MiracleLinux 7 : ruby-2.0.0.648-33.0.1.el7.AXS7 (AXSA:2018-2583:01)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2018-2583:01.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(289384);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/16");

  script_cve_id(
    "CVE-2017-0898",
    "CVE-2017-0899",
    "CVE-2017-0900",
    "CVE-2017-0901",
    "CVE-2017-0902",
    "CVE-2017-0903",
    "CVE-2017-10784",
    "CVE-2017-14033",
    "CVE-2017-14064",
    "CVE-2017-17405",
    "CVE-2017-17790"
  );

  script_name(english:"MiracleLinux 7 : ruby-2.0.0.648-33.0.1.el7.AXS7 (AXSA:2018-2583:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2018-2583:01 advisory.

    * It was discovered that the Net::FTP module did not properly process filenames in combination with
    certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up
    a malicious FTP server and tricking a user or Ruby application into downloading files with specially
    crafted names using the Net::FTP module. (CVE-2017-17405)
      * A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its
    format string parameter, could send a specially crafted string that would disclose heap memory or crash
    the interpreter. (CVE-2017-0898)
      * It was found that rubygems did not sanitize gem names during installation of a given gem. A specially
    crafted gem could use this flaw to install files outside of the regular directory. (CVE-2017-0901)
      * A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname
    of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to
    manipulate DNS responses could direct the gem command towards a different domain. (CVE-2017-0902)
      * A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization
    when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute
    arbitrary code in the context of the ruby interpreter. (CVE-2017-0903)
      * It was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal,
    an attacker could interact with the terminal via the use of escape sequences. (CVE-2017-10784)
      * It was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An
    attacker could pass a specially crafted string to the application in order to crash the ruby interpreter,
    causing a denial of service. (CVE-2017-14033)
      * A vulnerability was found where rubygems did not properly sanitize gems' specification text. A
    specially crafted gem could interact with the terminal via the use of escape sequences. (CVE-2017-0899)
      * It was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem
    summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its
    summary. (CVE-2017-0900)
      * A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability
    to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's
    heap memory. (CVE-2017-14064)
      * The lazy_initialize function in lib/resolv.rb did not properly process certain filenames. A remote
    attacker could possibly exploit this flaw to inject and execute arbitrary commands. (CVE-2017-17790)
    CVE-2017-0898
    Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious
    format string which contains a precious specifier (*) with a huge
    minus value. Such situation can lead to a buffer overrun, resulting in
    a heap memory corruption or an information disclosure from the heap.
    CVE-2017-0899
    RubyGems version 2.6.12 and earlier is vulnerable to maliciously
    crafted gem specifications that include terminal escape characters.
    Printing the gem specification would execute terminal escape
    sequences.
    CVE-2017-0900
    RubyGems version 2.6.12 and earlier is vulnerable to maliciously
    crafted gem specifications to cause a denial of service attack against
    RubyGems clients who have issued a `query` command.
    CVE-2017-0901
    RubyGems version 2.6.12 and earlier fails to validate specification
    names, allowing a maliciously crafted gem to potentially overwrite any
    file on the filesystem.
    CVE-2017-0902
    RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking
    vulnerability that allows a MITM attacker to force the RubyGems client
    to download and install gems from a server that the attacker controls.
    CVE-2017-0903
    RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a
    possible remote code execution vulnerability. YAML deserialization of
    gem specifications can bypass class white lists. Specially crafted
    serialized objects can possibly be used to escalate to remote code
    execution.
    CVE-2017-10784
    The Basic authentication code in WEBrick library in Ruby before 2.2.8,
    2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to
    inject terminal emulator escape sequences into its log and possibly
    execute arbitrary commands via a crafted user name.
    CVE-2017-14033
    The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8,
    2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause
    a denial of service (interpreter crash) via a crafted string.
    CVE-2017-14064
    Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can
    expose arbitrary memory during a JSON.generate call. The issues lies in
    using strdup in ext/json/ext/generator/generator.c, which will stop
    after encountering a '\0' byte, returning a pointer to a string of
    length zero, which is not the length stored in space_len.
    CVE-2017-17405
    Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get,
    getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use
    Kernel#open to open a local file. If the localfile argument starts with
    the | pipe character, the command following the pipe character is
    executed. The default value of localfile is File.basename(remotefile),
    so malicious FTP servers could cause arbitrary command execution.
    CVE-2017-17790
    The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3
    uses Kernel#open, which might allow Command Injection attacks, as
    demonstrated by a Resolv::Hosts::new argument beginning with a '|'
    character, a different vulnerability than CVE-2017-17405. NOTE:
    situations with untrusted input may be highly unlikely.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/9026");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-17405");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2017-17790");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:ruby");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:ruby-irb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:ruby-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rubygem-bigdecimal");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rubygem-io-console");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rubygem-json");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rubygem-psych");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rubygem-rdoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rubygems");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:7");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^7([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 7.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '7',
    'pkgs': [
      {'reference':'ruby-2.0.0.648-33.0.1.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'ruby-irb-2.0.0.648-33.0.1.el7.AXS7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'ruby-libs-2.0.0.648-33.0.1.el7.AXS7', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'ruby-libs-2.0.0.648-33.0.1.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rubygem-bigdecimal-1.2.0-33.0.1.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rubygem-io-console-0.4.2-33.0.1.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rubygem-json-1.7.7-33.0.1.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rubygem-psych-2.0.0-33.0.1.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rubygem-rdoc-4.0.0-33.0.1.el7.AXS7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rubygems-2.0.14.1-33.0.1.el7.AXS7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ruby / ruby-irb / ruby-libs / rubygem-bigdecimal / etc');
}