CVSS2: 6.4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3: 9.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 8.4 High (Confidence: High)
EPSS: 0.018 Low (Percentile: 88.4%)
The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python packages installed that are affected by multiple vulnerabilities:

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4 and 2.7 are believed to be vulnerable. (CVE-2018-14647)

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. (CVE-2019-9947)

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. (CVE-2019-9948)

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. (CVE-2019-9740)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
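A defensive pre-check for the urllib issues above, as an added example that is not part of the Nessus plugin or the ZTE advisory: it refuses control characters in the raw URL before parsing (the CRLF path and query cases of CVE-2019-9947 and CVE-2019-9740) and allow-lists schemes instead of blacklisting file: (the local_file: case of CVE-2019-9948). The function names and sample URLs are constructed for this example.

```python
"""Allow-list URL validation before a caller-supplied URL reaches urlopen.

Added example, not code from the plugin or the advisory. The two checks map
to the advisory's failure modes: CRLF in path or query (CVE-2019-9740 /
CVE-2019-9947) and a scheme alias such as local_file: bypassing a blacklist
of file: URIs (CVE-2019-9948).
"""
from urllib.parse import urlsplit

# Allow-list of schemes the application actually needs. A blacklist of
# "file" would have missed "local_file", which is exactly the bypass the
# advisory describes.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def validate_url(url: str) -> str:
    """Return url unchanged if it is acceptable, else raise ValueError."""
    # Check the raw string first: newer urlsplit() strips \t\r\n before
    # splitting, which would hide the injection from a post-parse check,
    # while the affected urllib versions wrote them into the request line.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        raise ValueError("control character in URL")
    parts = urlsplit(url)
    # Anything not on the allow-list is refused, including an empty scheme
    # (urlsplit does not recognise "local_file" as a scheme at all and
    # returns '' for it, so it lands here as well).
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("URL has no host component")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean wrapper around validate_url for callers that prefer no exceptions."""
    try:
        validate_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: one benign URL and the shapes the advisory names.
    for sample in ("https://example.com/api?q=1",
                   "http://example.com/a\r\nX-Test: 1",
                   "local_file:///etc/passwd"):
        print(repr(sample), "->", is_safe_url(sample))
```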
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2019-0187. The text
# itself is copyright (C) ZTE, Inc.

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(129884);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/18");

  script_cve_id(
    "CVE-2018-14647",
    "CVE-2019-5010",
    "CVE-2019-9740",
    "CVE-2019-9947",
    "CVE-2019-9948"
  );

  script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2019-0187)");

  script_set_attribute(attribute:"synopsis", value:
"The remote machine is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python packages installed that are affected by
multiple vulnerabilities:

  - Python's elementtree C accelerator failed to initialise
    Expat's hash salt during initialization. This could make
    it easy to conduct denial of service attacks against
    Expat by constructing an XML document that would cause
    pathological hash collisions in Expat's internal data
    structures, consuming large amounts CPU and RAM. Python
    3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be
    vulnerable. (CVE-2018-14647)

  - An issue was discovered in urllib2 in Python 2.x through
    2.7.16 and urllib in Python 3.x through 3.7.3. CRLF
    injection is possible if the attacker controls a url
    parameter, as demonstrated by the first argument to
    urllib.request.urlopen with
    (specifically in the
    path component of a URL that lacks a ? character)
    followed by an HTTP header or a Redis command. This is
    similar to the CVE-2019-9740 query string issue.
    (CVE-2019-9947)

  - urllib in Python 2.x through 2.7.16 supports the
    local_file: scheme, which makes it easier for remote
    attackers to bypass protection mechanisms that blacklist
    file: URIs, as demonstrated by triggering a
    urllib.urlopen('local_file:///etc/passwd') call.
    (CVE-2019-9948)

  - An issue was discovered in urllib2 in Python 2.x through
    2.7.16 and urllib in Python 3.x through 3.7.3. CRLF
    injection is possible if the attacker controls a url
    parameter, as demonstrated by the first argument to
    urllib.request.urlopen with
    (specifically in the
    query string after a ? character) followed by an HTTP
    header or a Redis command. (CVE-2019-9740)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0187");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL python packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9948");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local checks must be enabled, and the target must report a CGSL release.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/ZTE-CGSL/release");
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");

if (release !~ "CGSL CORE 5.04" &&
    release !~ "CGSL MAIN 5.04")
  audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');

if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);

flag = 0;

# Fixed package versions per release; any installed package older than the
# listed reference is flagged by rpm_check().
pkgs = {
  "CGSL CORE 5.04": [
    "python-2.7.5-86.el7.cgslv5.0.1.g0527923.lite",
    "python-debug-2.7.5-86.el7.cgslv5.0.1.g0527923.lite",
    "python-debuginfo-2.7.5-86.el7.cgslv5.0.1.g0527923.lite",
    "python-devel-2.7.5-86.el7.cgslv5.0.1.g0527923.lite",
    "python-libs-2.7.5-86.el7.cgslv5.0.1.g0527923.lite",
    "python-test-2.7.5-86.el7.cgslv5.0.1.g0527923.lite",
    "python-tools-2.7.5-86.el7.cgslv5.0.1.g0527923.lite",
    "tkinter-2.7.5-86.el7.cgslv5.0.1.g0527923.lite"
  ],
  "CGSL MAIN 5.04": [
    "python-2.7.5-86.el7.cgslv5.0.1.g0527923",
    "python-debug-2.7.5-86.el7.cgslv5.0.1.g0527923",
    "python-debuginfo-2.7.5-86.el7.cgslv5.0.1.g0527923",
    "python-devel-2.7.5-86.el7.cgslv5.0.1.g0527923",
    "python-libs-2.7.5-86.el7.cgslv5.0.1.g0527923",
    "python-test-2.7.5-86.el7.cgslv5.0.1.g0527923",
    "python-tools-2.7.5-86.el7.cgslv5.0.1.g0527923",
    "tkinter-2.7.5-86.el7.cgslv5.0.1.g0527923"
  ]
};
pkg_list = pkgs[release];

foreach (pkg in pkg_list)
  if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python");
}
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948
http://security.gd-linux.com/notice/NS-SA-2019-0187