This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2023-3055.NASLEulerOS Virtualization 2.11.1 : libtiff (EulerOS-SA-2023-3055)
6.9 Medium
AI Score
Confidence
Low
According to the versions of the libtiff package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
-
libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV. (CVE-2023-25433)
-
loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image. (CVE-2023-26965)
-
libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian. (CVE-2023-26966)
-
A null pointer dereference issue was found in Libtiff’s tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service.
(CVE-2023-2908) -
A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones. (CVE-2023-3316)
-
A memory leak flaw was found in Libtiff’s tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.
(CVE-2023-3576)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(188695);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/16");
script_cve_id(
"CVE-2023-2908",
"CVE-2023-3316",
"CVE-2023-3576",
"CVE-2023-25433",
"CVE-2023-26965",
"CVE-2023-26966"
);
script_name(english:"EulerOS Virtualization 2.11.1 : libtiff (EulerOS-SA-2023-3055)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the libtiff package installed, the EulerOS Virtualization installation on the remote host
is affected by the following vulnerabilities :
- libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of
buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV. (CVE-2023-25433)
- loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted
TIFF image. (CVE-2023-26965)
- libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian
TIFF file and specifies the output to be big-endian. (CVE-2023-26966)
- A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker
to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes
undefined behavior. This will result in an application crash, eventually leading to a denial of service.
(CVE-2023-2908)
- A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path
or a path that requires permissions like /dev/null) while specifying zones. (CVE-2023-3316)
- A memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a
TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes
this memory leak issue, resulting an application crash, eventually leading to a denial of service.
(CVE-2023-3576)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2023-3055
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bc45d3b1");
script_set_attribute(attribute:"solution", value:
"Update the affected libtiff packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-3316");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/14");
script_set_attribute(attribute:"patch_publication_date", value:"2023/10/31");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.11.1");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.11.1") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.11.1");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
var flag = 0;
var pkgs = [
"libtiff-4.3.0-9.h19.eulerosv2r11"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
}
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25433
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26965
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26966
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2908
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3316
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3576
www.nessus.org/u?bc45d3b1
Related
