Lucene search
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DLA-2489.NASLHistoryDec 11, 2020 - 12:00 a.m.
Debian DLA-2489-1 : minidlna security update
2020-12-1100:00:00
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
25
debian 9 stretch
minidlna
lightweight dlna/upnp-av server
security update
input validation
arbitrary code
callstranger
upnp vulnerability
version 1.1.6+dfsg-1+deb9u1
security tracker page
tenable network security
scanner
CVSS2
7.8
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:P/I:N/A:C
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
8.3
Confidence
High
EPSS
0.071
Percentile
94.0%
It was discovered that missing input validation in minidlna, a lightweight DLNA/UPnP-AV server could result in the execution of arbitrary code. In addition minidlna was susceptible to the βCallStrangerβ UPnP vulnerability.
For Debian 9 stretch, these problems have been fixed in version 1.1.6+dfsg-1+deb9u1.
We recommend that you upgrade your minidlna packages.
For the detailed security status of minidlna please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/minidlna
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-2489-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(144092);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/02");
script_cve_id("CVE-2020-12695", "CVE-2020-28926");
script_xref(name:"CEA-ID", value:"CEA-2020-0050");
script_name(english:"Debian DLA-2489-1 : minidlna security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security update.");
script_set_attribute(attribute:"description", value:
"It was discovered that missing input validation in minidlna, a
lightweight DLNA/UPnP-AV server could result in the execution of
arbitrary code. In addition minidlna was susceptible to the
'CallStranger' UPnP vulnerability.
For Debian 9 stretch, these problems have been fixed in version
1.1.6+dfsg-1+deb9u1.
We recommend that you upgrade your minidlna packages.
For the detailed security status of minidlna please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/minidlna
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.");
script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2020/12/msg00017.html");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/stretch/minidlna");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/minidlna");
script_set_attribute(attribute:"solution", value:
"Upgrade the affected minidlna package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12695");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-28926");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/08");
script_set_attribute(attribute:"patch_publication_date", value:"2020/12/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/12/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:minidlna");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"9.0", prefix:"minidlna", reference:"1.1.6+dfsg-1+deb9u1")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
else security_hole(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
| Vendor | Product | Version | CPE |
|---|---|---|---|
| debian | debian_linux | minidlna | p-cpe:/a:debian:debian_linux:minidlna |
| debian | debian_linux | 9.0 | cpe:/o:debian:debian_linux:9.0 |
Related
osv
osv
minidlna vulnerabilities
2021-02-04 19:46:50
minidlna - security update
2020-12-07 00:00:00
minidlna - security update
2020-12-10 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-4722-1)
2021-02-05 00:00:00
Debian: Security Advisory (DSA-4806-1)
2020-12-08 00:00:00
Mageia: Security Advisory (MGASA-2020-0483)
2022-01-28 00:00:00
suse
suse
Security update for minidlna (moderate)
2020-12-10 00:00:00
Security update for minidlna (moderate)
2020-12-07 00:00:00
Security update for minidlna (moderate)
2020-12-04 00:00:00
ubuntu
ubuntu
ReadyMedia (MiniDLNA) vulnerabilities
2021-02-04 00:00:00
GUPnP vulnerability
2020-09-15 00:00:00
wpa_supplicant and hostapd vulnerabilities
2021-02-11 00:00:00
nessus
nessus
openSUSE Security Update : minidlna (openSUSE-2020-2160)
2020-12-07 00:00:00
openSUSE Security Update : minidlna (openSUSE-2020-2194)
2020-12-08 00:00:00
debian
debian
[SECURITY] [DSA 4806-1] minidlna security update
2020-12-07 21:38:44
[SECURITY] [DLA 2489-1] minidlna security update
2020-12-10 21:27:37
[SECURITY] [DLA 2315-1] gupnp security update
2020-08-06 17:27:49
mageia
mageia
Updated minidlna packages fix security vulnerabilities
2020-12-31 17:32:44
Updated gssdp/gupnp packages fix security vulnerability
2020-08-01 02:25:42
cvelist
cvelist
CVE-2020-28926
2020-11-30 17:09:40
CVE-2020-12695
2020-06-08 16:45:04
prion
prion
Buffer overflow
2020-11-30 18:15:00
Open redirect
2020-06-08 17:15:00
archlinux
archlinux
[ASA-202012-15] minidlna: arbitrary code execution
2020-12-09 00:00:00
[ASA-202012-16] hostapd: proxy injection
2020-12-09 00:00:00
cnvd
cnvd
ReadyMedia Remote Code Execution Vulnerability
2020-12-01 00:00:00
cve
cve
CVE-2020-28926
2020-11-30 18:15:11
CVE-2020-12695
2020-06-08 17:15:09
ubuntucve
ubuntucve
CVE-2020-28926
2020-11-30 00:00:00
CVE-2020-12695
2020-06-08 00:00:00
alpinelinux
alpinelinux
CVE-2020-28926
2020-11-30 18:15:11
CVE-2020-12695
2020-06-08 17:15:09
debiancve
debiancve
CVE-2020-28926
2020-11-30 18:15:11
CVE-2020-12695
2020-06-08 17:15:09
nvd
nvd
CVE-2020-28926
2020-11-30 18:15:11
CVE-2020-12695
2020-06-08 17:15:09
veracode
veracode
Remote Code Execution (RCE)
2020-12-08 00:44:29
Authorization Bypass
2020-08-06 21:39:39
githubexploit
githubexploit
Exploit for Classic Buffer Overflow in Readymedia Project Readymedia
2021-03-03 21:06:56
Exploit for Incorrect Default Permissions in Ui Unifi Controller
2020-06-10 14:18:34
Exploit for Incorrect Default Permissions in Ui Unifi Controller
2020-06-08 07:37:49
fedora
fedora
[SECURITY] Fedora 31 Update: gupnp-1.0.5-1.fc31
2020-07-09 01:07:00
[SECURITY] Fedora 31 Update: gssdp-1.0.4-1.fc31
2020-07-09 01:06:59
[SECURITY] Fedora 32 Update: hostapd-2.9-4.fc32
2020-07-03 01:19:38
oraclelinux
oraclelinux
gssdp and gupnp security update
2021-05-25 00:00:00
redhatcve
redhatcve
CVE-2020-12695
2020-06-10 14:56:13
redhat
redhat
(RHSA-2021:1789) Moderate: gssdp and gupnp security update
2021-05-18 06:05:22
cert
cert
attackerkb
attackerkb
CVE-2020-12695 "CallStranger"
2020-06-08 00:00:00
almalinux
almalinux
Moderate: gssdp and gupnp security update
2021-05-18 06:05:22
cisa
cisa
CERT/CC Reports Vulnerability in Universal Plug and Play Protocol
2020-06-09 00:00:00
rocky
rocky
gssdp and gupnp security update
2021-05-18 06:05:22
huawei
huawei
Security Advisory - CallStranger Vulnerability in UPnP Protocol
2020-07-01 00:00:00
malwarebytes
malwarebytes
thn
thn
Critical Root RCE Bug Affects Multiple Netgear SOHO Router Models
2021-11-18 12:59:00
slackware
slackware
[slackware-security] wpa_supplicant
2021-12-29 03:28:00
CVSS2
7.8
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:P/I:N/A:C
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
8.3
Confidence
High
EPSS
0.071
Percentile
94.0%
Related for DEBIAN_DLA-2489.NASL