The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3549 advisory.
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds. (CVE-2021-37706)
Stack overflow in PJSUA API when calling pjsua_player_create. An attacker-controlled ‘filename’ argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation. (CVE-2021-43299)
Stack overflow in PJSUA API when calling pjsua_recorder_create. An attacker-controlled ‘filename’ argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation. (CVE-2021-43300)
Stack overflow in PJSUA API when calling pjsua_playlist_create. An attacker-controlled ‘file_names’ argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation. (CVE-2021-43301)
Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled ‘filename’ argument may cause an out-of-bounds read when the filename is shorter than 4 characters. (CVE-2021-43302)
Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker-controlled ‘buffer’ argument may cause a buffer overflow, since supplying an output buffer smaller than 128 characters may overflow the output buffer, regardless of the ‘maxlen’ argument supplied (CVE-2021-43303)
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming RTCP BYE message contains a reason’s length, this declared length is not checked against the actual received packet size, potentially resulting in an out-of-bound read access. This issue affects all users that use PJMEDIA and RTCP. A malicious actor can send a RTCP BYE message with an invalid reason length. Users are advised to upgrade as soon as possible. There are no known workarounds. (CVE-2021-43804)
PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if an incoming RTCP XR message contains a block, the data field is not checked against the received packet size, potentially resulting in an out-of-bound read access. This affects all users that use PJMEDIA and RTCP XR. A malicious actor can send a RTCP XR message with an invalid packet size. (CVE-2021-43845)
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch is available as a commit in the `master` branch. There are no known workarounds. (CVE-2022-21722)
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as a commit in the `master` branch. There are no known workarounds. (CVE-2022-21723)
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when parsing a specially crafted STUN message with an unknown attribute. The vulnerability affects applications that use STUN, including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1). (CVE-2022-23537)
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that use STUN, including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch. (CVE-2022-23547)
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed. The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys), leading to undefined behavior such as dialog list collision, which eventually leads to an endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue. (CVE-2022-23608)
PJSIP is a free and open source multimedia communication library written in C language. In versions prior to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has been patched in the master branch of the PJSIP repository and will be included with the next release. Users unable to upgrade need to check that the hashed digest data length must be equal to `PJSIP_MD5STRLEN` before passing to PJSIP. (CVE-2022-24754)
PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP’s XML parsing in their apps. Users are advised to update. There are no known workarounds. (CVE-2022-24763)
PJSIP is a free and open source multimedia communication library written in C. Versions 2.12 and prior contain a stack buffer overflow vulnerability that affects PJSUA2 users or users that call the API `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or `pjmedia_sdp_media_print()` should not be affected. A patch is available on the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds. (CVE-2022-24764)
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn’t affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead. (CVE-2022-24793)
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using `pjlib-util/stun_simple` API. A patch is available in commit 450baca which should be included in the next release. There are no known workarounds for this issue. (CVE-2022-31031)
PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affected by a buffer overflow vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users are advised to upgrade. There are no known workarounds for this issue. (CVE-2022-39244)
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn’t affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record `parse_query()`, while the issue in CVE-2022-24793 is in `parse_rr()`. A patch is available as commit `d1c5e4d` in the `master` branch. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver implementation instead. (CVE-2023-27585)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3549. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(180270);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/08/30");
script_cve_id(
"CVE-2021-37706",
"CVE-2021-43299",
"CVE-2021-43300",
"CVE-2021-43301",
"CVE-2021-43302",
"CVE-2021-43303",
"CVE-2021-43804",
"CVE-2021-43845",
"CVE-2022-21722",
"CVE-2022-21723",
"CVE-2022-23537",
"CVE-2022-23547",
"CVE-2022-23608",
"CVE-2022-24754",
"CVE-2022-24763",
"CVE-2022-24764",
"CVE-2022-24793",
"CVE-2022-31031",
"CVE-2022-39244",
"CVE-2023-27585"
);
script_name(english:"Debian DLA-3549-1 : ring - LTS security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-3549 advisory.
- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming
STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a
subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all
users that use STUN. A malicious actor located within the victim's network may forge and send a specially
crafted UDP (STUN) message that could remotely execute arbitrary code on the victim's machine. Users are
advised to upgrade as soon as possible. There are no known workarounds. (CVE-2021-37706)
- Stack overflow in PJSUA API when calling pjsua_player_create. An attacker-controlled 'filename' argument
may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
(CVE-2021-43299)
- Stack overflow in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument
may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
(CVE-2021-43300)
- Stack overflow in PJSUA API when calling pjsua_playlist_create. An attacker-controlled 'file_names'
argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size
validation. (CVE-2021-43301)
- Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename'
argument may cause an out-of-bounds read when the filename is shorter than 4 characters. (CVE-2021-43302)
- Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker-controlled 'buffer' argument may
cause a buffer overflow, since supplying an output buffer smaller than 128 characters may overflow the
output buffer, regardless of the 'maxlen' argument supplied (CVE-2021-43303)
- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming
RTCP BYE message contains a reason's length, this declared length is not checked against the actual
received packet size, potentially resulting in an out-of-bound read access. This issue affects all users
that use PJMEDIA and RTCP. A malicious actor can send a RTCP BYE message with an invalid reason length.
