ID OPENSUSE-2019-2233.NASL Type nessus Reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-03-02T00:00:00
Description
This update for u-boot fixes the following issues:
Security issues fixed:
- CVE-2019-13106: Fixed a stack-based buffer overflow via a
crafted ext4 filesystem that may lead to code execution
(bsc#1144656).
- CVE-2019-13104: Fixed an underflow that could cause
memcpy() to overwrite a very large amount of data via a
crafted ext4 filesystem (bsc#1144675).
This update was imported from the SUSE:SLE-15-SP1:Update update
project.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2019-2233.
#
# The text description of this plugin is (C) SUSE LLC.
#
include("compat.inc");
# Registration pass: when `description` is set, only the plugin metadata below
# is recorded and the script stops at exit(0); none of the package checks that
# follow this block are executed in that pass.
if (description)
{
script_id(129523);
script_version("1.2");
script_cvs_date("Date: 2019/12/23");
# One package update covers both CVEs, so a single finding is reported for the pair.
script_cve_id("CVE-2019-13104", "CVE-2019-13106");
script_name(english:"openSUSE Security Update : u-boot (openSUSE-2019-2233)");
script_summary(english:"Check for the openSUSE-2019-2233 patch");
script_set_attribute(
attribute:"synopsis",
value:"The remote openSUSE host is missing a security update."
);
# Advisory text as extracted from the openSUSE update; both issues are
# described as being reached through a crafted ext4 filesystem.
script_set_attribute(
attribute:"description",
value:
"This update for u-boot fixes the following issues :
Security issues fixed :
- CVE-2019-13106: Fixed stack-based buffer overflow via a
crafted ext4 filesystem that may lead to code execution
(bsc#1144656).
- CVE-2019-13104: Fixed an underflow that could cause
memcpy() to overwrite a very large amount of data via a
crafted ext4 filesystem (bsc#1144675).
This update was imported from the SUSE:SLE-15-SP1:Update update
project."
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1144656"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1144675"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected u-boot packages."
);
# NOTE(review): the two base vectors disagree on reachability. The CVSS v2
# vector says network (AV:N), the CVSS v3 vector says local with user
# interaction required (AV:L, UI:R). The description above names a crafted
# ext4 filesystem as the trigger, so do not prioritise on the v2 "network"
# label alone.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
# "local" plugin type: the verdict comes from data collected on the host
# (see the required KB keys below), not from probing a network service.
script_set_attribute(attribute:"plugin_type", value:"local");
# Only the u-boot-tools package and its debuginfo are listed, for openSUSE 15.1.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:u-boot-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:u-boot-tools-debuginfo");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/06");
script_set_attribute(attribute:"patch_publication_date", value:"2019/10/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/02");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"SuSE Local Security Checks");
# ssh_get_info.nasl is declared as a prerequisite; presumably it fills the
# knowledge-base keys required below from an authenticated login - confirm.
script_dependencies("ssh_get_info.nasl");
# The plugin is only scheduled when all four KB keys exist, so a host scanned
# without working local checks produces no result from this plugin.
script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Detection pass: decides from the knowledge-base data recorded for the host
# whether the openSUSE-2019-2233 package update is missing.
# Each precondition below hands off to audit() (from audit.inc) when it fails;
# the later lines assume audit() ends the run - TODO confirm.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
# SLED/SLES releases are rejected here; this plugin is for openSUSE only.
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
# Anchored match: only the exact release string "SUSE15.1" is assessed.
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
# NOTE(review): only x86_64 is assessed. A host reporting any other CPU
# architecture is audited out with AUDIT_ARCH_NOT and gets no verdict from
# this plugin, so the absence of a finding there is not evidence of a patched
# system.
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
# Counts how many of the package checks below report a hit.
flag = 0;
# rpm_check() comes from rpm.inc; presumably it is true when the installed
# package is older than the reference version given - confirm against rpm.inc.
if ( rpm_check(release:"SUSE15.1", reference:"u-boot-tools-2019.01-lp151.6.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"u-boot-tools-debuginfo-2019.01-lp151.6.3.1") ) flag++;
