nessus
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
ORACLELINUX_ELSA-2024-3233.NASL
May 28, 2024 - 12:00 a.m.

Oracle Linux 8 : libssh (ELSA-2024-3233)

2024-05-28 00:00:00
www.tenable.com
oracle linux 8
libssh
vulnerabilities
elsa-2024-3233
advisory

CVSS2: 9.3 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 8.3 High (Confidence: Low)

EPSS: 0.963 High (Percentile: 99.5%)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-3233 advisory.

[0.9.6-14]
- Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
- Fix CVE-2023-6918 Missing checks for return values for digests
- Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection of malicious code through hostname
- Note: version is bumped from 12 to 14 directly, as the z-stream version in 8.9 also has 13. So bumping it to 14, will prevent upgrade conflicts.
- Resolves:RHEL-19690, RHEL-17244, RHEL-19312

[0.9.6-12]
- Fix loglevel regression
- Related: rhbz#2182251, rhbz#2189742

[0.9.6-11]
- .fmf/version is needed to run the tests
- Related: rhbz#2182251, rhbz#2189742

[0.9.6-10]
- Add missing ci.fmf file
- Related: rhbz#2182251, rhbz#2189742

[0.9.6-9]
- Fix covscan errors found at gating
- Related: rhbz#2182251, rhbz#2189742

[0.9.6-8]
- Backport test fixing commits to make the build pass
- Related: rhbz#2182251, rhbz#2189742

[0.9.6-7]
- Fix NULL dereference during rekeying with algorithm guessing GHSL-2023-032 / CVE-2023-1667
- Fix possible authentication bypass GHSL 2023-085 / CVE-2023-2283
- Resolves: rhbz#2182251, rhbz#2189742

[0.9.6-6]
- Enable client and server testing build time
- Fix failing rekey test on arch s390x
- Resolves: rhbz#2126342

[0.9.6-5]
- Fix CI configuration for new TMT
- Resolves: rhbz#2149910

[0.9.6-4]
- Make VERBOSE and lower log levels less verbose
- Resolves: rhbz#2091512

[0.9.6-3]
- Remove STI tests

[0.9.6-2]
- Remove bad patch causing errors
- Adding BuildRequires for openssh (SSHD support)

[0.9.6-1]
- Fix CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with different key exchange mechanism
- Rebase to version 0.9.6
- Rename SSHD_EXECUTABLE to SSH_EXECUTABLE in tests/torture.c
- Resolves: rhbz#1896651, rhbz#1994600

[0.9.4-4]
- Revert previous commit as it is incorrect.

[0.9.6-1]
- Fix CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with different key exchange mechanism (#1978810)

[0.9.4-3]
- Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if ssh_buffer_new returns NULL (#1862646)

[0.9.4-2]
- Do not return error when server properly closed the channel (#1849071)
- Add a test for CVE-2019-14889
- Do not parse configuration file in torture_knownhosts test

[0.9.4-1]
- Update to version 0.9.4 https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
- Fixed CVE-2019-14889 (#1781782)
- Fixed CVE-2020-1730 (#1802422)
- Create missing directories in the path provided for known_hosts files (#1733914)
- Removed inclusion of OpenSSH server configuration file from libssh_server.config (#1821339)

[0.9.0-4]
- Skip 1024 bits RSA key generation test in FIPS mode (#1734485)

[0.9.0-3]
- Add Obsoletes in libssh-config to avoid conflict with old libssh which installed the configuration files.

