According to the versions of the haproxy package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(126277);
script_version("1.16");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id(
"CVE-2018-20102",
"CVE-2018-20103",
"CVE-2018-20615"
);
script_name(english:"EulerOS 2.0 SP8 : haproxy (EulerOS-SA-2019-1650)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the haproxy package installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- HAProxy is a TCP/HTTP reverse proxy which is
particularly suited for high availability environments.
Indeed, it can: - route HTTP requests depending on
statically assigned cookies - spread load among several
servers while assuring server persistence through the
use of HTTP cookies - switch to backup servers in the
event a main one fails - accept connections to special
ports dedicated to service monitoring - stop accepting
connections without breaking existing ones - add,
modify, and delete HTTP headers in both directions -
block requests matching particular patterns - report
detailed status to authenticated users from a URI
intercepted from the applicationSecurity Fix(es):An
out-of-bounds read issue was discovered in the HTTP/2
protocol decoder in HAProxy 1.8.x and 1.9.x through
1.9.0 which can result in a crash. The processing of
the PRIORITY flag in a HEADERS frame requires 5 extra
bytes, and while these bytes are skipped, the total
frame length was not re-checked to make sure they were
present in the frame.(CVE-2018-20615)An issue was
discovered in dns.c in HAProxy through 1.8.14. In the
case of a compressed pointer, a crafted packet can
trigger infinite recursion by making the pointer point
to itself, or create a long chain of valid pointers
resulting in stack exhaustion.(CVE-2018-20103)An
out-of-bounds read in dns_validate_dns_response in
dns.c was discovered in HAProxy through 1.8.14. Due to
a missing check when validating DNS responses, remote
attackers might be able read the 16 bytes corresponding
to an AAAA record from the non-initialized part of the
buffer, possibly accessing anything that was left on
the stack, or even past the end of the 8193-byte
buffer, depending on the value of
accepted_payload_size.(CVE-2018-20102)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1650
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?971db689");
script_set_attribute(attribute:"solution", value:
"Update the affected haproxy packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"patch_publication_date", value:"2019/06/27");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/27");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:haproxy");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
flag = 0;
pkgs = ["haproxy-1.8.14-1.h1.eulerosv2r8"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
}