nessus
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
REDHAT-RHSA-2012-1542.NASL
History: Apr 27, 2024 - 12:00 a.m.

RHEL 6 : CloudForms Commons 1.1 (RHSA-2012:1542)

www.tenable.com
rhel 6
cloudforms commons
multiple vulnerabilities
puppet
rubygem-mail
rubygem-actionpack
rubygem-activerecord
filebucket
directory traversal
arbitrary code execution
sql injection
denial of service
dos vulnerability
xss vulnerability
insufficient validation

CVSS2: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score: 9.1
Confidence: High

EPSS: 0.06
Percentile: 93.6%

The remote Red Hat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1542 advisory.

Red Hat CloudForms is an on-premise hybrid cloud Infrastructure-as-a-Service (IaaS) product that lets you create and manage private and public clouds.

Multiple input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform an SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695)

Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack. (CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)

A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424)

An input validation flaw was found in rubygem-mail's Exim and Sendmail delivery methods. A remote attacker could use this flaw to execute arbitrary commands with the privileges of an application using rubygem-mail. (CVE-2012-2140)

A directory traversal flaw was found in rubygem-mail's file delivery method. A remote attacker could use this flaw to send a mail with a specially crafted To: header and write to files with the privileges of an application using rubygem-mail. (CVE-2012-2139)

Puppet was updated to version 2.6.17, which fixes multiple security issues. These issues are not exposed by CloudForms. (CVE-2012-1986, CVE-2012-1987, CVE-2012-1988, CVE-2012-3864, CVE-2012-3865, CVE-2012-3867)

Red Hat would like to thank Puppet Labs for reporting CVE-2012-1988, CVE-2012-1986, CVE-2012-1987, CVE-2012-3864, CVE-2012-3865, and CVE-2012-3867.

Users are advised to upgrade to these CloudForms Commons packages, which resolve these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2012:1542. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(193969);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");

  script_cve_id(
    "CVE-2012-1986",
    "CVE-2012-1987",
    "CVE-2012-1988",
    "CVE-2012-2139",
    "CVE-2012-2140",
    "CVE-2012-2660",
    "CVE-2012-2661",
    "CVE-2012-2694",
    "CVE-2012-2695",
    "CVE-2012-3424",
    "CVE-2012-3463",
    "CVE-2012-3464",
    "CVE-2012-3465",
    "CVE-2012-3864",
    "CVE-2012-3865",
    "CVE-2012-3867"
  );
  script_xref(name:"RHSA", value:"2012:1542");

  script_name(english:"RHEL 6 : CloudForms Commons 1.1 (RHSA-2012:1542)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates for CloudForms Commons 1.1.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2012:1542 advisory.

    Red Hat CloudForms is an on-premise hybrid cloud
    Infrastructure-as-a-Service (IaaS) product that lets you create and manage
    private and public clouds.

    Multiple input validation vulnerabilities were discovered in
    rubygem-activerecored. A remote attacker could possibly use these flaws
    to perform an SQL injection attack against an application using
    rubygem-activerecord. (CVE-2012-2660, CVE-2012-2661, CVE-2012-2694,
    CVE-2012-2695)

    Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack.
    A remote attacker could use these flaws to conduct XSS attacks against
    users of an application using rubygem-actionpack. (CVE-2012-3463,
    CVE-2012-3464, CVE-2012-3465)

    A flaw was found in the HTTP digest authentication implementation in
    rubygem-actionpack. A remote attacker could use this flaw to cause a
    denial of service of an application using rubygem-actionpack and digest
    authentication. (CVE-2012-3424)

    An input validation flaw was found in rubygem-mail's Exim and Sendmail
    delivery methods. A remote attacker could use this flaw to execute
    arbitrary commands with the privileges of an application using
    rubygem-mail. (CVE-2012-2140)

    A directory traversal flaw was found in rubygem-mail's file delivery
    method. A remote attacker could use this flaw to send a mail with a
    specially crafted To: header and write to files with the privileges of
    an application using rubygem-mail. (CVE-2012-2139)

    Puppet was updated to version 2.6.17, which fixes multiple security
    issues. These issues are not exposed by CloudForms. (CVE-2012-1986,
    CVE-2012-1987, CVE-2012-1988, CVE-2012-3864, CVE-2012-3865, CVE-2012-3867)

    Red Hat would like to thank Puppet Labs for reporting CVE-2012-1988,
    CVE-2012-1986, CVE-2012-1987, CVE-2012-3864, CVE-2012-3865, and
    CVE-2012-3867.

    Users are advised to upgrade to these CloudForms Commons packages, which
    resolve these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#moderate");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=810069");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=810070");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=810071");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=816352");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=827353");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=827363");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=831573");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=831581");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=839130");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=839131");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=839158");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=843711");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=847196");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=847199");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=847200");
  # https://access.redhat.com/security/data/csaf/v2/advisories/2012/rhsa-2012_1542.json
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a71de871");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2012:1542");
  script_set_attribute(attribute:"solution", value:
"Update the RHEL CloudForms Commons 1.1 package based on the guidance in RHSA-2012:1542.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-2695");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(78, 79, 89, 305);
  script_set_attribute(attribute:"vendor_severity", value:"Moderate");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/12/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:converge-ui-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:puppet");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:puppet-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-actionpack");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-activerecord");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-activesupport");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-chunky_png");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-compass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-compass-960-plugin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-compass-960-plugin-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-delayed_job");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-delayed_job-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-ldap_fluff");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-mail");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-mail-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-net-ldap");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'repo_relative_urls': [
      'content/dist/rhel/server/6/6Server/x86_64/cf-ce/1/debug',
      'content/dist/rhel/server/6/6Server/x86_64/cf-ce/1/os',
      'content/dist/rhel/server/6/6Server/x86_64/cf-ce/1/source/SRPMS',
      'content/dist/rhel/server/6/6Server/x86_64/cf-se/1/debug',
      'content/dist/rhel/server/6/6Server/x86_64/cf-se/1/os',
      'content/dist/rhel/server/6/6Server/x86_64/cf-se/1/source/SRPMS'
    ],
    'pkgs': [
      {'reference':'converge-ui-devel-1.0.4-1.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'puppet-2.6.17-2.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'puppet-server-2.6.17-2.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'rubygem-actionpack-3.0.10-10.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'cfme-'},
      {'reference':'rubygem-activerecord-3.0.10-6.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'cfme-'},
      {'reference':'rubygem-activesupport-3.0.10-4.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'cfme-'},
      {'reference':'rubygem-chunky_png-1.2.0-3.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'rubygem-compass-0.11.5-2.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'rubygem-compass-960-plugin-0.10.4-2.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'rubygem-compass-960-plugin-doc-0.10.4-2.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'rubygem-delayed_job-2.1.4-2.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'rubygem-delayed_job-doc-2.1.4-2.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'rubygem-ldap_fluff-0.1.3-1.el6_3', 'release':'6', 'el_string':'el6_3', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'rubygem-mail-2.3.0-3.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'rubygem-mail-doc-2.3.0-3.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'},
      {'reference':'rubygem-net-ldap-0.1.1-3.el6cf', 'release':'6', 'el_string':'el6cf', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'cfme-'}
    ]
  }
];

var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);

var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];
  foreach var pkg ( constraint_array['pkgs'] ) {
    var reference = NULL;
    var _release = NULL;
    var sp = NULL;
    var _cpu = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var epoch = NULL;
    var allowmaj = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        _release &&
        rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
        (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&
        rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
  else extra = rpm_report_get();
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : extra
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'converge-ui-devel / puppet / puppet-server / rubygem-actionpack / etc');
}
