EulerOS Virtualization 3.0.6.6 : chrony (EulerOS-SA-2021-1462)

2021-03-1000:00:00

www.tenable.com

5.9 Medium

AI Score

Confidence

High

JSON

According to the version of the chrony packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability :

A flaw was found in chrony versions before 3.5.1 when creating the PID file under the /var/run/chrony folder.
The file is created during chronyd startup while still running as the root user, and when it’s opened for writing, chronyd does not check for an existing symbolic link with the same file name. This flaw allows an attacker with privileged access to create a symlink with the default PID file name pointing to any destination file in the system, resulting in data loss and a denial of service due to the path traversal.(CVE-2020-14367)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(147595);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/10");

  script_cve_id("CVE-2020-14367");

  script_name(english:"EulerOS Virtualization 3.0.6.6 : chrony (EulerOS-SA-2021-1462)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the version of the chrony packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerability :

  - A flaw was found in chrony versions before 3.5.1 when
    creating the PID file under the /var/run/chrony folder.
    The file is created during chronyd startup while still
    running as the root user, and when it's opened for
    writing, chronyd does not check for an existing
    symbolic link with the same file name. This flaw allows
    an attacker with privileged access to create a symlink
    with the default PID file name pointing to any
    destination file in the system, resulting in data loss
    and a denial of service due to the path
    traversal.(CVE-2020-14367)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1462
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?81bf98ca");
  script_set_attribute(attribute:"solution", value:
"Update the affected chrony package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-14367");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"patch_publication_date", value:"2021/03/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/03/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:chrony");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:mpich-3.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.6.6");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.6.6") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.6.6");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["chrony-3.2-2.h1.eulerosv2r7",
        "mpich-3.2-3.2-2.h1.eulerosv2r7"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_NOTE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "chrony");
}

VendorProductVersionCPE
huaweieuleroschronyp-cpe:/a:huawei:euleros:chrony
huaweieulerosmpich-3.2p-cpe:/a:huawei:euleros:mpich-3.2
huaweieulerosuvpcpe:/o:huawei:euleros:uvp:3.0.6.6

Vendor	Product	Version	CPE
huawei	euleros	chrony	p-cpe:/a:huawei:euleros:chrony
huawei	euleros	mpich-3.2	p-cpe:/a:huawei:euleros:mpich-3.2
huawei	euleros	uvp	cpe:/o:huawei:euleros:uvp:3.0.6.6