RHEL 6 : rhev-hypervisor6 (RHSA-2012:0109)

2014-11-1700:00:00

www.tenable.com

CVSS2

7.4

Attack Vector

ADJACENT_NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:A/AC:M/Au:S/C:C/I:C/A:C

AI Score

7.6

Confidence

Low

EPSS

0.185

Percentile

96.2%

JSON

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0109 advisory.

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization     Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor     is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes     everything necessary to run and manage virtual machines: A subset of the     Red Hat Enterprise Linux operating environment and the Red Hat Enterprise     Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for     the Intel 64 and AMD64 architectures with virtualization extensions.

A heap overflow flaw was found in the way QEMU-KVM emulated the e1000     network interface card. A privileged guest user in a virtual machine whose     network interface is configured to use the e1000 emulated driver could use     this flaw to crash the host or, possibly, escalate their privileges on the     host. (CVE-2012-0029)

An information leak flaw was found in the SSL 3.0 protocol implementation     in OpenSSL. Incorrect initialization of SSL record padding bytes could     cause an SSL client or server to send a limited amount of possibly     sensitive data to its SSL peer via the encrypted connection.
(CVE-2011-4576)

A denial of service flaw was found in the RFC 3779 implementation in     OpenSSL. A remote attacker could use this flaw to make an application using     OpenSSL exit unexpectedly by providing a specially-crafted X.509     certificate that has malformed RFC 3779 extension data. (CVE-2011-4577)

It was discovered that OpenSSL did not limit the number of TLS/SSL     handshake restarts required to support Server Gated Cryptography. A remote     attacker could use this flaw to make a TLS/SSL server using OpenSSL consume     an excessive amount of CPU by continuously restarting the handshake.
(CVE-2011-4619)

Red Hat would like to thank Nicolae Mogoreanu for reporting CVE-2012-0029.

This updated package provides updated components that include fixes for     various security issues. These issues have no security impact on Red Hat     Enterprise Virtualization Hypervisor itself, however. The security fixes     included in this update address the following CVE numbers:

CVE-2009-5029 and CVE-2011-4609 (glibc issues)

CVE-2012-0056 (kernel issue)

CVE-2011-4108 and CVE-2012-0050 (openssl issues)

This update also fixes the following bugs:

* Previously, it was possible to begin a Hypervisor installation without     any valid disks to install to.

Now, if no valid disks are found for Hypervisor installation, a message is     displayed informing the user that there are no valid disks for     installation. (BZ#781471)

* Previously, the user interface for the Hypervisor did not indicate     whether the system was registered with Red Hat Network (RHN) Classic or RHN     Satellite. As a result, customers could not easily determine the     registration status of their Hypervisor installations.

The TUI has been updated to display the registration status of the     Hypervisor. (BZ#788223)

* Previously, autoinstall would fail if the firstboot or reinstall options     were passed but local_boot or upgrade were not passed. Now, neither the     local_boot or upgrade parameters are required for autoinstall. (BZ#788225)

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to     upgrade to this updated package, which fixes these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2012:0109. The text 
# itself is copyright (C) Red Hat, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(79282);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");

  script_cve_id(
    "CVE-2011-4576",
    "CVE-2011-4577",
    "CVE-2011-4619",
    "CVE-2012-0029"
  );
  script_bugtraq_id(51281, 51642);
  script_xref(name:"RHSA", value:"2012:0109");

  script_name(english:"RHEL 6 : rhev-hypervisor6 (RHSA-2012:0109)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates for rhev-hypervisor6.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2012:0109 advisory.

    The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization
    Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor
    is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes
    everything necessary to run and manage virtual machines: A subset of the
    Red Hat Enterprise Linux operating environment and the Red Hat Enterprise
    Virtualization Agent.

    Note: Red Hat Enterprise Virtualization Hypervisor is only available for
    the Intel 64 and AMD64 architectures with virtualization extensions.

    A heap overflow flaw was found in the way QEMU-KVM emulated the e1000
    network interface card. A privileged guest user in a virtual machine whose
    network interface is configured to use the e1000 emulated driver could use
    this flaw to crash the host or, possibly, escalate their privileges on the
    host. (CVE-2012-0029)

    An information leak flaw was found in the SSL 3.0 protocol implementation
    in OpenSSL. Incorrect initialization of SSL record padding bytes could
    cause an SSL client or server to send a limited amount of possibly
    sensitive data to its SSL peer via the encrypted connection.
    (CVE-2011-4576)

    A denial of service flaw was found in the RFC 3779 implementation in
    OpenSSL. A remote attacker could use this flaw to make an application using
    OpenSSL exit unexpectedly by providing a specially-crafted X.509
    certificate that has malformed RFC 3779 extension data. (CVE-2011-4577)

    It was discovered that OpenSSL did not limit the number of TLS/SSL
    handshake restarts required to support Server Gated Cryptography. A remote
    attacker could use this flaw to make a TLS/SSL server using OpenSSL consume
    an excessive amount of CPU by continuously restarting the handshake.
    (CVE-2011-4619)

    Red Hat would like to thank Nicolae Mogoreanu for reporting CVE-2012-0029.

