Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DLA-3481.NASL
HistoryJul 18, 2023 - 12:00 a.m.

Debian DLA-3481-1 : libusrsctp - LTS security update

2023-07-1800:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
7
JSON

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3481 advisory.

  • usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init. (CVE-2019-20503)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3481. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(178397);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/18");

  script_cve_id("CVE-2019-20503");

  script_name(english:"Debian DLA-3481-1 : libusrsctp - LTS security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3481
advisory.

  - usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init. (CVE-2019-20503)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953270");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/libusrsctp");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2023/dla-3481");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2019-20503");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/libusrsctp");
  script_set_attribute(attribute:"solution", value:
"Upgrade the libusrsctp packages.

For Debian 10 buster, this problem has been fixed in version 0.9.3.0+20190127-2+deb10u1.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-20503");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libusrsctp-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libusrsctp-examples");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libusrsctp1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '10.0', 'prefix': 'libusrsctp-dev', 'reference': '0.9.3.0+20190127-2+deb10u1'},
    {'release': '10.0', 'prefix': 'libusrsctp-examples', 'reference': '0.9.3.0+20190127-2+deb10u1'},
    {'release': '10.0', 'prefix': 'libusrsctp1', 'reference': '0.9.3.0+20190127-2+deb10u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libusrsctp-dev / libusrsctp-examples / libusrsctp1');
}
VendorProductVersionCPE
debiandebian_linux10.0cpe:/o:debian:debian_linux:10.0
debiandebian_linuxlibusrsctp-devp-cpe:/a:debian:debian_linux:libusrsctp-dev
debiandebian_linuxlibusrsctp-examplesp-cpe:/a:debian:debian_linux:libusrsctp-examples
debiandebian_linuxlibusrsctp1p-cpe:/a:debian:debian_linux:libusrsctp1

