nessusThis script is Copyright (C) 2013-2023 Tenable Network Security, Inc.MCAFEE_LINUXSHIELD_SB10007.NASL
HistorySep 28, 2013 - 12:00 a.m.

McAfee LinuxShield <= 1.5.1 nailsd Daemon Remote Privilege Escalation

2013-09-28 00:00:00
This script is Copyright (C) 2013-2023 Tenable Network Security, Inc.
www.tenable.com
25

7.1 High

AI Score

Confidence

Low

The version of McAfee LinuxShield installed on the remote host is 1.5.1 or earlier. As such, it is potentially affected by a privilege escalation vulnerability because it does not properly authenticate clients. An attacker able to log into the remote host can leverage this vulnerability to authenticate to the application’s ‘nailsd’ daemon, make configuration changes, and execute tasks with the privileges under which the ‘nailsd’ daemon operates.

#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin metadata. This branch only registers attributes and ends with
# exit(0), so none of the check logic further down runs when `description`
# is set.
if (description)
{
  script_id(70195);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

  # External identifiers for the issue: CVE, Bugtraq ID and an Exploit-DB
  # cross-reference.
  script_cve_id("CVE-2009-5116");
  script_bugtraq_id(38489);
  script_xref(name:"EDB-ID", value:"14818");

  script_name(english:"McAfee LinuxShield <= 1.5.1 nailsd Daemon Remote Privilege Escalation");
  script_summary(english:"Logs in with SSH and checks the version of McAfee LinuxShield");

  script_set_attribute(attribute:"synopsis", value:
"An application on the remote host is affected by a privilege escalation
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of McAfee LinuxShield installed on the remote host is 1.5.1
or earlier.  As such, it potentially is affected by a privilege
escalation vulnerability because it does not properly authenticate
clients.  An attacker able to log into the remote host can leverage this
vulnerability to authenticate to the application's 'nailsd' daemon and
do configuration changes as well as execute tasks subject to the
privileges with which the 'nailsd' daemon operates.");
  script_set_attribute(attribute:"see_also", value:"http://sotiriu.de/adv/NSOADV-2010-004.txt");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2010/Mar/26");
  # Remediation is two steps: reach 1.5.1 first, then apply the hotfix.
  script_set_attribute(attribute:"solution", value:
"Upgrade to LinuxShield 1.5.1 if necessary and install hotfix
HF550192");
  # CVSS v2 base: network vector, low complexity, single authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  # CVSS v2 temporal: exploitability unproven, official fix, report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  # NOTE(review): an EDB-ID cross-reference is registered above, yet the two
  # attributes below (and E:U in the temporal vector) say no exploit is
  # known. Confirm which is current before using these fields to prioritise
  # remediation.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/03/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/02/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/28");

  # "local": per the summary above, the check logs in over SSH and reads the
  # installed version instead of probing the daemon.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mcafee:linuxshield:1.5.1");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  # NOTE(review): the family reads "Gain a shell remotely" although
  # plugin_type is "local"; filter on plugin_type when a scan policy needs to
  # separate credentialed checks from remote ones.
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2013-2023 Tenable Network Security, Inc.");

  # Depends on ssh_get_info.nasl and requires the KB key
  # Host/local_checks_enabled; without working SSH credentials this plugin
  # produces no result for the host.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled");
  script_require_ports("Services/ssh", 22);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");


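# Credentialed check for McAfee LinuxShield <= 1.5.1 without hotfix HF550192.
#
# The script reads two files over SSH and compares version strings. It never
# contacts the nailsd daemon, so a finding means "the installed version and
# hotfix level are in the affected range", not "the weakness was exercised".
#
# Outcomes:
#   - audit(...) exits for: local checks disabled, non-Linux host, SSH
#     failure, product not installed, version not parseable, hotfix present,
#     or a version newer than 1.5.1.
#   - security_warning(...) for every other case, i.e. versions below 1.5.1
#     and 1.5.1 without the hotfix line.
enable_ssh_wrappers();

# Preconditions taken from the KB: local checks must be enabled and the
# recorded uname must contain "Linux".
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

if ("Linux" >!< get_kb_item_or_exit("Host/uname")) audit(AUDIT_OS_NOT, "Linux");

app_name = "McAfee LinuxShield";
hotfixable_ver = "1.5.1";
hotfix = "HF550192";
# Fixed command strings: nothing read from the target is ever placed on a
# command line, so remote file content cannot influence what gets executed.
cat_config_cmd = "cat /opt/NAI/LinuxShield/etc/config.xml";
cat_hfversion_cmd = "cat /opt/NAI/LinuxShield/etc/HF-Version";

port = kb_ssh_transport();

# A zero return is treated as "could not open the SSH session".
ret = ssh_open_connection();
if (ret == 0) audit(AUDIT_SVC_FAIL, "SSH", port);

# Installation test: config.xml must be readable and contain the literal
# <InstalledPath>__NAILS_INSTALL__</InstalledPath> marker.
# NOTE(review): nosudo:FALSE presumably lets the wrapper use the scan's
# configured privilege escalation for the read - confirm in ssh_func.inc.
cat_config_output = ssh_cmd(cmd:cat_config_cmd, nosh:TRUE, nosudo:FALSE);
if (
  isnull(cat_config_output) ||
  !eregmatch(pattern:"<InstalledPath>__NAILS_INSTALL__</InstalledPath>", string:cat_config_output)
)
{
  ssh_close_connection();
  audit(AUDIT_NOT_INST, app_name);
}

# The capture group accepts only digits and dots, so `ver` is safe to echo
# into the report later. A version that is not three dot-separated numbers
# ends in AUDIT_VER_FAIL rather than a finding.
matches = eregmatch(pattern:"<Version>([0-9]+\.[0-9]+\.[0-9]+)</Version>", string:cat_config_output);
if (isnull(matches))
{
  ssh_close_connection();
  audit(AUDIT_VER_FAIL, app_name);
}

ver = matches[1];

# We treat a missing HF-Version file and an empty one the same way
cat_hfversion_output = ssh_cmd(cmd:cat_hfversion_cmd, nosh:TRUE, nosudo:FALSE);
if (isnull(cat_hfversion_output)) cat_hfversion_output = "";
# Last remote read is done; every path below works on data already collected.
ssh_close_connection();

# If this is 1.5.1, has the hotfix been applied?
# The pattern is anchored at both ends, so a line must be exactly the hotfix
# ID to count.
# NOTE(review): a host whose HF-Version lists the hotfix with extra text on
# the line, or only a later hotfix, would still be reported - confirm the
# file format against vendor documentation when triaging a finding.
if (ver == hotfixable_ver && egrep(pattern:"^" + hotfix + "$", string:cat_hfversion_output)) audit(AUDIT_PATCH_INSTALLED, hotfix);

# If this is not 1.5.1, is it > 1.5.1?
if (ver_compare(ver:ver, fix:hotfixable_ver, strict:FALSE) == 1)  audit(AUDIT_INST_VER_NOT_VULN, app_name, ver);

if (report_verbosity > 0)
{
  # Plain assignment: vuln_report is not initialised anywhere in this script,
  # so the report is built from scratch instead of appended to an undefined
  # variable.
  vuln_report = '\n  Version       : ' + ver +
                '\n  Fixed version : ' + hotfixable_ver + " with " + hotfix + " applied" +
                '\n';
  security_warning(port:0, extra:vuln_report);
}
else security_warning(0);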
Vendor | Product | Version | CPE
mcafee | linuxshield | 1.5.1 | cpe:/a:mcafee:linuxshield:1.5.1