# NOTE(review): the verdict rests on the two package versions above only.
# It says nothing about a U-Boot image that was installed outside the package
# manager.
if (flag)
{
# At least one check hit: report on port 0, attaching the rpm.inc report text
# when report_verbosity is above 0.
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
}
else
{
# No hit: tell "packages present but not affected" apart from "packages not
# installed", based on what pkg_tests_get() returns.
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "u-boot-tools / u-boot-tools-debuginfo");
}
{"id": "OPENSUSE-2019-2233.NASL", "bulletinFamily": "scanner", "title": "openSUSE Security Update : u-boot (openSUSE-2019-2233)", "description": "This update for u-boot fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2019-13106: Fixed stack-based buffer overflow via a\n crafted ext4 filesystem that may lead to code execution\n (bsc#1144656).\n\n - CVE-2019-13104: Fixed an underflow that could cause\n memcpy() to overwrite a very large amount of data via a\n crafted ext4 filesystem (bsc#1144675).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.", "published": "2019-10-02T00:00:00", "modified": "2021-03-02T00:00:00", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}, "href": "https://www.tenable.com/plugins/nessus/129523", "reporter": "This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1144675", "https://bugzilla.opensuse.org/show_bug.cgi?id=1144656"], "cvelist": ["CVE-2019-13104", "CVE-2019-13106"], "type": "nessus", "lastseen": "2021-03-01T04:45:02", "edition": 19, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-13106", "CVE-2019-13104"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310852725", "OPENVAS:1361412562310852827"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2235-1", "OPENSUSE-SU-2019:2233-1"]}, {"type": "nessus", "idList": ["SUSE_SU-2019-2475-1.NASL", "SUSE_SU-2019-2474-1.NASL", "OPENSUSE-2019-2235.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:D0762E9D61E59AD261E8F24340AE261C"]}], "modified": "2021-03-01T04:45:02", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-03-01T04:45:02", "rev": 2}, "vulnersScore": 6.6}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-2233.\n#\n# The 
text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129523);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/23\");\n\n script_cve_id(\"CVE-2019-13104\", \"CVE-2019-13106\");\n\n script_name(english:\"openSUSE Security Update : u-boot (openSUSE-2019-2233)\");\n script_summary(english:\"Check for the openSUSE-2019-2233 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for u-boot fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2019-13106: Fixed stack-based buffer overflow via a\n crafted ext4 filesystem that may lead to code execution\n (bsc#1144656).\n\n - CVE-2019-13104: Fixed an underflow that could cause\n memcpy() to overwrite a very large amount of data via a\n crafted ext4 filesystem (bsc#1144675).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1144656\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1144675\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected u-boot packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:u-boot-tools\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:u-boot-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"u-boot-tools-2019.01-lp151.6.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"u-boot-tools-debuginfo-2019.01-lp151.6.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"u-boot-tools / u-boot-tools-debuginfo\");\n}\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "129523", "cpe": ["cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:u-boot-tools", "p-cpe:/a:novell:opensuse:u-boot-tools-debuginfo"], "scheme": null, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2021-02-02T07:12:50", "description": "Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution.", "edition": 9, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-06T20:15:00", "title": "CVE-2019-13106", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13106"], "modified": "2019-10-01T18:15:00", "cpe": ["cpe:/a:denx:u-boot:2019.07", "cpe:/a:denx:u-boot:2019.04"], "id": "CVE-2019-13106", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13106", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}, "cpe23": ["cpe:2.3:a:denx:u-boot:2019.07:-:*:*:*:*:*:*", "cpe:2.3:a:denx:u-boot:2019.07:rc1:*:*:*:*:*:*", "cpe:2.3:a:denx:u-boot:2019.07:rc3:*:*:*:*:*:*", "cpe:2.3:a:denx:u-boot:2019.07:rc4:*:*:*:*:*:*", "cpe:2.3:a:denx:u-boot:2019.04:*:*:*:*:*:*:*", "cpe:2.3:a:denx:u-boot:2019.07:rc2:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:12:50", "description": "In Das U-Boot versions 2016.11-rc1 through 
2019.07-rc4, an underflow can cause memcpy() to overwrite a very large amount of data (including the whole stack) while reading a crafted ext4 filesystem.", "edition": 9, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-06T19:15:00", "title": "CVE-2019-13104", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13104"], "modified": "2019-10-01T18:15:00", "cpe": ["cpe:/a:denx:u-boot:2019.07", "cpe:/a:denx:u-boot:2019.04"], "id": "CVE-2019-13104", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13104", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:denx:u-boot:2019.07:-:*:*:*:*:*:*", "cpe:2.3:a:denx:u-boot:2019.07:rc1:*:*:*:*:*:*", "cpe:2.3:a:denx:u-boot:2019.07:rc3:*:*:*:*:*:*", "cpe:2.3:a:denx:u-boot:2019.07:rc4:*:*:*:*:*:*", "cpe:2.3:a:denx:u-boot:2019.04:*:*:*:*:*:*:*", "cpe:2.3:a:denx:u-boot:2019.07:rc2:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-01-31T16:30:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13104", "CVE-2019-13106"], "description": "The remote host is missing an update for 