[0.9.0-2]
- Eliminate circular dependency with libssh-config subpackage

[0.9.0-1]
- Update to version 0.9.0 https://www.libssh.org/2019/06/28/libssh-0-9-0/
- Added explicit Requires for crypto-policies
- Do not ignore known_hosts keys when SSH_OPTIONS_HOSTKEYS is set
- Provide the configuration files in a separate libssh-config subpackage

[0.8.91-0.1]
- Update to 0.9.0 pre release version (0.8.91)
- Added default configuration files for client and server
- Removed unused patch files left behind
- Fixed issues found to run upstream test suite with SELinux

[0.8.5-2]
- Fix more regressions introduced by the fixes for CVE-2018-10933

[0.8.5-1]
- Update to version 0.8.5
  * Fixed an issue where global known_hosts file was ignored (#1649321)
  * Fixed ssh_get_fd() to return writable file descriptor (#1649319)
  * Fixed regression introduced in known_hosts parsing (#1649315)
  * Fixed a regression which caused only the first algorithm in known_hosts to be considered (#1638790)

[0.8.3-5]
- Fix regressions introduced by the fixes for CVE-2018-10933

[0.8.3-4]
- Fix for authentication bypass issue in server implementation (#1639926)

[0.8.3-3]
- Fixed errors found by static code analysis (#1602594)

[0.8.3-1]
- Update to version 0.8.3
  * Added support for rsa-sha2 (#1610882)
  * Added support to parse private keys in openssh container format (other than ed25519) (#1622983)
  * Added support for diffie-hellman-group18-sha512 and diffie-hellman-group16-sha512 (#1610885)
  * Added ssh_get_fingerprint_hash()
  * Added ssh_pki_export_privkey_base64()
  * Added support for Match keyword in config file
  * Improved performance and reduced memory footprint for sftp
  * Fixed ecdsa publickey auth
  * Fixed reading a closed channel
  * Added support to announce [email protected] and [email protected] in the sftp server
  * Use -fstack-protector-strong if possible (#1624135)

[0.8.1-4]
- Fix the creation of symbolic links for libssh_threads.so.4

[0.8.1-3]
- Add missing Provides for libssh_threads.so.4

[0.8.1-2]
- Add Provides for libssh_threads.so to unbreak applications
- Fix ABIMap detection to not depend on python to build

[0.8.1-1]
- Update to version 0.8.1 https://www.libssh.org/2018/08/13/libssh-0-8-1/

[0.8.0-1]
- Update to version 0.8.0 https://www.libssh.org/2018/08/10/libssh-0-8-0/

[0.7.5-9]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

[0.7.5-8]
- BR: gcc-c++, use %make_build

[0.7.5-7]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
- Related: bug#1614611

[0.7.5-6]
- resolves: #1540021 - Build against OpenSSL 1.1

[0.7.5-5]
- Switch to %ldconfig_scriptlets

[0.7.5-4]
- Fix parsing ssh_config

[0.7.5-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

[0.7.5-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

[0.7.5-1]
- Update to version 0.7.5

[0.7.4-2]
- BR: compat-openssl10-devel (f26+, #1423088)
- use %license
- -devel: drop hardcoded pkgconfig dep (let autodeps handle it)
- %files: track library sonames, simplify -devel
- %install: use 'install/fast' target
- .spec cosmetics, drop deprecated %clean section

[0.7.4-1]
- Update to version 0.7.4
  * Added id_ed25519 to the default identity list
  * Fixed sftp EOF packet handling
  * Fixed ssh_send_banner() to confirm with RFC 4253
  * Fixed some memory leaks
- resolves: #1419007

[0.7.3-1]
- resolves: #1311259 - Fix CVE-2016-0739
- resolves: #1311332 - Update to version 0.7.3
  * Fixed CVE-2016-0739
  * Fixed ssh-agent on big endian
  * Fixed some documentation issues
- Enabled GSSAPI support

[0.7.2-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

[0.7.2-2]
- resolves: #1271230 - Fix ssh-agent support on big endian

[0.7.2-1]
- Update to version 0.7.2
  * Fixed OpenSSL detection on Windows
  * Fixed return status for ssh_userauth_agent()
  * Fixed KEX to prefer hmac-sha2-256
  * Fixed sftp packet handling
  * Fixed return values of ssh_key_is_(public|private)
  * Fixed bug in global success reply
- resolves: #1267346

