Lucene search

HistoryAug 12, 2019 - 12:00 a.m.

Fedora 30 : libssh2 (2019-9d85600fc7)

2019-08-1200:00:00

www.tenable.com

A vulnerability was discovered in libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds write in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.

This update, to the latest current upstream release 1.9.0, addresses this security issue and also includes a number of other bug fixes and enhancements as described in the package changelog.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2019-9d85600fc7.
#

include("compat.inc");

if (description)
{
  script_id(127521);
  script_version("1.3");
  script_cvs_date("Date: 2020/01/06");

  script_cve_id("CVE-2019-13115", "CVE-2019-3855");
  script_xref(name:"FEDORA", value:"2019-9d85600fc7");

  script_name(english:"Fedora 30 : libssh2 (2019-9d85600fc7)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A vulnerability was discovered in libssh2 before 1.9.0,
`kex_method_diffie_hellman_group_exchange_sha256_key_exchange` in
`kex.c` has an integer overflow that could lead to an out-of-bounds
write in the way packets are read from the server. A remote attacker
who compromises a SSH server may be able to execute code on the client
system when a user connects to the server.

This is related to an `_libssh2_check_length` mistake, and is
different from the various issues fixed in 1.8.1, such as
CVE-2019-3855.

This update, to the latest current upstream release 1.9.0, addresses
this security issue and also includes a number of other bug fixes and
enhancements as described in the package changelog.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-9d85600fc7"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libssh2 package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libssh2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/08/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC30", reference:"libssh2-1.9.0-1.fc30")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2");
}

VendorProductVersionCPE
fedoraprojectfedoralibssh2p-cpe:/a:fedoraproject:fedora:libssh2
fedoraprojectfedora30cpe:/o:fedoraproject:fedora:30

Vendor	Product	Version	CPE
fedoraproject	fedora	libssh2	p-cpe:/a:fedoraproject:fedora:libssh2
fedoraproject	fedora	30	cpe:/o:fedoraproject:fedora:30

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13115

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855

bodhi.fedoraproject.org/updates/FEDORA-2019-9d85600fc7

JSON

Related for FEDORA_2019-9D85600FC7.NASL