the ", "modified": "2020-01-31T00:00:00", "published": "2020-01-09T00:00:00", "id": "OPENVAS:1361412562310852827", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852827", "type": "openvas", "title": "openSUSE: Security Advisory for u-boot (openSUSE-SU-2019:2233-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852827\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-13104\", \"CVE-2019-13106\");\n script_tag(name:\"cvss_base\", value:\"8.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 09:33:40 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"openSUSE: Security Advisory for u-boot (openSUSE-SU-2019:2233-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:2233-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00002.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'u-boot'\n package(s) announced via the openSUSE-SU-2019:2233-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for u-boot fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2019-13106: Fixed stack buffer overflow via a crafted ext4\n filesystem that may lead to code execution (bsc#1144656).\n\n - CVE-2019-13104: Fixed an underflow that could cause memcpy() to\n overwrite a very large amount of data via a crafted ext4 filesystem\n (bsc#1144675).\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-2233=1\");\n\n script_tag(name:\"affected\", value:\"'u-boot' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"u-boot-tools\", 
rpm:\"u-boot-tools~2019.01~lp151.6.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"u-boot-tools-debuginfo\", rpm:\"u-boot-tools-debuginfo~2019.01~lp151.6.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2020-01-31T16:47:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13104", "CVE-2019-13106"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-10-02T00:00:00", "id": "OPENVAS:1361412562310852725", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852725", "type": "openvas", "title": "openSUSE: Security Advisory for u-boot (openSUSE-SU-2019:2235-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852725\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-13104\", \"CVE-2019-13106\");\n script_tag(name:\"cvss_base\", value:\"8.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-10-02 02:00:57 +0000 (Wed, 02 Oct 2019)\");\n script_name(\"openSUSE: Security Advisory for u-boot (openSUSE-SU-2019:2235-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:2235-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00004.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'u-boot'\n package(s) announced via the openSUSE-SU-2019:2235-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for u-boot fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2019-13106: Fixed stack buffer overflow via a crafted ext4\n filesystem that may lead to code execution (bsc#1144656).\n\n - CVE-2019-13104: Fixed an underflow that could cause memcpy() to\n overwrite a very large amount of data via a crafted ext4 
filesystem\n (bsc#1144675).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-2235=1\");\n\n script_tag(name:\"affected\", value:\"'u-boot' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"u-boot-tools\", rpm:\"u-boot-tools~2018.03~lp150.4.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"u-boot-tools-debuginfo\", rpm:\"u-boot-tools-debuginfo~2018.03~lp150.4.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "suse": [{"lastseen": "2019-10-01T22:27:43", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13104", "CVE-2019-13106"], "description": "This update for u-boot fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2019-13106: Fixed stack buffer overflow via a crafted ext4\n filesystem that may lead to code execution (bsc#1144656).\n - CVE-2019-13104: Fixed an underflow that could cause memcpy() to\n overwrite a very large amount of data via a crafted ext4 filesystem\n (bsc#1144675).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", 
"edition": 1, "modified": "2019-10-01T21:12:29", "published": "2019-10-01T21:12:29", "id": "OPENSUSE-SU-2019:2235-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00004.html", "title": "Security update for u-boot (moderate)", "type": "suse", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2019-10-01T20:27:14", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13104", "CVE-2019-13106"], "description": "This update for u-boot fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2019-13106: Fixed stack buffer overflow via a crafted ext4\n filesystem that may lead to code execution (bsc#1144656).\n - CVE-2019-13104: Fixed an underflow that could cause memcpy() to\n overwrite a very large amount of data via a crafted ext4 filesystem\n (bsc#1144675).