Users are advised to upgrade as soon as possible. There are no known workarounds. (CVE-2021-43804)
- PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if incoming
RTCP XR message contain block, the data field is not checked against the received packet size, potentially
resulting in an out-of-bound read access. This affects all users that use PJMEDIA and RTCP XR. A malicious
actor can send a RTCP XR message with an invalid packet size. (CVE-2021-43845)
- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there
are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-
of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch
is available as a commit in the `master` branch. There are no known workarounds. (CVE-2022-21722)
- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing
an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read
access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in
the `master` branch. There are no known workarounds. (CVE-2022-21723)
- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when
parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications
that uses STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch
(2.13.1). (CVE-2022-23537)
- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to
GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability
affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as commit in
the master branch. (CVE-2022-23547)
- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including
2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can
potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set
to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior
such as dialog list collision which eventually leading to endless loop. A patch is available in commit
db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known
workarounds for this issue. (CVE-2022-23608)
- PJSIP is a free and open source multimedia communication library written in C language. In versions prior
to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users
who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has
been patched in the master branch of the PJSIP repository and will be included with the next release.
Users unable to upgrade need to check that the hashed digest data length must be equal to
`PJSIP_MD5STRLEN` before passing to PJSIP. (CVE-2022-24754)
- PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12
and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML
parsing in their apps. Users are advised to update. There are no known workarounds. (CVE-2022-24763)
- PJSIP is a free and open source multimedia communication library written in C. Versions 2.12 and prior
contain a stack buffer overflow vulnerability that affects PJSUA2 users or users that call the API
`pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do not use PJSUA2 and do not directly
call `pjmedia_sdp_print()` or `pjmedia_sdp_media_print()` should not be affected. A patch is available on
the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
(CVE-2022-24764)
- PJSIP is a free and open source multimedia communication library written in C. A buffer overflow
vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't
affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The
difference is that this issue is in parsing the query record `parse_rr()`, while the issue in
CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject`
GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting
`nameserver_count` to zero) or use an external resolver instead. (CVE-2022-24793)
- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including
2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications,
either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using
`pjlib-util/stun_simple` API. A patch is available in commit 450baca which should be included in the next
release. There are no known workarounds for this issue. (CVE-2022-31031)
- PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior
to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affected by a buffer overflow
vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is
available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users
are advised to upgrade. There are no known workarounds for this issue. (CVE-2022-39244)
- PJSIP is a free and open source multimedia communication library written in C. A buffer overflow
vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't
affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793.
The difference is that this issue is in parsing the query record `parse_query()`, while the issue in
CVE-2022-24793 is in `parse_rr()`. A patch is available as commit `d1c5e4d` in the `master` branch. A
workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an
external resolver implementation instead. (CVE-2023-27585)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/ring");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2023/dla-3549");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-37706");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-43299");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-43300");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-43301");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-43302");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-43303");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-43804");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-43845");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-21722");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-21723");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23537");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23547");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23608");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-24754");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-24763");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-24764");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-24793");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-31031");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-39244");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-27585");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/ring");
script_set_attribute(attribute:"solution", value:
"Upgrade the ring packages.
For Debian 10 buster, these problems have been fixed in version 20190215.1.f152c98~ds1-1+deb10u2.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-37706");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-39244");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/22");
script_set_attribute(attribute:"patch_publication_date", value:"2023/08/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/30");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:jami");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:jami-daemon");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ring");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ring-daemon");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
  {'release': '10.0', 'prefix': 'jami', 'reference': '20190215.1.f152c98~ds1-1+deb10u2'},
  {'release': '10.0', 'prefix': 'jami-daemon', 'reference': '20190215.1.f152c98~ds1-1+deb10u2'},
  {'release': '10.0', 'prefix': 'ring', 'reference': '20190215.1.f152c98~ds1-1+deb10u2'},
  {'release': '10.0', 'prefix': 'ring-daemon', 'reference': '20190215.1.f152c98~ds1-1+deb10u2'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port : 0,
    severity : SECURITY_HOLE,
    extra : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jami / jami-daemon / ring / ring-daemon');
}
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | ring | p-cpe:/a:debian:debian_linux:ring |
debian | debian_linux | 10.0 | cpe:/o:debian:debian_linux:10.0 |
debian | debian_linux | jami-daemon | p-cpe:/a:debian:debian_linux:jami-daemon |
debian | debian_linux | jami | p-cpe:/a:debian:debian_linux:jami |
debian | debian_linux | ring-daemon | p-cpe:/a:debian:debian_linux:ring-daemon |