Source: nessus
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
File: FEDORA_2023-C0696D7B53.NASL
History: Sep 18, 2023 - 12:00 a.m.

Fedora 37 : matrix-synapse / python-matrix-common / rust-pythonize (2023-c0696d7b53)

2023-09-18 00:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
2

The remote Fedora 37 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-c0696d7b53 advisory.

  • Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0 (CVE-2022-39374)

  • Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade. (CVE-2022-39335)

  • Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of invite_room_state, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized invite_room_state fields. Server operators should upgrade to Synapse 1.74 or newer urgently. (CVE-2023-32323)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2023-c0696d7b53
#

include('compat.inc');

# Registration block: when `description` is true the script only records its
# metadata (id, CVEs, advisory text, scoring, dependencies) and then leaves at
# the exit(0) below, so none of the host checks further down are executed.
if (description)
{
  script_id(181518);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/18");

  # One plugin covers three CVEs; a positive result does not say which of them
  # applies to the host, only that an affected package build is installed.
  script_cve_id("CVE-2022-39335", "CVE-2022-39374", "CVE-2023-32323");
  script_xref(name:"FEDORA", value:"2023-c0696d7b53");

  script_name(english:"Fedora 37 : matrix-synapse / python-matrix-common / rust-pythonize (2023-c0696d7b53)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing one or more security updates.");
  # Advisory text shown to the operator. The three bullets quote different
  # upstream fix versions (1.68.0, 1.69.0 and 1.74), and the closing note states
  # that the finding is based on version information only, not on probing the
  # service.
  script_set_attribute(attribute:"description", value:
"The remote Fedora 37 host has packages installed that are affected by multiple vulnerabilities as referenced in the
FEDORA-2023-c0696d7b53 advisory.

  - Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If
    Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick
    Synapse into accepting previously rejected events into its view of the current state of that room. This
    can be exploited in a way that causes all further messages and state changes sent in that room from the
    vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0 (CVE-2022-39374)

  - Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The
    Matrix Federation API allows remote homeservers to request the authorization events in a room. This is
    necessary so that a homeserver receiving some events can validate that those events are legitimate and
    permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver
    answering a query for authorization events does not sufficiently check that the requesting server should
    be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to
    upgrade. (CVE-2022-39335)

  - Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A
    malicious user on a Synapse homeserver X with permission to create certain state events can disable
    outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are
    not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of
    `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse
    1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse
    1.74 or newer urgently. (CVE-2023-32323)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2023-c0696d7b53");
  script_set_attribute(attribute:"solution", value:
"Update the affected matrix-synapse, python-matrix-common and / or rust-pythonize packages.");
  # Scoring: cvss_score_source names CVE-2022-39335, so the base vectors below
  # presumably describe that CVE alone rather than a combined rating for all
  # three -- confirm against the individual CVE records when prioritising.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-39335");

  # Exploit availability is flagged as true; the temporal vectors above rate
  # exploit maturity as proof-of-concept (E:POC / E:P).
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/05/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/09/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/18");

  # "local" plugin: the result comes from data collected on the host, not from
  # talking to the Synapse service over the network.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # The cpe attribute is set once per entry: the OS plus the three packages.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:37");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:matrix-synapse");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:python-matrix-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:rust-pythonize");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Fedora Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Declares a dependency on ssh_get_info.nasl and requires three KB keys; the
  # same keys are read by the checks after this block. Without them (for
  # example, no credentialed scan) this plugin cannot produce a finding, which
  # is not the same as the host being patched.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include('rpm.inc');

# Preconditions. Each failed check hands an AUDIT_* reason to audit() instead
# of reporting, so "no finding" from this plugin can mean "could not check".

# Local (credentialed) checks must have been enabled for this host.
if (!get_kb_item('Host/local_checks_enabled'))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# The release string stored in the KB must identify the host as Fedora.
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Fedora' >!< os_release)
{
  audit(AUDIT_OS_NOT, 'Fedora');
}

# Pull the numeric release out of the string and accept only Fedora 37.
var os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:os_release);
if (isnull(os_ver))
{
  audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');
}
os_ver = os_ver[1];
if (! preg(pattern:"^37([^0-9]|$)", string:os_ver))
{
  audit(AUDIT_OS_NOT, 'Fedora 37', 'Fedora ' + os_ver);
}

# The installed-package list has to be present in the KB.
if (!get_kb_item('Host/RedHat/rpm-list'))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Only x86_64, i386-i686, s390* and aarch64 hosts are handled.
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if ('x86_64' >!< cpu &&
    cpu !~ "^i[3-6]86$" &&
    's390' >!< cpu &&
    'aarch64' >!< cpu)
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);
}

# Reference builds for Fedora 37 (release tag FC37). Each entry is handed to
# rpm_check() from rpm.inc, which is expected to return true when the installed
# build is older than the reference -- confirm in rpm.inc.
# Only RPM-installed packages are evaluated: a Synapse deployed some other way
# (for example pip or a container image) would not be expected to appear in the
# rpm list and is therefore outside what this check can see.
var pkgs = [
  {'reference':'matrix-synapse-1.80.0-5.fc37', 'release':'FC37', 'rpm_spec_vers_cmp':TRUE},
  {'reference':'python-matrix-common-1.3.0-7.fc37', 'release':'FC37', 'rpm_spec_vers_cmp':TRUE},
  {'reference':'rust-pythonize-0.19.0-1.fc37', 'release':'FC37', 'rpm_spec_vers_cmp':TRUE}
];

# flag counts the entries for which rpm_check() returned true.
var flag = 0;
foreach package_array ( pkgs )
{
  # Every optional field starts as NULL and is filled in only when the entry
  # carries a non-empty value for it.
  var reference = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];

  var _release = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];

  var sp = NULL;
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];

  var _cpu = NULL;
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];

  var el_string = NULL;
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];

  var rpm_spec_vers_cmp = NULL;
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];

  var epoch = NULL;
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];

  var allowmaj = NULL;
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];

  # An entry is only checked when it names both a package build and a release.
  if (reference && _release)
  {
    if (rpm_check(
          release           : _release,
          sp                : sp,
          cpu               : _cpu,
          reference         : reference,
          epoch             : epoch,
          el_string         : el_string,
          rpm_spec_vers_cmp : rpm_spec_vers_cmp,
          allowmaj          : allowmaj))
    {
      flag++;
    }
  }
}

# Outcome. No entry matched: audit as "not affected" when at least one package
# was actually tested, otherwise as "not installed". Any match: report at
# SECURITY_WARNING on port 0, with the text from rpm_report_get() as detail.
if (!flag)
{
  var tested = pkg_tests_get();
  if (!tested)
  {
    audit(AUDIT_PACKAGE_NOT_INSTALLED, 'matrix-synapse / python-matrix-common / rust-pythonize');
  }
  else
  {
    audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  }
}
else
{
  security_report_v4(port:0, severity:SECURITY_WARNING, extra:rpm_report_get());
  exit(0);
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| fedoraproject | fedora | matrix-synapse | p-cpe:/a:fedoraproject:fedora:matrix-synapse |
| fedoraproject | fedora | rust-pythonize | p-cpe:/a:fedoraproject:fedora:rust-pythonize |
| fedoraproject | fedora | python-matrix-common | p-cpe:/a:fedoraproject:fedora:python-matrix-common |
| fedoraproject | fedora | 37 | cpe:/o:fedoraproject:fedora:37 |