Lucene search

K
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2022-2488.NASL
HistoryOct 09, 2022 - 12:00 a.m.

EulerOS Virtualization 3.0.6.6 : bluez (EulerOS-SA-2022-2488)

2022-10-0900:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13
euleros
virtualization
bluez
vulnerabilities
bluetoothd
heap-based buffer overflow
gatt-database
use-after-free
denial of service

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.003

Percentile

66.2%

According to the versions of the bluez packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  • An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the same. (CVE-2019-8921)

  • A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn’t any check on whether there is enough space in the destination buffer. The function simply appends all data passed to it. The values of all attributes that are requested are appended to the output buffer. There are no size checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by process_request (in sdpd-request.c), which also allocates the response buffer. (CVE-2019-8922)

  • An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call. (CVE-2021-43400)

  • A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service. (CVE-2022-0204)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(165877);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/10");

  script_cve_id(
    "CVE-2019-8921",
    "CVE-2019-8922",
    "CVE-2021-43400",
    "CVE-2022-0204"
  );

  script_name(english:"EulerOS Virtualization 3.0.6.6 : bluez (EulerOS-SA-2022-2488)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the bluez packages installed, the EulerOS Virtualization installation on the remote host is
affected by the following vulnerabilities :

  - An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a
    SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server
    into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The
    root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check
    whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the
    same. (CVE-2019-8921)

  - A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on
    whether there is enough space in the destination buffer. The function simply appends all data passed to
    it. The values of all attributes that are requested are appended to the output buffer. There are no size
    checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is
    large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by
    process_request (in sdpd-request.c), which also allocates the response buffer. (CVE-2019-8922)

  - An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client
    disconnects during D-Bus processing of a WriteValue call. (CVE-2021-43400)

  - A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network
    access could pass specially crafted files causing an application to halt or crash, leading to a denial of
    service. (CVE-2022-0204)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-2488
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a43a6656");
  script_set_attribute(attribute:"solution", value:
"Update the affected bluez packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-43400");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bluez");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bluez-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bluez-libs-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.6.6");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.6.6") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.6.6");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

var flag = 0;

var pkgs = [
  "bluez-5.44-4.h7.eulerosv2r7",
  "bluez-libs-5.44-4.h7.eulerosv2r7",
  "bluez-libs-devel-5.44-4.h7.eulerosv2r7"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bluez");
}

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.003

Percentile

66.2%