Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2020-1995.NASL
HistorySep 29, 2020 - 12:00 a.m.

EulerOS Virtualization for ARM 64 3.0.6.0 : glusterfs (EulerOS-SA-2020-1995)

2020-09-2900:00:00
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
16

8.8 High

AI Score

Confidence

High

JSON

According to the versions of the glusterfs packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  • A buffer overflow on the heap was found in gf_getspec_req RPC request. A remote, authenticated attacker could use this flaw to cause denial of service and read arbitrary files on glusterfs server node.(CVE-2018-14653)

  • It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths.(CVE-2018-14651)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(140943);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/19");

  script_cve_id("CVE-2018-14651", "CVE-2018-14653");

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.6.0 : glusterfs (EulerOS-SA-2020-1995)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the glusterfs packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - A buffer overflow on the heap was found in
    gf_getspec_req RPC request. A remote, authenticated
    attacker could use this flaw to cause denial of service
    and read arbitrary files on glusterfs server
    node.(CVE-2018-14653)

  - It was found that the fix for CVE-2018-10927,
    CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and
    CVE-2018-10926 was incomplete. A remote, authenticated
    attacker could use one of these flaws to execute
    arbitrary code, create arbitrary files, or cause denial
    of service on glusterfs server nodes via symlinks to
    relative paths.(CVE-2018-14651)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1995
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5fc42705");
  script_set_attribute(attribute:"solution", value:
"Update the affected glusterfs packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-14653");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/09/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/09/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glusterfs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glusterfs-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glusterfs-client-xlators");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glusterfs-libs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.6.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.6.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.6.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["glusterfs-4.1.5-1.h3.eulerosv2r8",
        "glusterfs-api-4.1.5-1.h3.eulerosv2r8",
        "glusterfs-client-xlators-4.1.5-1.h3.eulerosv2r8",
        "glusterfs-libs-4.1.5-1.h3.eulerosv2r8"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glusterfs");
}
VendorProductVersionCPE
huaweieulerosglusterfsp-cpe:/a:huawei:euleros:glusterfs
huaweieulerosglusterfs-apip-cpe:/a:huawei:euleros:glusterfs-api
huaweieulerosglusterfs-client-xlatorsp-cpe:/a:huawei:euleros:glusterfs-client-xlators
huaweieulerosglusterfs-libsp-cpe:/a:huawei:euleros:glusterfs-libs
huaweieulerosuvpcpe:/o:huawei:euleros:uvp:3.0.6.0

Related

openvas 16
nessus 24
redhatcve 7
osv 10
ubuntucve 7
cvelist 7
veracode 8
prion 7
cve 7
debiancve 7
debian 3
fedora 5
redhat 5
centos 1
ibm 1
gentoo 1
suse 1
ubuntu 1
openvas
openvas
Huawei EulerOS: Security Advisory for glusterfs (EulerOS-SA-2020-1995)
2020-09-29 00:00:00
Huawei EulerOS: Security Advisory for glusterfs (EulerOS-SA-2020-1850)
2020-08-31 00:00:00
Debian: Security Advisory (DLA-1565-1)
2018-11-05 00:00:00
nessus
nessus
EulerOS 2.0 SP8 : glusterfs (EulerOS-SA-2020-1850)
2020-08-28 00:00:00
Debian DLA-1565-1 : glusterfs security update
2018-11-06 00:00:00
EulerOS 2.0 SP5 : glusterfs (EulerOS-SA-2020-1103)
2020-02-24 00:00:00
redhatcve
redhatcve
CVE-2018-14651
2018-10-31 08:19:46
CVE-2018-14653
2018-10-31 08:20:42
CVE-2018-10930
2019-10-09 22:51:17
osv
osv
CVE-2018-14651
2018-10-31 22:29:00
glusterfs - security update
2018-09-20 00:00:00
glusterfs vulnerabilities
2021-03-15 20:13:19
ubuntucve
ubuntucve
CVE-2018-14651
2018-10-31 00:00:00
CVE-2018-14653
2018-10-31 00:00:00
CVE-2018-10926
2018-09-04 00:00:00
cvelist
cvelist
CVE-2018-14651
2018-10-31 21:00:00
CVE-2018-14653
2018-10-31 19:00:00
CVE-2018-10930
2018-09-04 16:00:00
veracode
veracode
Symlink Attack
2018-11-01 08:59:27
Symlink Attack
2019-01-15 09:25:31
Denial Of Service (DoS)
2018-11-01 06:05:40
prion
prion
Code injection
2018-10-31 22:29:00
Heap overflow
2018-10-31 19:29:00
Design/Logic Flaw
2018-09-04 15:29:00
cve
cve
CVE-2018-14651
2018-10-31 22:29:00
CVE-2018-14653
2018-10-31 19:29:00
CVE-2018-10930
2018-09-04 16:29:00
debiancve
debiancve
CVE-2018-14651
2018-10-31 22:29:00
CVE-2018-14653
2018-10-31 19:29:00
CVE-2018-10926
2018-09-04 15:29:00
debian
debian
[SECURITY] [DLA 1565-1] glusterfs security update
2018-11-05 18:02:46
[SECURITY] [DLA 1510-1] glusterfs security update
2018-09-20 10:16:49
[SECURITY] [DLA 2806-1] glusterfs security update
2021-11-01 23:25:30
fedora
fedora
[SECURITY] Fedora 29 Update: glusterfs-4.1.5-1.fc29
2018-10-02 19:35:20
[SECURITY] Fedora 28 Update: glusterfs-4.1.4-1.fc28
2018-09-11 17:04:27
[SECURITY] Fedora 27 Update: glusterfs-3.12.14-1.fc27
2018-09-28 17:14:10
redhat
redhat
(RHSA-2018:2607) Important: Red Hat Gluster Storage security, bug fix, and enhancement update
2018-09-04 06:13:53
(RHSA-2018:2608) Important: Red Hat Gluster Storage security, bug fix, and enhancement update
2018-09-04 06:13:58
(RHSA-2018:3470) Moderate: Red Hat Virtualization security and bug fix update
2018-11-05 13:52:45
centos
centos
glusterfs, python2 security update
2018-11-15 18:45:47
ibm
ibm
Security Bulletin: Vulnerabilities in glusterfs affect PowerKVM
2018-12-17 14:30:02
gentoo
gentoo
GlusterFS: Multiple Vulnerabilities
2019-04-02 00:00:00
suse
suse
Security update for glusterfs (moderate)
2020-01-20 00:00:00
ubuntu
ubuntu
GlusterFS vulnerabilities
2021-03-15 00:00:00

8.8 High

AI Score

Confidence

High

JSON
Related for EULEROS_SA-2020-1995.NASL
openvas16nessus24redhatcve7osv10ubuntucve7cvelist7veracode8prion7cve7debiancve7debian3fedora5redhat5centos1ibm1gentoo1suse1ubuntu1