\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n", "edition": 1, "modified": "2019-10-01T18:21:56", "published": "2019-10-01T18:21:56", "id": "OPENSUSE-SU-2019:2233-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00002.html", "title": "Security update for u-boot (moderate)", "type": "suse", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "nessus": [{"lastseen": "2021-01-20T12:48:41", "description": "This update for u-boot fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2019-13106: Fixed stack-based buffer overflow via a\n crafted ext4 filesystem that may lead to code execution\n (bsc#1144656).\n\n - CVE-2019-13104: Fixed an underflow that could cause\n memcpy() to overwrite a very large amount of data via a\n crafted ext4 filesystem (bsc#1144675).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "edition": 15, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-10-02T00:00:00", "title": "openSUSE Security Update : u-boot (openSUSE-2019-2235)", "type": "nessus", "bulletinFamily": "scanner", 
"cvelist": ["CVE-2019-13104", "CVE-2019-13106"], "modified": "2019-10-02T00:00:00", "cpe": ["cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:u-boot-tools", "p-cpe:/a:novell:opensuse:u-boot-tools-debuginfo"], "id": "OPENSUSE-2019-2235.NASL", "href": "https://www.tenable.com/plugins/nessus/129525", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-2235.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129525);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2019-13104\", \"CVE-2019-13106\");\n\n script_name(english:\"openSUSE Security Update : u-boot (openSUSE-2019-2235)\");\n script_summary(english:\"Check for the openSUSE-2019-2235 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for u-boot fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2019-13106: Fixed stack-based buffer overflow via a\n crafted ext4 filesystem that may lead to code execution\n (bsc#1144656).\n\n - CVE-2019-13104: Fixed an underflow that could cause\n memcpy() to overwrite a very large amount of data via a\n crafted ext4 filesystem (bsc#1144675).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1144656\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1144675\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected u-boot packages.\"\n 
);\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:u-boot-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:u-boot-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"u-boot-tools-2018.03-lp150.4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"u-boot-tools-debuginfo-2018.03-lp150.4.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"u-boot-tools / u-boot-tools-debuginfo\");\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2021-03-01T07:03:15", "description": "This update for u-boot fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2019-13106: Fixed stack-based buffer overflow via a crafted ext4\nfilesystem that may lead to code execution (bsc#1144656).\n\nCVE-2019-13104: Fixed an underflow that could cause memcpy() to\noverwrite a very large amount of data via a crafted ext4 filesystem\n(bsc#1144675).\n\nNote that Tenable Network Security has extracted the 
preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-09-27T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : u-boot (SUSE-SU-2019:2474-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13104", "CVE-2019-13106"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:u-boot-tools", "p-cpe:/a:novell:suse_linux:u-boot-tools-debuginfo"], "id": "SUSE_SU-2019-2474-1.NASL", "href": "https://www.tenable.com/plugins/nessus/129402", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2474-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129402);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/23\");\n\n script_cve_id(\"CVE-2019-13104\", \"CVE-2019-13106\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : u-boot (SUSE-SU-2019:2474-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for u-boot fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2019-13106: Fixed stack-based buffer overflow via a crafted ext4\nfilesystem that may lead to code execution (bsc#1144656).\n\nCVE-2019-13104: Fixed an underflow that could cause memcpy() to\noverwrite a very large amount of data via a crafted ext4 filesystem\n(bsc#1144675).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block 
directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1144656\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1144675\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-13104/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-13106/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192474-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6a11959e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2019-2474=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:u-boot-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:u-boot-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2019/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"u-boot-tools-2018.03-4.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"u-boot-tools-debuginfo-2018.03-4.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"u-boot-tools-2018.03-4.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"u-boot-tools-debuginfo-2018.03-4.