[0.7.1-1]
- Update to version 0.7.1
  * Fixed SSH_AUTH_PARTIAL auth with auto public key
  * Fixed memory leak in session options
  * Fixed allocation of ed25519 public keys
  * Fixed channel exit-status and exit-signal
  * Reintroduce ssh_forward_listen()

[0.7.0-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

[0.7.0-2]
- Add patch to fix undefined symbol: ssh_forward_listen (bug #1221310)

[0.7.0-1]
- Update to version 0.7.0
  * Added support for ed25519 keys
  * Added SHA2 algorithms for HMAC
  * Added improved and more secure buffer handling code
  * Added callback for auth_none_function
  * Added support for ECDSA private key signing
  * Added more tests
  * Fixed a lot of bugs
  * Improved API documentation

[0.6.5-1]
- resolves: #1213775 - Security fix for CVE-2015-3146
- resolves: #1218076 - Security fix for CVE-2015-3146

[0.6.4-1]
- Security fix for CVE-2014-8132.

[0.6.3-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

[0.6.3-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

[0.6.3-1]
- Fix CVE-2014-0017.

[0.6.1-1]
- Update to version 0.6.1.
- resolves: #1056757 - Fix scp mode.
- resolves: #1053305 - Fix known_hosts heuristic.

[0.6.0-1]
- Update to 0.6.0

[0.5.5-1]
- Update to 0.5.5.
- Cleanup the spec file.

[0.5.4-5]
- Add EPEL 5 support.
- Add Debian patches to enable Doxygen documentation.

[0.5.4-4]
- Add patch for #982685.

[0.5.4-3]
- Clean up SPEC file and fix rpmlint complaints.

[0.5.4-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

[0.5.4-1]
- update to security 0.5.4 release
- CVE-2013-0176 (#894407)

[0.5.3-1]
- update to security 0.5.3 release (#878465)

[0.5.2-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

[0.5.2-1]
- update to 0.5.2 version (#730270)

[0.5.0-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

[0.5.0-1]
- bounce version to 0.5.0 (#709785)
- the support for protocol v1 is disabled

[0.4.8-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

[0.4.8-1]
- bounce version to 0.4.8 (#670456)

[0.4.6-1]
- bounce version to 0.4.6 (#630602)

[0.4.4-1]
- bounce version to 0.4.4 (#598592)

[0.4.3-1]
- bounce version to 0.4.3 (#593288)

[0.4.2-1]
- bounce version to 0.4.2 (#573972)

[0.4.1-1]
- bounce version to 0.4.1 (#565870)

[0.4.0-1]
- bounce version to 0.4.0 (#541010)

[0.3.92-2]
- typo in spec file

[0.3.92-1]
- bounce version to 0.3.92 (0.4 beta2) (#541010)

[0.2-4]
- rebuilt with new openssl

[0.2-3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

[0.2-2]
- Small changes during review

[0.2-1]
- Initial build

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2024-3233.
##

include('compat.inc');

if (description)
{
  script_id(198033);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/28");

  script_cve_id("CVE-2023-6004", "CVE-2023-6918");
  script_xref(name:"IAVA", value:"2023-A-0703");

  script_name(english:"Oracle Linux 8 : libssh (ELSA-2024-3233)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2024-3233 advisory.

    [0.9.6-14]
    - Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
    - Fix CVE-2023-6918 Missing checks for return values for digests
    - Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection
      of malicious code through hostname
    - Note: version is bumped from 12 to 14 directly, as the z-stream
      version in 8.9 also has 13. So bumping it to 14, will prevent
      upgrade conflicts.
    - Resolves:RHEL-19690, RHEL-17244, RHEL-19312

    [0.9.6-12]
    - Fix loglevel regression
    - Related: rhbz#2182251, rhbz#2189742

    [0.9.6-11]
    - .fmf/version is needed to run the tests
    - Related: rhbz#2182251, rhbz#2189742

    [0.9.6-10]
    - Add missing ci.fmf file
    - Related: rhbz#2182251, rhbz#2189742

