EulerOS Virtualization 3.0.6.0 : php (EulerOS-SA-2024-1696)

2024-05-1700:00:00

www.tenable.com

euleros virtualization

php

xml functions

libxml

imagemagick

vulnerability

cve-2023-3823

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.2%

JSON

According to the versions of the php packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded.
This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. (CVE-2023-3823)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(197219);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/07");

  script_cve_id("CVE-2023-3823");
  script_xref(name:"IAVA", value:"2023-A-0423-S");

  script_name(english:"EulerOS Virtualization 3.0.6.0 : php (EulerOS-SA-2024-1696)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the php packages installed, the EulerOS Virtualization installation on the remote host is
affected by the following vulnerabilities :

  - In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions
    rely on libxml global state to track configuration variables, like whether external entities are loaded.
    This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate
    function. However, since the state is process-global, other modules - such as ImageMagick - may also use
    this library within the same process, and change that global state for their internal purposes, and leave
    it in a state where external entities loading is enabled. This can lead to the situation where external
    XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to
    PHP. This vulnerable state may persist in the same process across many requests, until the process is shut
    down. (CVE-2023-3823)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2024-1696
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?525e9951");
  script_set_attribute(attribute:"solution", value:
"Update the affected php packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-3823");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/08/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/05/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-fpm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pdo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-process");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-recode");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-soap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xml");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xmlrpc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.6.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.6.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.6.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

var flag = 0;

var pkgs = [
  "php-7.2.10-1.h36.eulerosv2r8",
  "php-cli-7.2.10-1.h36.eulerosv2r8",
  "php-common-7.2.10-1.h36.eulerosv2r8",
  "php-fpm-7.2.10-1.h36.eulerosv2r8",
  "php-gd-7.2.10-1.h36.eulerosv2r8",
  "php-ldap-7.2.10-1.h36.eulerosv2r8",
  "php-odbc-7.2.10-1.h36.eulerosv2r8",
  "php-pdo-7.2.10-1.h36.eulerosv2r8",
  "php-process-7.2.10-1.h36.eulerosv2r8",
  "php-recode-7.2.10-1.h36.eulerosv2r8",
  "php-soap-7.2.10-1.h36.eulerosv2r8",
  "php-xml-7.2.10-1.h36.eulerosv2r8",
  "php-xmlrpc-7.2.10-1.h36.eulerosv2r8"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php");
}

VendorProductVersionCPE
huaweieulerosphp-odbcp-cpe:/a:huawei:euleros:php-odbc
huaweieulerosphp-pdop-cpe:/a:huawei:euleros:php-pdo
huaweieulerosphpp-cpe:/a:huawei:euleros:php
huaweieulerosphp-xmlp-cpe:/a:huawei:euleros:php-xml
huaweieulerosphp-clip-cpe:/a:huawei:euleros:php-cli
huaweieulerosphp-processp-cpe:/a:huawei:euleros:php-process
huaweieulerosphp-xmlrpcp-cpe:/a:huawei:euleros:php-xmlrpc
huaweieulerosphp-gdp-cpe:/a:huawei:euleros:php-gd
huaweieulerosphp-fpmp-cpe:/a:huawei:euleros:php-fpm
huaweieulerosuvpcpe:/o:huawei:euleros:uvp:3.0.6.0

Vendor	Product	Version	CPE
huawei	euleros	php-odbc	p-cpe:/a:huawei:euleros:php-odbc
huawei	euleros	php-pdo	p-cpe:/a:huawei:euleros:php-pdo
huawei	euleros	php	p-cpe:/a:huawei:euleros:php
huawei	euleros	php-xml	p-cpe:/a:huawei:euleros:php-xml
huawei	euleros	php-cli	p-cpe:/a:huawei:euleros:php-cli
huawei	euleros	php-process	p-cpe:/a:huawei:euleros:php-process
huawei	euleros	php-xmlrpc	p-cpe:/a:huawei:euleros:php-xmlrpc
huawei	euleros	php-gd	p-cpe:/a:huawei:euleros:php-gd
huawei	euleros	php-fpm	p-cpe:/a:huawei:euleros:php-fpm
huawei	euleros	uvp	cpe:/o:huawei:euleros:uvp:3.0.6.0