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"u-boot\");\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2021-03-01T07:03:15", "description": "This update for u-boot fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2019-13106: Fixed stack-based buffer overflow via a crafted ext4\nfilesystem that may lead to code execution (bsc#1144656).\n\nCVE-2019-13104: Fixed an underflow that could cause memcpy() to\noverwrite a very large amount of data via a crafted ext4 filesystem\n(bsc#1144675).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-09-27T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : u-boot (SUSE-SU-2019:2475-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13104", "CVE-2019-13106"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:u-boot-tools", "p-cpe:/a:novell:suse_linux:u-boot-tools-debuginfo"], "id": "SUSE_SU-2019-2475-1.NASL", "href": "https://www.tenable.com/plugins/nessus/129403", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2475-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129403);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/23\");\n\n script_cve_id(\"CVE-2019-13104\", \"CVE-2019-13106\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : u-boot (SUSE-SU-2019:2475-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for u-boot fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2019-13106: Fixed stack-based buffer overflow via a crafted ext4\nfilesystem that may lead to code execution (bsc#1144656).\n\nCVE-2019-13104: Fixed an underflow that could cause memcpy() to\noverwrite a very large amount of data via a crafted ext4 filesystem\n(bsc#1144675).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1144656\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1144675\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-13104/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-13106/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192475-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b22dd135\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15-SP1:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2475=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-SP1-2019-2475=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:u-boot-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:u-boot-tools-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! 
preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"u-boot-tools-2019.01-7.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"u-boot-tools-debuginfo-2019.01-7.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"u-boot-tools-2019.01-7.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"u-boot-tools-debuginfo-2019.01-7.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"u-boot\");\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "threatpost": [{"lastseen": "2020-10-15T22:29:26", "bulletinFamily": "info", "cvelist": ["CVE-2019-13103", "CVE-2019-13104", "CVE-2019-13105", "CVE-2019-13106", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "description": "Multiple vulnerabilities have been found in [Das U-Boot](<https://www.denx.de/wiki/U-Boot>), a universal bootloader commonly used in embedded devices like Amazon Kindles, ARM Chromebooks and networking hardware. The bugs could allow attackers to gain full control of an impacted device\u2019s CPU and modify anything they choose.\n\nResearchers at ForAllSecure found the flaws in U-Boot\u2019s file system drivers. They include a recursive stack overflow in the DOS partition parser, a pair of buffer-overflows in ext4 and a double-free memory corruption flaw in ext4. They open the door to denial-of-service attacks, device takeover and code-execution.\n\nThere are both local and remote paths to exploitation for these flaws. 
If a vulnerable device is configured to boot from external media, such as an SD card or USB drive, attackers with physical access could subvert the normal boot process of the device and control the loading of the operating system, giving them substantial control over the device.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIf the device is configured to network boot, remote attackers could use an initial method to compromise the corporate or Wi-Fi network that a target device is attached to (including social-engineering malware onto a victim\u2019s endpoint or exploiting known vulnerabilities), and from there attack the U-Boot device from that local network location.\n\n\u201cThe most obvious route for exploitation requires physical access, and could either cause denial of service (possible device bricking) or could subvert the boot process for a device or possibly bypass trusted boot,\u201d Maxwell Koo, ForAllSecure analysis engineer, told Threatpost in an interview. \u201cIf device is configured to allow pxe boot and is configured with CONFIG_CMD_FS_GENERIC, there is a possible network avenue of exploitation via CVE-2019-13104 through -13106, with the same impact.\u201d\n\nHe added, \u201cI\u2019d say it would take moderate-to-high expertise to develop an initial exploit for a given device.\u201d\n\n## Technical Details\n\nCVE-2019-13103 is a stack overflow that affects all versions of U-Boot in the archives; it occurs when reading a DOS partition table that refers to itself. 
This causes the \u201cpart_get_info_extended\u201d function to call itself repeatedly with the same arguments, causing unbounded stack growth.\n\n\u201cOn QEMU\u2019s vexpress-a15 board, the CPU returns to 0 but continues executing NOPs until it hits data and executes it,\u201d according to the [GitHub write-up](<https://gist.github.com/deephooloovoo/d91b81a1674b4750e662dfae93804d75>) from the ForAllSecure interns who discovered the flaws, Paul Emge and Zion Basque.\n\nIn a technical analysis shared with Threatpost, the researchers explained that in testing, an emulated [ARM CPU](<https://threatpost.com/google-arm-android-bugs-memory-tagging/146950/>) \u201cis happy to execute a bunch of NOPs from this memory location, until, after many megabytes, it reaches some data and returns to 0 again.\u201d This would lead to DoS, but depending on the exact system and software installed, something worse could happen.\n\n\u201cFor example, other data in this part of the address space could get executed and lead to other anomalous behaviors, including the ability to run attacker provided code,\u201d they wrote.\n\nAs for the buffer-overflow flaws, CVE-2019-13104 affects U-Boot versions 2016.11-rc1 through 2019.07-rc4. At ext4fs.c:74 it is possible for len to underflow while listing files in a crafted filesystem.\n\n\u201cIf this happens, eventually there is a memcpy with a negative (so effectively infinite) length,\u201d the research pair wrote. \u201cThis causes all of memory to be overwritten until [in sandbox testing], it segfaults\u2026There\u2019s definitely memory corruption.\u201d\n\nThe second, more serious buffer-overflow issue is CVE-2019-13106, affecting U-Boot versions 2016.09 through 2019.07-rc4. The ext4 code can overwrite portions of the stack with 0s in the ext4fs_read_file function, while listing files in an untrusted filesystem. 
Researchers said that the bug could \u201ceasily give complete control of the CPU,\u201d which would defeat verified boot.\n\n\u201cThe bug occurs when a filename (or potentially some other structure) is located across a block boundary,\u201d explained the researchers in the GitHub post. \u201cThe number of 0s written to the stack is controllable by changing the position of the filename.\u201d\n\nAnd in CVE-2019-13105, which affects U-Boot versions 2019.07-rc1 through 2019.07-rc4, if there is an invalid/out-of-bounds block number, ext_cache_read doesn\u2019t set the freed cache->buf to 0, which results in a double-free issue in ext_cache_ini. A double-free vulnerability occurs when, as the name says, a variable is free()\u2019d twice. The pointer variable is still usable after the first free(), but the memory it points to may already have been freed.\n\nForAllSecure also found five low-severity divide-by-zero bugs, triggered by invalid extended file systems.\n\nU-Boot patched the bugs as of its v. 2019.10 release \u2013 but devices are likely still vulnerable given that the update process is controlled by the vendor of the device rather than U-Boot itself.\n\n\u201cAs a bootloader, which is often used in embedded devices with a long/non-existent update cycle, the unpatched code is likely present and will remain present on many devices for some time,\u201d Koo told Threatpost. \u201cSeverity depends somewhat on configuration of the device in question (U-Boot is pretty configurable and this will differ a lot between devices).\u201d\n\nAmazon did not immediately respond to a request for comment.\n\nIf support for DOS partitions or ext4 filesystem images is not present in the U-Boot configuration of a device, then the bugs have no impact.\n\n**_What are the top risks to modern enterprises in the peak era of data breaches? 
Find out: Join breach expert Chip Witt from SpyCloud and Threatpost senior editor Tara Seals, in our upcoming free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_, \u201cTrends in Fortune 1000 Breach Exposure.\u201d _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_._**\n", "modified": "2019-11-07T17:31:06", "published": "2019-11-07T17:31:06", "id": "THREATPOST:D0762E9D61E59AD261E8F24340AE261C", "href": "https://threatpost.com/amazon-kindle-embedded-devices-code-execution/150003/", "type": "threatpost", "title": "Amazon Kindle, Embedded Devices Open to Code-Execution", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}]}