    [0.9.6-9]
    - Fix covscan errors found at gating
    - Related: rhbz#2182251, rhbz#2189742

    [0.9.6-8]
    - Backport test fixing commits to make the build pass
    - Related: rhbz#2182251, rhbz#2189742

    [0.9.6-7]
    - Fix NULL dereference during rekeying with algorithm guessing
      GHSL-2023-032 / CVE-2023-1667
    - Fix possible authentication bypass
      GHSL 2023-085 / CVE-2023-2283
    - Resolves: rhbz#2182251, rhbz#2189742

    [0.9.6-6]
    - Enable client and server testing build time
    - Fix failing rekey test on arch s390x
    - Resolves: rhbz#2126342

    [0.9.6-5]
    - Fix CI configuration for new TMT
    - Resolves: rhbz#2149910

    [0.9.6-4]
    - Make VERBOSE and lower log levels less verbose
    - Resolves: rhbz#2091512

    [0.9.6-3]
    - Remove STI tests

    [0.9.6-2]
    - Remove bad patch causing errors
    - Adding BuildRequires for openssh (SSHD support)

    [0.9.6-1]
    - Fix CVE-2021-3634: Fix possible heap-buffer overflow when
      rekeying with different key exchange mechanism
    - Rebase to version 0.9.6
    - Rename SSHD_EXECUTABLE to SSH_EXECUTABLE in tests/torture.c
    - Resolves: rhbz#1896651, rhbz#1994600

    [0.9.4-4]
    - Revert previous commit as it is incorrect.

    [0.9.6-1]
    - Fix CVE-2021-3634: Fix possible heap-buffer overflow when
      rekeying with different key exchange mechanism (#1978810)

    [0.9.4-3]
    - Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if
      ssh_buffer_new returns NULL (#1862646)

    [0.9.4-2]
    - Do not return error when server properly closed the channel (#1849071)
    - Add a test for CVE-2019-14889
    - Do not parse configuration file in torture_knownhosts test

    [0.9.4-1]
    - Update to version 0.9.4
      https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
    - Fixed CVE-2019-14889 (#1781782)
    - Fixed CVE-2020-1730 (#1802422)
    - Create missing directories in the path provided for known_hosts files (#1733914)
    - Removed inclusion of OpenSSH server configuration file from
      libssh_server.config (#1821339)

    [0.9.0-4]
    - Skip 1024 bits RSA key generation test in FIPS mode (#1734485)

    [0.9.0-3]
    - Add Obsoletes in libssh-config to avoid conflict with old libssh which
      installed the configuration files.

    [0.9.0-2]
    - Eliminate circular dependency with libssh-config subpackage

    [0.9.0-1]
    - Update to version 0.9.0
      https://www.libssh.org/2019/06/28/libssh-0-9-0/
    - Added explicit Requires for crypto-policies
    - Do not ignore known_hosts keys when SSH_OPTIONS_HOSTKEYS is set
    - Provide the configuration files in a separate libssh-config subpackage

    [0.8.91-0.1]
    - Update to 0.9.0 pre release version (0.8.91)
    - Added default configuration files for client and server
    - Removed unused patch files left behind
    - Fixed issues found to run upstream test suite with SELinux

    [0.8.5-2]
    - Fix more regressions introduced by the fixes for CVE-2018-10933

    [0.8.5-1]
    - Update to version 0.8.5
      * Fixed an issue where global known_hosts file was ignored (#1649321)
      * Fixed ssh_get_fd() to return writable file descriptor (#1649319)
      * Fixed regression introduced in known_hosts parsing (#1649315)
      * Fixed a regression which caused only the first algorithm in known_hosts to
        be considered (#1638790)

    [0.8.3-5]
    - Fix regressions introduced by the fixes for CVE-2018-10933

    [0.8.3-4]
    - Fix for authentication bypass issue in server implementation (#1639926)

    [0.8.3-3]
    - Fixed errors found by static code analysis (#1602594)

