Lucene search
This script is Copyright (C) 2017-2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT-RHSA-2017-3277.NASLHistoryNov 30, 2017 - 12:00 a.m.
RHEL 7 : tcmu-runner (RHSA-2017:3277)
2017-11-3000:00:00
This script is Copyright (C) 2017-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
6.7
Confidence
High
EPSS
0.002
Percentile
55.1%
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2017:3277 advisory.
The tcmu-runner packages provide a service that handles the complexity of the LIO kernel target's userspace passthrough interface (TCMU). It presents a C plugin API for extension modules that handle SCSI requests in ways not possible or suitable to be handled by LIO's in-kernel backstores.
Security Fix(es):
* A flaw was found in the implementation of CheckConfig method in handler_glfs.so of the tcmu-runner daemon. A local, non-root user with access to the D-Bus system bus could send a specially crafted string to CheckConfig method resulting in various kinds of segmentation fault. (CVE-2017-1000198)
* A NULL pointer dereference flaw was found in the UnregisterHandler method implemented in the tcmu-runner daemon. A local, non-root user with access to the D-Bus system bus could call the UnregisterHandler method with the name of a handler loaded internally in tcmu-runner via dlopen() to trigger DoS.
(CVE-2017-1000200)
* A NULL pointer dereference flaw was found in the UnregisterHandler method implemented in the tcmu-runner daemon. A local, non-root user with access to the D-Bus system bus could call UnregisterHandler method with non-existing tcmu handler as paramater to trigger DoS. (CVE-2017-1000201)
* A file information leak flaw was found in implementation of the CheckConfig method in handler_qcow.so of the tcmu-runner daemon. A local, non-root user with access to the D-Bus system bus could use this flaw to leak arbitrary file names which might not be retrievable by non-root user. (CVE-2017-1000199)
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2017:3277. The text
# itself is copyright (C) Red Hat, Inc.
#
include('compat.inc');
if (description)
{
script_id(104865);
script_version("3.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");
script_cve_id(
"CVE-2017-1000198",
"CVE-2017-1000199",
"CVE-2017-1000200",
"CVE-2017-1000201"
);
script_xref(name:"RHSA", value:"2017:3277");
script_name(english:"RHEL 7 : tcmu-runner (RHSA-2017:3277)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates for tcmu-runner.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2017:3277 advisory.
The tcmu-runner packages provide a service that handles the complexity of the LIO kernel target's
userspace passthrough interface (TCMU). It presents a C plugin API for extension modules that handle SCSI
requests in ways not possible or suitable to be handled by LIO's in-kernel backstores.
Security Fix(es):
* A flaw was found in the implementation of CheckConfig method in handler_glfs.so of the tcmu-runner
daemon. A local, non-root user with access to the D-Bus system bus could send a specially crafted string
to CheckConfig method resulting in various kinds of segmentation fault. (CVE-2017-1000198)
* A NULL pointer dereference flaw was found in the UnregisterHandler method implemented in the tcmu-runner
daemon. A local, non-root user with access to the D-Bus system bus could call the UnregisterHandler method
with the name of a handler loaded internally in tcmu-runner via dlopen() to trigger DoS.