Related

osv 7
debian 7
cve 1
cbl_mariner 2
redhatcve 1
veracode 2
alpinelinux 1
ubuntucve 1
prion 1
openvas 38
debiancve 1
nessus 61
oraclelinux 6
suse 4
centos 4
mageia 3
kaspersky 5
redhat 9
archlinux 3
altlinux 2
slackware 2
mozilla 3
amazon 1
fedora 3
chrome 1
apple 8
ubuntu 3
gentoo 2
mscve 1
osv
osv
CVE-2019-20503
2020-03-06 20:15:12
libusrsctp - security update
2023-07-06 00:00:00
firefox-esr - security update
2020-03-11 00:00:00
debian
debian
[SECURITY] [DLA 3481-1] libusrsctp security update
2023-07-06 22:25:50
[SECURITY] [DLA 2150-1] thunderbird security update
2020-03-20 10:00:10
[SECURITY] [DSA 4642-1] thunderbird security update
2020-03-19 22:32:44
cve
cve
CVE-2019-20503
2020-03-06 20:15:00
cbl_mariner
cbl_mariner
CVE-2019-20503 affecting package usrsctp 0.9.5.0-1
2022-06-26 03:29:33
CVE-2019-20503 affecting package usrsctp 0.9.5.0-1
2024-03-19 17:21:46
redhatcve
redhatcve
CVE-2019-20503
2020-04-05 23:11:41
veracode
veracode
Denial Of Service (DoS)
2021-03-09 04:21:44
Denial Of Service (DoS)
2020-08-06 21:30:22
alpinelinux
alpinelinux
CVE-2019-20503
2020-03-06 20:15:00
ubuntucve
ubuntucve
CVE-2019-20503
2020-03-06 00:00:00
prion
prion
Out-of-bounds
2020-03-06 20:15:00
openvas
openvas
Debian: Security Advisory (DLA-3481-1)
2023-07-18 00:00:00
Debian: Security Advisory (DLA-2140-1)
2020-03-18 00:00:00
SUSE: Security Advisory (SUSE-SU-2020:0717-1)
2021-04-19 00:00:00
debiancve
debiancve
CVE-2019-20503
2020-03-06 20:15:00
nessus
nessus
Debian DLA-2140-1 : firefox-esr security update
2020-03-12 00:00:00
Slackware 14.2 / current : mozilla-thunderbird (SSA:2020-073-01)
2020-03-16 00:00:00
Oracle Linux 7 : thunderbird (ELSA-2020-0905)
2020-03-20 00:00:00
oraclelinux
oraclelinux
thunderbird security update
2020-03-23 00:00:00
firefox security update
2020-03-17 00:00:00
thunderbird security update
2020-07-07 00:00:00
suse
suse
Security update for MozillaThunderbird (important)
2020-03-22 00:00:00
Security update for MozillaFirefox (important)
2020-03-14 00:00:00
Security update for chromium (important)
2020-03-27 00:00:00
centos
centos
firefox security update
2020-03-25 19:17:41
thunderbird security update
2020-03-25 19:18:41
thunderbird security update
2020-03-25 19:17:21
mageia
mageia
Updated thunderbird packages fix security vulnerabilities
2020-03-14 11:35:35
Updated firefox packages fix security vulnerabilities
2020-03-14 11:35:35
Updated chromium-browser-stable packages fix security vulnerability
2020-04-01 04:56:57
kaspersky
kaspersky
KLA11688 Multiple vulnerabilities in Mozilla Firefox ESR
2020-03-10 00:00:00
KLA11701 Multiple vulnerabilities in Mozilla Thunderbird
2020-03-10 00:00:00
KLA11724 Multiple vulnerabilities in Opera
2020-03-27 00:00:00
redhat
redhat
(RHSA-2020:0918) Important: thunderbird security update
2020-03-23 07:49:11
(RHSA-2020:0914) Important: thunderbird security update
2020-03-23 07:29:42
(RHSA-2020:0816) Important: firefox security update
2020-03-16 08:03:23
archlinux
archlinux
[ASA-202003-11] thunderbird: multiple issues
2020-03-16 00:00:00
[ASA-202003-12] chromium: multiple issues
2020-03-19 00:00:00
[ASA-202003-8] firefox: multiple issues
2020-03-11 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package thunderbird version 68.6.0-alt1
2020-03-14 00:00:00
Security fix for the ALT Linux 10 package firefox-esr version 68.6.0-alt1
2020-03-10 00:00:00
slackware
slackware
[slackware-security] mozilla-thunderbird
2020-03-13 21:47:41
[slackware-security] mozilla-firefox
2020-03-10 20:37:32
mozilla
mozilla
Security Vulnerabilities fixed in Thunderbird 68.6 — Mozilla
2020-03-10 00:00:00
Security Vulnerabilities fixed in Firefox ESR 68.6 — Mozilla
2020-03-10 00:00:00
Security Vulnerabilities fixed in Firefox 74 — Mozilla
2020-03-10 00:00:00
amazon
amazon
Important: thunderbird
2020-04-20 20:48:00
fedora
fedora
[SECURITY] Fedora 32 Update: chromium-80.0.3987.149-1.fc32
2020-03-27 08:04:11
[SECURITY] Fedora 31 Update: chromium-80.0.3987.149-1.fc31
2020-03-24 01:49:34
[SECURITY] Fedora 30 Update: chromium-80.0.3987.149-1.fc30
2020-03-27 10:46:23
chrome
chrome
Stable Channel Update for Desktop
2020-03-18 00:00:00
apple
apple
About the security content of Safari 13.1.1 - Apple Support
2020-05-27 12:42:27
About the security content of Safari 13.1.1
2020-05-26 00:00:00
About the security content of tvOS 13.4.5 - Apple Support
2020-09-21 04:33:14
ubuntu
ubuntu
Firefox vulnerabilities
2020-03-11 00:00:00
Thunderbird vulnerabilities
2020-04-13 00:00:00
Thunderbird vulnerabilities
2020-04-21 00:00:00
gentoo
gentoo
Mozilla Firefox: Multiple vulnerabilities
2020-03-12 00:00:00
Mozilla Thunderbird: Multiple vulnerabilities
2020-03-14 00:00:00
mscve
mscve
Chromium Security Updates for Microsoft Edge (Chromium-Based)
2020-01-28 08:00:00
JSON
Related for DEBIAN_DLA-3481.NASL
osv7debian7cve1cbl_mariner2redhatcve1veracode2alpinelinux1ubuntucve1prion1openvas38debiancve1nessus61oraclelinux6suse4centos4mageia3kaspersky5redhat9archlinux3altlinux2slackware2mozilla3amazon1fedora3chrome1apple8ubuntu3gentoo2mscve1