    [0.8.3-1]
    - Update to version 0.8.3
      * Added support for rsa-sha2 (#1610882)
      * Added support to parse private keys in openssh container format (other than
        ed25519) (#1622983)
      * Added support for diffie-hellman-group18-sha512 and
        diffie-hellman-group16-sha512 (#1610885)
      * Added ssh_get_fingerprint_hash()
      * Added ssh_pki_export_privkey_base64()
      * Added support for Match keyword in config file
      * Improved performance and reduced memory footprint for sftp
      * Fixed ecdsa publickey auth
      * Fixed reading a closed channel
      * Added support to announce [email protected] and [email protected]
        in the sftp server
      * Use -fstack-protector-strong if possible (#1624135)

    [0.8.1-4]
    - Fix the creation of symbolic links for libssh_threads.so.4

    [0.8.1-3]
    - Add missing Provides for libssh_threads.so.4

    [0.8.1-2]
    - Add Provides for libssh_threads.so to unbreak applications
    - Fix ABIMap detection to not depend on python to build

    [0.8.1-1]
    - Update to version 0.8.1
      https://www.libssh.org/2018/08/13/libssh-0-8-1/

    [0.8.0-1]
    - Update to version 0.8.0
      https://www.libssh.org/2018/08/10/libssh-0-8-0/

    [0.7.5-9]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

    [0.7.5-8]
    - BR: gcc-c++, use %make_build

    [0.7.5-7]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
    - Related: bug#1614611

    [0.7.5-6]
    - resolves: #1540021 - Build against OpenSSL 1.1

    [0.7.5-5]
    - Switch to %ldconfig_scriptlets

    [0.7.5-4]
    - Fix parsing ssh_config

    [0.7.5-3]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

    [0.7.5-2]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

    [0.7.5-1]
    - Update to version 0.7.5

    [0.7.4-2]
    - BR: compat-openssl10-devel (f26+, #1423088)
    - use %license
    - -devel: drop hardcoded pkgconfig dep (let autodeps handle it)
    - %files: track library sonames, simplify -devel
    - %install: use 'install/fast' target
    - .spec cosmetics, drop deprecated %clean section

    [0.7.4-1]
    - Update to version 0.7.4
      * Added id_ed25519 to the default identity list
      * Fixed sftp EOF packet handling
      * Fixed ssh_send_banner() to confirm with RFC 4253
      * Fixed some memory leaks
    - resolves: #1419007

    [0.7.3-1]
    - resolves: #1311259 - Fix CVE-2016-0739
    - resolves: #1311332 - Update to version 0.7.3
      * Fixed CVE-2016-0739
      * Fixed ssh-agent on big endian
      * Fixed some documentation issues
    - Enabled GSSAPI support

    [0.7.2-3]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

    [0.7.2-2]
    - resolves: #1271230 - Fix ssh-agent support on big endian

    [0.7.2-1]
    - Update to version 0.7.2
      * Fixed OpenSSL detection on Windows
      * Fixed return status for ssh_userauth_agent()
      * Fixed KEX to prefer hmac-sha2-256
      * Fixed sftp packet handling
      * Fixed return values of ssh_key_is_(public|private)
      * Fixed bug in global success reply
    - resolves: #1267346

    [0.7.1-1]
    - Update to version 0.7.1
      * Fixed SSH_AUTH_PARTIAL auth with auto public key
      * Fixed memory leak in session options
      * Fixed allocation of ed25519 public keys
      * Fixed channel exit-status and exit-signal
      * Reintroduce ssh_forward_listen()

    [0.7.0-3]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

    [0.7.0-2]
    - Add patch to fix undefined symbol: ssh_forward_listen (bug #1221310)

    [0.7.0-1]
    - Update to version 0.7.0
      * Added support for ed25519 keys
      * Added SHA2 algorithms for HMAC
      * Added improved and more secure buffer handling code
      * Added callback for auth_none_function
      * Added support for ECDSA private key signing
      * Added more tests
      * Fixed a lot of bugs
      * Improved API documentation

    [0.6.5-1]
    - resolves: #1213775 - Security fix for CVE-2015-3146
    - resolves: #1218076 - Security fix for CVE-2015-3146

    [0.6.4-1]
    - Security fix for CVE-2014-8132.

