#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(202503);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/07/16");
script_cve_id(
"CVE-2023-1393",
"CVE-2023-5367",
"CVE-2023-5380",
"CVE-2024-31080",
"CVE-2024-31081",
"CVE-2024-31082",
"CVE-2024-31083"
);
script_name(english:"EulerOS 2.0 SP9 : xorg-x11-server (EulerOS-SA-2024-1952)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the xorg-x11-server package installed, the EulerOS installation on the remote host is
affected by the following vulnerabilities :
A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation.
If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a
dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free
later.(CVE-2023-1393)
A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect
calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function
in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible
escalation of privileges or denial of service.(CVE-2023-5367)
A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and
legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if
the pointer is warped from within a window on one screen to the root window of the other screen and if the
original window is destroyed followed by another window being destroyed.(CVE-2023-5380)
A heap-based buffer over-read vulnerability was found in the X.org server's ProcAppleDRICreatePixmap()
function. This issue occurs when byte-swapped length values are used in replies, potentially leading to
memory leakage and segmentation faults, particularly when triggered by a client with a different
endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory
values and then transmit them back to the client until encountering an unmapped page, resulting in a
crash. Despite the attacker's inability to control the specific memory copied into the replies, the small
length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds
reads.(CVE-2024-31082)
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice()
function. This issue occurs when byte-swapped length values are used in replies, potentially leading to
memory leakage and segmentation faults, particularly when triggered by a client with a different
endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory
values and then transmit them back to the client until encountering an unmapped page, resulting in a
crash. Despite the attacker's inability to control the specific memory copied into the replies, the small
length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds
reads.(CVE-2024-31081)
A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue
occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially
resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently,
ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer
is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the
system by sending a specially crafted request.(CVE-2024-31083)
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents()
function. This issue occurs when byte-swapped length values are used in replies, potentially leading to
memory leakage and segmentation faults, particularly when triggered by a client with a different
endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory
values and then transmit them back to the client until encountering an unmapped page, resulting in a
crash. Despite the attacker's inability to control the specific memory copied into the replies, the small
length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds
reads.(CVE-2024-31080)
Tenable has extracted the preceding description block directly from the EulerOS xorg-x11-server security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2024-1952
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4b356171");
script_set_attribute(attribute:"solution", value:
"Update the affected xorg-x11-server packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-5367");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/29");
script_set_attribute(attribute:"patch_publication_date", value:"2024/07/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/07/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:xorg-x11-server-help");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP9");
var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(9)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP9");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP9", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
var flag = 0;
var pkgs = [
"xorg-x11-server-help-1.20.6-5.h14.eulerosv2r9"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"9", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xorg-x11-server");
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation