Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DLA-3681.NASL
HistoryDec 03, 2023 - 12:00 a.m.

Debian DLA-3681-1 : amanda - LTS security update

2023-12-0300:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
2
debian 10
amanda
lts
security update
multiple vulnerabilities
information leak
privilege escalation
runtar suid program
argument checking
debian dla-3681-1
cve-2022-37703
cve-2022-37705
cve-2023-30577
nessus

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

4.5 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.2%

JSON

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3681 advisory.

  • In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use opendir() as root directly without checking the path, letting the attacker provide an arbitrary path.
    (CVE-2022-37703)

  • A privilege escalation flaw was found in Amanda 3.5.1 in which the backup user can acquire root privileges. The vulnerable component is the runtar SUID program, which is a wrapper to run /usr/bin/tar with specific arguments that are controllable by the attacker. This program mishandles the arguments passed to tar binary (it expects that the argument name and value are separated with a space; however, separating them with an equals sign is also supported), (CVE-2022-37705)

  • AMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag-community-3.5.4 mishandles argument checking for runtar.c, a different vulnerability than CVE-2022-37705. (CVE-2023-30577)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3681. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(186524);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/03");

  script_cve_id("CVE-2022-37703", "CVE-2022-37705", "CVE-2023-30577");

  script_name(english:"Debian DLA-3681-1 : amanda - LTS security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-3681 advisory.

  - In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can
    abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use
    `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.
    (CVE-2022-37703)

  - A privilege escalation flaw was found in Amanda 3.5.1 in which the backup user can acquire root
    privileges. The vulnerable component is the runtar SUID program, which is a wrapper to run /usr/bin/tar
    with specific arguments that are controllable by the attacker. This program mishandles the arguments
    passed to tar binary (it expects that the argument name and value are separated with a space; however,
    separating them with an equals sign is also supported), (CVE-2022-37705)

  - AMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag-community-3.5.4 mishandles argument
    checking for runtar.c, a different vulnerability than CVE-2022-37705. (CVE-2023-30577)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021017");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/amanda");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2023/dla-3681");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-37703");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-37705");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-30577");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/amanda");
  script_set_attribute(attribute:"solution", value:
"Upgrade the amanda packages.

For Debian 10 buster, these problems have been fixed in version 1");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-30577");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/09/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/12/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/12/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:amanda-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:amanda-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:amanda-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '10.0', 'prefix': 'amanda-client', 'reference': '1:3.5.1-2+deb10u2'},
    {'release': '10.0', 'prefix': 'amanda-common', 'reference': '1:3.5.1-2+deb10u2'},
    {'release': '10.0', 'prefix': 'amanda-server', 'reference': '1:3.5.1-2+deb10u2'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'amanda-client / amanda-common / amanda-server');
}
VendorProductVersionCPE
debiandebian_linuxamanda-clientp-cpe:/a:debian:debian_linux:amanda-client
debiandebian_linuxamanda-commonp-cpe:/a:debian:debian_linux:amanda-common
debiandebian_linuxamanda-serverp-cpe:/a:debian:debian_linux:amanda-server
debiandebian_linux10.0cpe:/o:debian:debian_linux:10.0

Related

osv 8
debian 1
openvas 12
nessus 17
cvelist 3
prion 3
redhatcve 3
cloudlinux 1
debiancve 3
nvd 3
cve 3
ubuntucve 3
ubuntu 4
amazon 2
fedora 5
osv
osv
amanda - security update
2023-12-03 00:00:00
CVE-2023-30577
2023-07-26 17:15:10
amanda vulnerabilities
2023-03-23 06:20:37
debian
debian
[SECURITY] [DLA 3681-1] amanda security update
2023-12-03 09:48:38
openvas
openvas
Debian: Security Advisory (DLA-3681-1)
2023-12-04 00:00:00
Huawei EulerOS: Security Advisory for amanda (EulerOS-SA-2023-3112)
2023-11-09 00:00:00
Ubuntu: Security Advisory (USN-5966-3)
2023-04-03 00:00:00
nessus
nessus
RHEL 6 : amanda (Unpatched Vulnerability)
2024-05-11 00:00:00
Fedora 38 : amanda (2023-4db1d56125)
2023-08-05 00:00:00
openSUSE 15 Security Update : amanda (openSUSE-SU-2023:0206-1)
2023-08-05 00:00:00
cvelist
cvelist
CVE-2023-30577
2023-07-26 00:00:00
CVE-2022-37703
2022-09-13 00:00:00
CVE-2022-37705
2023-04-16 00:00:00
prion
prion
Code injection
2023-07-26 17:15:00
Design/Logic Flaw
2022-09-13 20:15:00
Privilege escalation
2023-04-16 01:15:00
redhatcve
redhatcve
CVE-2023-30577
2023-08-08 18:19:48
CVE-2022-37705
2023-02-07 12:57:44
CVE-2022-37703
2022-09-14 14:44:22
cloudlinux
cloudlinux
amanda: Fix of 2 CVEs
2023-08-17 17:24:04
debiancve
debiancve
CVE-2023-30577
2023-07-26 17:15:10
CVE-2022-37705
2023-04-16 01:15:06
CVE-2022-37703
2022-09-13 20:15:09
nvd
nvd
CVE-2023-30577
2023-07-26 17:15:10
CVE-2022-37703
2022-09-13 20:15:09
CVE-2022-37705
2023-04-16 01:15:06
cve
cve
CVE-2023-30577
2023-07-26 17:15:10
CVE-2022-37703
2022-09-13 20:15:09
CVE-2022-37705
2023-04-16 01:15:06
ubuntucve
ubuntucve
CVE-2023-30577
2023-07-26 00:00:00
CVE-2022-37703
2022-09-13 00:00:00
CVE-2022-37705
2023-01-30 00:00:00
ubuntu
ubuntu
amanda vulnerabilities
2023-03-23 00:00:00
amanda regression
2023-03-23 00:00:00
amanda regression
2023-04-03 00:00:00
amazon
amazon
Medium: amanda
2023-08-17 11:39:00
Medium: amanda
2023-08-17 11:58:00
fedora
fedora
[SECURITY] Fedora 37 Update: amanda-3.5.3-1.fc37
2023-04-02 02:01:08
[SECURITY] Fedora 38 Update: amanda-3.5.3-1.fc38
2023-04-02 00:17:09
[SECURITY] Fedora 36 Update: amanda-3.5.3-1.fc36
2023-04-02 01:34:44

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

4.5 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.2%

JSON
Related for DEBIAN_DLA-3681.NASL
osv8debian1openvas12nessus17cvelist3prion3redhatcve3cloudlinux1debiancve3nvd3cve3ubuntucve3ubuntu4amazon2fedora5