    This updated package provides updated components that include fixes for
    various security issues. These issues have no security impact on Red Hat
    Enterprise Virtualization Hypervisor itself, however. The security fixes
    included in this update address the following CVE numbers:

    CVE-2009-5029 and CVE-2011-4609 (glibc issues)

    CVE-2012-0056 (kernel issue)

    CVE-2011-4108 and CVE-2012-0050 (openssl issues)

    This update also fixes the following bugs:

    * Previously, it was possible to begin a Hypervisor installation without
    any valid disks to install to.

    Now, if no valid disks are found for Hypervisor installation, a message is
    displayed informing the user that there are no valid disks for
    installation. (BZ#781471)

    * Previously, the user interface for the Hypervisor did not indicate
    whether the system was registered with Red Hat Network (RHN) Classic or RHN
    Satellite. As a result, customers could not easily determine the
    registration status of their Hypervisor installations.

    The TUI has been updated to display the registration status of the
    Hypervisor. (BZ#788223)

    * Previously, autoinstall would fail if the firstboot or reinstall options
    were passed but local_boot or upgrade were not passed. Now, neither the
    local_boot or upgrade parameters are required for autoinstall. (BZ#788225)

    Users of the Red Hat Enterprise Virtualization Hypervisor are advised to
    upgrade to this updated package, which fixes these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#important");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=771775");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=771778");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=771780");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=772075");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=781472");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=788225");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=788226");
  # http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html/Technical_Notes/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?547dba9a");
  # https://access.redhat.com/security/data/csaf/v2/advisories/2012/rhsa-2012_0109.json
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?62eb2df3");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2012:0109");
  script_set_attribute(attribute:"solution", value:
"Update the RHEL rhev-hypervisor6 package based on the guidance in RHSA-2012:0109.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-0029");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2011-4619");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(119);
  script_set_attribute(attribute:"vendor_severity", value:"Important");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/01/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/02/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("redhat_repos.nasl", "ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'repo_relative_urls': [
      'content/dist/rhel/client/6/6Client/i386/rhv-agent/4/debug',
      'content/dist/rhel/client/6/6Client/i386/rhv-agent/4/os',
      'content/dist/rhel/client/6/6Client/i386/rhv-agent/4/source/SRPMS',
      'content/dist/rhel/client/6/6Client/x86_64/rhv-agent/4/debug',
      'content/dist/rhel/client/6/6Client/x86_64/rhv-agent/4/os',
      'content/dist/rhel/client/6/6Client/x86_64/rhv-agent/4/source/SRPMS',
      'content/dist/rhel/server/6/6Server/i386/rhv-agent/4/debug',
      'content/dist/rhel/server/6/6Server/i386/rhv-agent/4/os',
      'content/dist/rhel/server/6/6Server/i386/rhv-agent/4/source/SRPMS',
      'content/dist/rhel/server/6/6Server/x86_64/rhevh/debug',
      'content/dist/rhel/server/6/6Server/x86_64/rhevh/os',
      'content/dist/rhel/server/6/6Server/x86_64/rhevh/source/SRPMS',
      'content/dist/rhel/server/6/6Server/x86_64/rhv-agent/4/debug',
      'content/dist/rhel/server/6/6Server/x86_64/rhv-agent/4/os',
      'content/dist/rhel/server/6/6Server/x86_64/rhv-agent/4/source/SRPMS',
      'content/dist/rhel/workstation/6/6Workstation/i386/rhv-agent/4/debug',
      'content/dist/rhel/workstation/6/6Workstation/i386/rhv-agent/4/os',
      'content/dist/rhel/workstation/6/6Workstation/i386/rhv-agent/4/source/SRPMS',
      'content/dist/rhel/workstation/6/6Workstation/x86_64/rhv-agent/4/debug',
      'content/dist/rhel/workstation/6/6Workstation/x86_64/rhv-agent/4/os',
      'content/dist/rhel/workstation/6/6Workstation/x86_64/rhv-agent/4/source/SRPMS'
    ],
    'pkgs': [
      {'reference':'rhev-hypervisor6-6.2-20120209.0.el6_2', 'release':'6', 'el_string':'el6_2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'ovirt-'},
      {'reference':'rhev-hypervisor6-tools-6.2-20120209.0.el6_2', 'release':'6', 'el_string':'el6_2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'ovirt-'}
    ]
  }
];

var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);

var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];
  foreach var pkg ( constraint_array['pkgs'] ) {
    var reference = NULL;
    var _release = NULL;
    var sp = NULL;
    var _cpu = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var epoch = NULL;
    var allowmaj = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        _release &&
        rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
        (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&
        rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
  else extra = rpm_report_get();
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : extra
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'rhev-hypervisor6 / rhev-hypervisor6-tools');
}

VendorProductVersionCPE
redhatenterprise_linuxrhev-hypervisor6p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6
redhatenterprise_linux6cpe:/o:redhat:enterprise_linux:6
redhatenterprise_linuxrhev-hypervisor6-toolsp-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6-tools

Vendor	Product	Version	CPE
redhat	enterprise_linux	rhev-hypervisor6	p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6
redhat	enterprise_linux	6	cpe:/o:redhat:enterprise_linux:6
redhat	enterprise_linux	rhev-hypervisor6-tools	p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6-tools