EulerOS 2.0 SP3 : systemd (EulerOS-SA-2019-1998)

2019-09-2400:00:00

www.tenable.com

According to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

It has been discovered that systemd-tmpfiles mishandles symbolic links present in non-terminal path components.
In some configurations a local user could use this vulnerability to get access to arbitrary files when the systemd-tmpfiles command is run.(CVE-2018-6954)
An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ‘:’. A local attacker can use this flaw to disclose process memory data.(CVE-2018-16866)
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (CVE-2018-15686)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(129191);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/07/30");

  script_cve_id(
    "CVE-2018-15686",
    "CVE-2018-16866",
    "CVE-2018-6954"
  );

  script_name(english:"EulerOS 2.0 SP3 : systemd (EulerOS-SA-2019-1998)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the systemd packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

  - It has been discovered that systemd-tmpfiles mishandles
    symbolic links present in non-terminal path components.
    In some configurations a local user could use this
    vulnerability to get access to arbitrary files when the
    systemd-tmpfiles command is run.(CVE-2018-6954)

  - An out of bounds read was discovered in
    systemd-journald in the way it parses log messages that
    terminate with a colon ':'. A local attacker can use
    this flaw to disclose process memory
    data.(CVE-2018-16866)

  - A vulnerability in unit_deserialize of systemd allows
    an attacker to supply arbitrary state across systemd
    re-execution via NotifyAccess. This can be used to
    improperly influence systemd execution and possibly
    lead to root privilege escalation. (CVE-2018-15686)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1998
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2ae55474");
  script_set_attribute(attribute:"solution", value:
"Update the affected systemd packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6954");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libgudev1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libgudev1-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-python");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-sysv");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["libgudev1-219-30.6.h69",
        "libgudev1-devel-219-30.6.h69",
        "systemd-219-30.6.h69",
        "systemd-devel-219-30.6.h69",
        "systemd-libs-219-30.6.h69",
        "systemd-python-219-30.6.h69",
        "systemd-sysv-219-30.6.h69"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "systemd");
}

VendorProductVersionCPE
huaweieuleroslibgudev1p-cpe:/a:huawei:euleros:libgudev1
huaweieuleroslibgudev1-develp-cpe:/a:huawei:euleros:libgudev1-devel
huaweieulerossystemdp-cpe:/a:huawei:euleros:systemd
huaweieulerossystemd-develp-cpe:/a:huawei:euleros:systemd-devel
huaweieulerossystemd-libsp-cpe:/a:huawei:euleros:systemd-libs
huaweieulerossystemd-pythonp-cpe:/a:huawei:euleros:systemd-python
huaweieulerossystemd-sysvp-cpe:/a:huawei:euleros:systemd-sysv
huaweieuleros2.0cpe:/o:huawei:euleros:2.0

Vendor	Product	Version	CPE
huawei	euleros	libgudev1	p-cpe:/a:huawei:euleros:libgudev1
huawei	euleros	libgudev1-devel	p-cpe:/a:huawei:euleros:libgudev1-devel
huawei	euleros	systemd	p-cpe:/a:huawei:euleros:systemd
huawei	euleros	systemd-devel	p-cpe:/a:huawei:euleros:systemd-devel
huawei	euleros	systemd-libs	p-cpe:/a:huawei:euleros:systemd-libs
huawei	euleros	systemd-python	p-cpe:/a:huawei:euleros:systemd-python
huawei	euleros	systemd-sysv	p-cpe:/a:huawei:euleros:systemd-sysv
huawei	euleros	2.0	cpe:/o:huawei:euleros:2.0