EulerOS 2.0 SP8 : haproxy (EulerOS-SA-2019-1650)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(126277);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id(
    "CVE-2018-20102",
    "CVE-2018-20103",
    "CVE-2018-20615"
  );

  script_name(english:"EulerOS 2.0 SP8 : haproxy (EulerOS-SA-2019-1650)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the haproxy package installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

  - HAProxy is a TCP/HTTP reverse proxy which is
    particularly suited for high availability environments.
    Indeed, it can: - route HTTP requests depending on
    statically assigned cookies - spread load among several
    servers while assuring server persistence through the
    use of HTTP cookies - switch to backup servers in the
    event a main one fails - accept connections to special
    ports dedicated to service monitoring - stop accepting
    connections without breaking existing ones - add,
    modify, and delete HTTP headers in both directions -
    block requests matching particular patterns - report
    detailed status to authenticated users from a URI
    intercepted from the applicationSecurity Fix(es):An
    out-of-bounds read issue was discovered in the HTTP/2
    protocol decoder in HAProxy 1.8.x and 1.9.x through
    1.9.0 which can result in a crash. The processing of
    the PRIORITY flag in a HEADERS frame requires 5 extra
    bytes, and while these bytes are skipped, the total
    frame length was not re-checked to make sure they were
    present in the frame.(CVE-2018-20615)An issue was
    discovered in dns.c in HAProxy through 1.8.14. In the
    case of a compressed pointer, a crafted packet can
    trigger infinite recursion by making the pointer point
    to itself, or create a long chain of valid pointers
    resulting in stack exhaustion.(CVE-2018-20103)An
    out-of-bounds read in dns_validate_dns_response in
    dns.c was discovered in HAProxy through 1.8.14. Due to
    a missing check when validating DNS responses, remote
    attackers might be able read the 16 bytes corresponding
    to an AAAA record from the non-initialized part of the
    buffer, possibly accessing anything that was left on
    the stack, or even past the end of the 8193-byte
    buffer, depending on the value of
    accepted_payload_size.(CVE-2018-20102)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1650
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?971db689");
  script_set_attribute(attribute:"solution", value:
"Update the affected haproxy packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/06/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:haproxy");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["haproxy-1.8.14-1.h1.eulerosv2r8"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
}