(CVE-2017-1000200)
* A NULL pointer dereference flaw was found in the UnregisterHandler method implemented in the tcmu-runner
daemon. A local, non-root user with access to the D-Bus system bus could call UnregisterHandler method
with non-existing tcmu handler as paramater to trigger DoS. (CVE-2017-1000201)
* A file information leak flaw was found in implementation of the CheckConfig method in handler_qcow.so of
the tcmu-runner daemon. A local, non-root user with access to the D-Bus system bus could use this flaw to
leak arbitrary file names which might not be retrievable by non-root user. (CVE-2017-1000199)
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://access.redhat.com/security/data/csaf/v2/advisories/2017/rhsa-2017_3277.json
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e63267ce");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2017:3277");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#moderate");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1472332");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1487246");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1487247");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1487251");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1487252");
script_set_attribute(attribute:"solution", value:
"Update the RHEL tcmu-runner package based on the guidance in RHSA-2017:3277.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1000199");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(200, 416, 476);
script_set_attribute(attribute:"vendor_severity", value:"Moderate");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/17");
script_set_attribute(attribute:"patch_publication_date", value:"2017/11/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/30");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtcmu");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtcmu-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tcmu-runner");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2017-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("redhat_repos.nasl", "ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'repo_relative_urls': [
'content/dist/rhel/server/7/7Server/x86_64/rhgs-server/3.1/debug',
'content/dist/rhel/server/7/7Server/x86_64/rhgs-server/3.1/os',
'content/dist/rhel/server/7/7Server/x86_64/rhgs-server/3.1/source/SRPMS'
],
'pkgs': [
{'reference':'libtcmu-1.2.0-16.el7rhgs', 'cpu':'x86_64', 'release':'7', 'el_string':'el7rhgs', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'glusterfs'},
{'reference':'libtcmu-devel-1.2.0-16.el7rhgs', 'cpu':'x86_64', 'release':'7', 'el_string':'el7rhgs', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'glusterfs'},
{'reference':'tcmu-runner-1.2.0-16.el7rhgs', 'cpu':'x86_64', 'release':'7', 'el_string':'el7rhgs', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'glusterfs'}
]
}
];
var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];
foreach var pkg ( constraint_array['pkgs'] ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (reference &&
_release &&
rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
(applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&
rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
else extra = rpm_report_get();
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : extra
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libtcmu / libtcmu-devel / tcmu-runner');
}
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000198
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000199
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000200
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000201
www.nessus.org/u?e63267ce
access.redhat.com/errata/RHSA-2017:3277
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1472332
bugzilla.redhat.com/show_bug.cgi?id=1487246
bugzilla.redhat.com/show_bug.cgi?id=1487247
bugzilla.redhat.com/show_bug.cgi?id=1487251
bugzilla.redhat.com/show_bug.cgi?id=1487252
Related
redhat
redhat
(RHSA-2017:3277) Moderate: tcmu-runner security update
2017-11-29 03:21:45
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2017:2601-1)
2021-04-19 00:00:00
nessus
nessus
SUSE SLES12 Security Update : tcmu-runner (SUSE-SU-2017:2601-1)
2017-10-02 00:00:00
osv
osv
CVE-2017-1000198
2017-11-17 02:29:00
CVE-2017-1000201
2017-11-17 02:29:01
CVE-2017-1000200
2017-11-17 02:29:00
nvd
nvd
CVE-2017-1000201
2017-11-17 02:29:01
CVE-2017-1000198
2017-11-17 02:29:00
CVE-2017-1000200
2017-11-17 02:29:00
cvelist
cvelist
CVE-2017-1000198
2017-11-17 02:00:00
CVE-2017-1000201
2017-11-17 02:00:00
CVE-2017-1000200
2017-11-17 02:00:00
cve
cve
CVE-2017-1000198
2017-11-17 02:29:00
CVE-2017-1000200
2017-11-17 02:29:00
CVE-2017-1000201
2017-11-17 02:29:01
prion
prion
Design/Logic Flaw
2017-11-17 02:29:00
Design/Logic Flaw
2017-11-17 02:29:00
Null pointer dereference
2017-11-17 02:29:00
veracode
veracode
NULL Pointer Dereference
2019-05-02 06:37:57
Denial Of Service (DoS)
2019-01-15 09:19:59
Denial Of Service (DoS)
2019-05-02 06:37:57
redhatcve
redhatcve
CVE-2017-1000201
2017-08-31 13:49:13
CVE-2017-1000200
2017-08-31 13:49:27
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
6.7
Confidence
High
EPSS
0.002
Percentile
55.1%
Related for REDHAT-RHSA-2017-3277.NASL