McAfee LinuxShield <= 1.5.1 nailsd Daemon Remote Privilege Escalation

2013-09-28T00:00:00
ID MCAFEE_LINUXSHIELD_SB10007.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

The version of McAfee LinuxShield installed on the remote host is 1.5.1 or earlier. As such, it is potentially affected by a privilege escalation vulnerability because the application does not properly authenticate clients. An attacker able to log into the remote host can leverage this vulnerability to authenticate to the application's 'nailsd' daemon, make configuration changes, and execute tasks with the privileges under which the 'nailsd' daemon runs.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

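if (description)
{
  script_id(70195);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");

  script_cve_id("CVE-2009-5116");
  script_bugtraq_id(38489);
  # Exploit-DB cross-reference: a public exploit for this issue is on record,
  # which the exploitability metadata below has to agree with.
  script_xref(name:"EDB-ID", value:"14818");

  script_name(english:"McAfee LinuxShield <= 1.5.1 nailsd Daemon Remote Privilege Escalation");
  script_summary(english:"Logs in with SSH and checks the version of McAfee LinuxShield");

  script_set_attribute(attribute:"synopsis", value:
"An application on the remote host is affected by a privilege escalation
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of McAfee LinuxShield installed on the remote host is 1.5.1
or earlier.  As such, it potentially is affected by a privilege
escalation vulnerability because it does not properly authenticate
clients.  An attacker able to log into the remote host can leverage this
vulnerability to authenticate to the application's 'nailsd' daemon and
do configuration changes as well as execute tasks subject to the
privileges with which the 'nailsd' daemon operates.");
  script_set_attribute(attribute:"see_also", value:"http://sotiriu.de/adv/NSOADV-2010-004.txt");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2010/Mar/26");
  # The fix is two-part: the 1.5.1 release AND hotfix HF550192 on top of it.
  # The detection logic below mirrors this (1.5.1 without the hotfix is still
  # reported as vulnerable).
  script_set_attribute(attribute:"solution", value:
"Upgrade to LinuxShield 1.5.1 if necessary and install hotfix
HF550192");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  # Temporal exploitability raised from E:U (unproven) to E:POC: the plugin
  # itself cross-references a public Exploit-DB entry (EDB-ID 14818), so
  # "unproven" understated the risk. POC is the conservative reading; confirm
  # against the EDB entry before raising further to E:F or E:H.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  # Previously "No known exploits are available" / "false", which contradicted
  # the EDB-ID cross-reference above; kept consistent with it here.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/03/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/02/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/28");

  # Local (credentialed) check: it reads files on the target over SSH rather
  # than talking to nailsd itself.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mcafee:linuxshield:1.5.1");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled");
  script_require_ports("Services/ssh", 22);

  exit(0);
}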

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");


# Credentialed check: every command below runs over the SSH session set up by
# ssh_get_info.nasl, so local checks must be enabled and the host must be Linux.
if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS) enable_ssh_wrappers();
else disable_ssh_wrappers();

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

uname_out = get_kb_item_or_exit("Host/uname");
if ("Linux" >!< uname_out) audit(AUDIT_OS_NOT, "Linux");

# The fix is the 1.5.1 release plus hotfix HF550192. Anything below 1.5.1 is
# reported regardless of hotfix state; 1.5.1 is only clean when the hotfix
# marker is present; anything above 1.5.1 is treated as not affected.
app_name   = "McAfee LinuxShield";
fixed_ver  = "1.5.1";
hotfix_id  = "HF550192";
ls_etc_dir = "/opt/NAI/LinuxShield/etc";

ssh_port = kb_ssh_transport();
if (ssh_open_connection() == 0) audit(AUDIT_SVC_FAIL, "SSH", ssh_port);

# config.xml doubles as the install marker. nosudo:FALSE lets ssh_cmd escalate
# where the scan credentials allow it - presumably because the LinuxShield
# etc directory is not world-readable on every install (confirm on a target).
config_xml = ssh_cmd(cmd:"cat " + ls_etc_dir + "/config.xml", nosh:TRUE, nosudo:FALSE);
if (isnull(config_xml) || !eregmatch(pattern:"<InstalledPath>__NAILS_INSTALL__</InstalledPath>", string:config_xml))
{
  ssh_close_connection();
  audit(AUDIT_NOT_INST, app_name);
}

# Product version is taken from the <Version> element of the same file.
ver_match = eregmatch(pattern:"<Version>([0-9]+\.[0-9]+\.[0-9]+)</Version>", string:config_xml);
if (isnull(ver_match))
{
  ssh_close_connection();
  audit(AUDIT_VER_FAIL, app_name);
}
installed_ver = ver_match[1];

# HF-Version lists applied hotfixes one per line. A missing file and an empty
# file are treated alike: no hotfix applied.
hf_listing = ssh_cmd(cmd:"cat " + ls_etc_dir + "/HF-Version", nosh:TRUE, nosudo:FALSE);
ssh_close_connection();
if (isnull(hf_listing)) hf_listing = "";

# Hotfix only counts on exactly 1.5.1; the marker must occupy a whole line.
hotfix_present = egrep(pattern:"^" + hotfix_id + "$", string:hf_listing);
if (installed_ver == fixed_ver && hotfix_present) audit(AUDIT_PATCH_INSTALLED, hotfix_id);

# Newer than 1.5.1 (non-strict compare) is out of the affected range.
if (ver_compare(ver:installed_ver, fix:fixed_ver, strict:FALSE) == 1) audit(AUDIT_INST_VER_NOT_VULN, app_name, installed_ver);

# Everything that reaches this point is <= 1.5.1 without the hotfix.
finding = '\n  Version       : ' + installed_ver +
          '\n  Fixed version : ' + fixed_ver + " with " + hotfix_id + " applied" +
          '\n';
if (report_verbosity > 0) security_warning(port:0, extra:finding);
else security_warning(0);