    [0.6.3-3]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

    [0.6.3-2]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

    [0.6.3-1]
    - Fix CVE-2014-0017.

    [0.6.1-1]
    - Update to version 0.6.1.
    - resolves: #1056757 - Fix scp mode.
    - resolves: #1053305 - Fix known_hosts heuristic.

    [0.6.0-1]
    - Update to 0.6.0

    [0.5.5-1]
    - Update to 0.5.5.
    - Clenup the spec file.

    [0.5.4-5]
    - Add EPEL 5 support.
    - Add Debian patches to enable Doxygen documentation.

    [0.5.4-4]
    - Add patch for #982685.

    [0.5.4-3]
    - Clean up SPEC file and fix rpmlint complaints.

    [0.5.4-2]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

    [0.5.4-1]
    - update to security 0.5.4 release
    - CVE-2013-0176 (#894407)

    [0.5.3-1]
    - update to security 0.5.3 release (#878465)

    [0.5.2-2]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

    [0.5.2-1]
    - update to 0.5.2 version (#730270)

    [0.5.0-2]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

    [0.5.0-1]
    - bounce versionn to 0.5.0 (#709785)
    - the support for protocol v1 is disabled

    [0.4.8-2]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

    [0.4.8-1]
    - bounce versionn to 0.4.8 (#670456)

    [0.4.6-1]
    - bounce versionn to 0.4.6 (#630602)

    [0.4.4-1]
    - bounce versionn to 0.4.4 (#598592)

    [0.4.3-1]
    - bounce versionn to 0.4.3 (#593288)

    [0.4.2-1]
    - bounce versionn to 0.4.2 (#573972)

    [0.4.1-1]
    - bounce versionn to 0.4.1 (#565870)

    [0.4.0-1]
    - bounce versionn to 0.4.0 (#541010)

    [0.3.92-2]
    - typo in spec file

    [0.3.92-1]
    - bounce versionn to 0.3.92 (0.4 beta2) (#541010)

    [0.2-4]
    - rebuilt with new openssl

    [0.2-3]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

    [0.2-2]
    - Small changes during review

    [0.2-1]
    - Initial build

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2024-3233.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected libssh, libssh-config and / or libssh-devel packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-6004");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/12/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/05/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:linux:8:10:appstream_base");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:linux:8::appstream");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:8:10:baseos_base");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:8::baseos_latest");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libssh-config");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libssh-devel");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);

var pkgs = [
    {'reference':'libssh-0.9.6-14.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libssh-config-0.9.6-14.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libssh-devel-0.9.6-14.el8', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libssh-0.9.6-14.el8', 'cpu':'i686', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libssh-devel-0.9.6-14.el8', 'cpu':'i686', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libssh-0.9.6-14.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libssh-config-0.9.6-14.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libssh-devel-0.9.6-14.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release) {
    if (exists_check) {
        if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libssh / libssh-config / libssh-devel');
}
Vendor  Product  Version        CPE
oracle  linux    8              cpe:/a:oracle:linux:8:10:appstream_base
oracle  linux    8              cpe:/o:oracle:linux:8::baseos_latest
oracle  linux    libssh-config  p-cpe:/a:oracle:linux:libssh-config
oracle  linux    8              cpe:/o:oracle:linux:8:10:baseos_base
oracle  linux    8              cpe:/o:oracle:linux:8
oracle  linux    libssh         p-cpe:/a:oracle:linux:libssh
oracle  linux    8              cpe:/a:oracle:linux:8::appstream
oracle  linux    libssh-devel   p-cpe:/a:oracle:linux:libssh-devel
