MiracleLinux 4 : xinetd-2.3.14-39.AXS4 (AXSA:2014-006:01)

🗓️ 16 Jan 2026 00:00:00Reported by TenableType

MiracleLinux 4 xinetd package vulnerable to CVE-2013-4342 allowing root privileges via TCPMUX services.

Reporter	Title	Published	Views	Family All 58
FreeBSD	xinetd -- ignores user and group directives for TCPMUX services	23 Aug 200500:00	–	freebsd
Amazon	Medium: xinetd	16 Oct 201300:00	–	amazon
Tenable Nessus	Amazon Linux AMI : xinetd (ALAS-2013-232)	24 Oct 201300:00	–	nessus
Tenable Nessus	CentOS 5 / 6 : xinetd (CESA-2013:1409)	9 Oct 201300:00	–	nessus
Tenable Nessus	Fedora 20 : xinetd-2.3.15-8.fc20 (2013-18241)	13 Oct 201300:00	–	nessus
Tenable Nessus	Fedora 19 : xinetd-2.3.15-8.fc19 (2013-18243)	13 Oct 201300:00	–	nessus
Tenable Nessus	FreeBSD : xinetd -- ignores user and group directives for TCPMUX services (5c34664f-2c2b-11e3-87c2-00215af774f0)	4 Oct 201300:00	–	nessus
Tenable Nessus	GLSA-201611-06 : xinetd: Privilege escalation	15 Nov 201600:00	–	nessus
Tenable Nessus	Mandriva Linux Security Advisory : xinetd (MDVSA-2013:248)	11 Oct 201300:00	–	nessus
Tenable Nessus	CBL Mariner 2.0 Security Update: xinetd (CVE-2013-4342)	3 Jul 202400:00	–	nessus

Source	Link
tsn	www.tsn.miraclelinux.com/en/node/4417
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2014-006:01.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(288914);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/16");

  script_cve_id("CVE-2013-4342");

  script_name(english:"MiracleLinux 4 : xinetd-2.3.14-39.AXS4 (AXSA:2014-006:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the
AXSA:2014-006:01 advisory.

    Xinetd is a secure replacement for inetd, the Internet services daemon. Xinetd provides access control for
    all services based on the address of the remote host and/or on time of access and can prevent denial-of-
    access attacks. Xinetd provides extensive logging, has no limit on the number of server arguments, and
    lets you bind specific services to specific IP addresses on your host machine. Each service has its own
    specific configuration file for Xinetd; the files are located in the /etc/xinetd.d directory.
    Security issues fixed with this release:
     CVE-2013-4342
    xinetd does not enforce the user and group configuration directives for TCPMUX services, which causes
    these services to be run as root and makes it easier for remote attackers to gain privileges by leveraging
    another vulnerability in a service.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/4417");
  script_set_attribute(attribute:"solution", value:
"Update the affected xinetd package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-4342");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/03/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:xinetd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:4");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 4.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'xinetd-2.3.14-39.AXS4', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'xinetd-2.3.14-39.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'xinetd');
}

16 Jan 2026 00:00Current

5.6Medium risk

Vulners AI Score5.6

CVSS 27.6

EPSS0.15271