nessus
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
REDHAT_UNPATCHED-BINUTILS-RHEL8.NASL
History: May 11, 2024 - 12:00 a.m.

RHEL 8 : binutils (Unpatched Vulnerability)

2024-05-11 00:00:00
www.tenable.com
Tags: rhel 8, binutils, unpatched vulnerabilities, heap-based buffer overflow, integer overflow, denial of service, excessive memory consumption

AI Score: 7.9 High (Confidence: High)

EPSS: 0.014 Low (Percentile: 86.3%)

The remote Red Hat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • binutils: heap-based buffer overflow in finish_stab in stabs.c (CVE-2018-12699)

  • binutils version 2.32 and earlier contains an integer overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound, bfd_canonicalize_dynamic_reloc that can result in an integer overflow triggering a heap overflow. Successful exploitation allows execution of arbitrary code. This attack appears to be exploitable locally. This vulnerability appears to have been fixed after commit 3a551c7a1b80fca579461774860574eabfd7f18f. (CVE-2018-1000876)

  • The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c. (CVE-2018-10534)

  • The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a SECTION type that has a 0 value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy. (CVE-2018-10535)

  • An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new. (CVE-2018-12641)

  • A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump. (CVE-2018-12697)

  • demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump. (CVE-2018-12698)

  • Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none (CVE-2018-12700)

  • remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt. (CVE-2018-12934)

  • The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm. (CVE-2018-13033)

  • An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function. (CVE-2018-17794)

  • An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many ‘P’ characters. (CVE-2018-17985)

  • An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The vulnerability causes a segmentation fault and application crash, which leads to denial of service, as demonstrated by objdump, because of missing _bfd_clear_contents bounds checking. (CVE-2018-18309)

  • The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt. (CVE-2018-18483)

  • An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type. (CVE-2018-18484)

  • A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld. (CVE-2018-18605)

  • An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld. (CVE-2018-18606)

  • An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld. (CVE-2018-18607)

  • An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm. (CVE-2018-18700)

  • An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm. (CVE-2018-18701)

  • An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c. (CVE-2018-19932)

  • The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm. (CVE-2018-20002)

  • In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file. (CVE-2018-20623)

  • A NULL pointer dereference was discovered in elf_link_add_object_symbols in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31.1. This occurs for a crafted ET_DYN with no program headers. A specially crafted ELF file allows remote attackers to cause a denial of service, as demonstrated by ld. (CVE-2018-20651)

  • load_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow vulnerability that can trigger a heap-based buffer overflow via a crafted section size. (CVE-2018-20671)

  • The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment. (CVE-2018-6872)

  • An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls. (CVE-2019-9071)

  • An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c. (CVE-2019-9075)

  • An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section. (CVE-2019-9077)

  • A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability. (CVE-2021-20284)

  • An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils. (CVE-2023-25584)

  • A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service. (CVE-2023-25585)

  • A flaw was found in Binutils. The field the_bfd of the asymbol struct is uninitialized in the bfd_mach_o_get_synthetic_symtab function, which may lead to an application crash and local denial of service. (CVE-2023-25588)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory binutils. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(195444);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2018-6872",
    "CVE-2018-10534",
    "CVE-2018-10535",
    "CVE-2018-12641",
    "CVE-2018-12697",
    "CVE-2018-12698",
    "CVE-2018-12699",
    "CVE-2018-12700",
    "CVE-2018-12934",
    "CVE-2018-13033",
    "CVE-2018-17794",
    "CVE-2018-17985",
    "CVE-2018-18309",
    "CVE-2018-18483",
    "CVE-2018-18484",
    "CVE-2018-18605",
    "CVE-2018-18606",
    "CVE-2018-18607",
    "CVE-2018-18700",
    "CVE-2018-18701",
    "CVE-2018-19932",
    "CVE-2018-20002",
    "CVE-2018-20623",
    "CVE-2018-20651",
    "CVE-2018-20671",
    "CVE-2018-1000876",
    "CVE-2019-9071",
    "CVE-2019-9075",
    "CVE-2019-9077",
    "CVE-2021-20284",
    "CVE-2023-25584",
    "CVE-2023-25585",
    "CVE-2023-25588"
  );

  script_name(english:"RHEL 8 : binutils (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 8 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - binutils: heap-based buffer overflow in finish_stab in stabs.c (CVE-2018-12699)

  - binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump,
    bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow
    trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to
    be exploitable via Local. This vulnerability appears to have been fixed in after commit
    3a551c7a1b80fca579461774860574eabfd7f18f. (CVE-2018-1000876)

  - The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD)
    library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with
    an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address
    exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy
    copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c. (CVE-2018-10534)

  - The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as
    distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab
    entry with a SECTION type that has a 0 value, which allows remote attackers to cause a denial of
    service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.
    (CVE-2018-10535)

  - An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30.
    Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive
    stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg,
    demangle_args, and demangle_nested_args. This can occur during execution of nm-new. (CVE-2018-12641)

  - A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in
    work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can
    occur during execution of objdump. (CVE-2018-12697)

  - demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers
    to trigger excessive memory consumption (aka OOM) during the Create an array for saving the template
    argument values XNEWVEC call. This can occur during execution of objdump. (CVE-2018-12698)

  - Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn
    by its CNA. Further investigation showed that it was not a security issue. Notes: none (CVE-2018-12700)

  - remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to
    trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.
    (CVE-2018-12934)

  - The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote
    attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted
    ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can
    occur during execution of nm. (CVE-2018-13033)

  - An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a
    NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.
    (CVE-2018-17794)

  - An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a
    stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in
    certain scenarios involving many 'P' characters. (CVE-2018-17985)

  - An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
    Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The
    vulnerability causes a segmentation fault and application crash, which leads to denial of service, as
    demonstrated by objdump, because of missing _bfd_clear_contents bounds checking. (CVE-2018-18309)

  - The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote
    attackers to cause a denial of service (malloc called with the result of an integer-overflowing
    calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.
    (CVE-2018-18483)

  - An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack
    Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption
    problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.
    (CVE-2018-18484)

  - A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the
    Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because
    _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. A specially
    crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld. (CVE-2018-18605)

  - An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD)
    library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in
    _bfd_add_merge_section when attempting to merge sections with large alignments. A specially crafted ELF
    allows remote attackers to cause a denial of service, as demonstrated by ld. (CVE-2018-18606)

  - An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library
    (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in
    elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. A specially crafted ELF
    allows remote attackers to cause a denial of service, as demonstrated by ld. (CVE-2018-18607)

  - An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a
    stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(),
    and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-
    of-service via an ELF file, as demonstrated by nm. (CVE-2018-18700)

  - An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a
    stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and
    cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a
    denial-of-service via an ELF file, as demonstrated by nm. (CVE-2018-18701)

  - An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
    Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA
    macro in elf.c. (CVE-2018-19932)

  - The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka
    libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a
    denial of service (memory consumption), as demonstrated by nm. (CVE-2018-20002)

  - In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the
    process_archive function in readelf.c via a crafted ELF file. (CVE-2018-20623)

  - A NULL pointer dereference was discovered in elf_link_add_object_symbols in elflink.c in the Binary File
    Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31.1. This occurs for a crafted
    ET_DYN with no program headers. A specially crafted ELF file allows remote attackers to cause a denial of
    service, as demonstrated by ld. (CVE-2018-20651)

  - load_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow
    vulnerability that can trigger a heap-based buffer overflow via a crafted section size. (CVE-2018-20671)

  - The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as
    distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read
    and segmentation violation) via a note with a large alignment. (CVE-2018-6872)

  - An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption
    issue in d_count_templates_scopes in cp-demangle.c after many recursive calls. (CVE-2019-9071)

  - An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
    Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.
    (CVE-2019-9075)

  - An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific
    in readelf.c via a malformed MIPS option section. (CVE-2019-9077)

  - A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in
    _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The
    highest threat from this vulnerability is to system availability. (CVE-2021-20284)

  - An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.
    (CVE-2023-25584)

  - A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to
    application crash and local denial of service. (CVE-2023-25585)

  - A flaw was found in Binutils. The field `the_bfd` of `asymbol`struct is uninitialized in the
    `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of
    service. (CVE-2023-25588)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-12699");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:binutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:binutils220");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gcc-toolset-10-binutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gcc-toolset-11-binutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gcc-toolset-12-binutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mingw-binutils");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'binutils', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'binutils', 'cves':['CVE-2018-6872', 'CVE-2018-12641', 'CVE-2018-12697', 'CVE-2018-12698', 'CVE-2018-12699', 'CVE-2018-12700', 'CVE-2018-12934', 'CVE-2018-17794', 'CVE-2018-17985', 'CVE-2018-18309', 'CVE-2018-18483', 'CVE-2018-18484', 'CVE-2018-18605', 'CVE-2018-18606', 'CVE-2018-18607', 'CVE-2018-18700', 'CVE-2018-18701', 'CVE-2018-19932', 'CVE-2018-20002', 'CVE-2018-20623', 'CVE-2018-20651', 'CVE-2018-20671', 'CVE-2018-1000876', 'CVE-2019-9071', 'CVE-2019-9075', 'CVE-2019-9077', 'CVE-2023-25584', 'CVE-2023-25585', 'CVE-2023-25588']},
      {'reference':'gcc-toolset-10-binutils', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gcc-toolset-10-binutils', 'cves':['CVE-2021-20284']},
      {'reference':'gcc-toolset-11-binutils', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gcc-toolset-11-binutils', 'cves':['CVE-2023-25584', 'CVE-2023-25585', 'CVE-2023-25588']},
      {'reference':'gcc-toolset-12-binutils', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gcc-toolset-12-binutils', 'cves':['CVE-2023-25584', 'CVE-2023-25585', 'CVE-2023-25588']},
      {'reference':'mingw-binutils', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'mingw-binutils', 'cves':['CVE-2018-10534', 'CVE-2018-10535', 'CVE-2018-12641', 'CVE-2018-12697', 'CVE-2018-12698', 'CVE-2018-12699', 'CVE-2018-12700', 'CVE-2018-12934', 'CVE-2018-13033', 'CVE-2018-17794', 'CVE-2018-17985', 'CVE-2018-18309', 'CVE-2018-18483', 'CVE-2018-18484', 'CVE-2018-18605', 'CVE-2018-18606', 'CVE-2018-18607', 'CVE-2018-18700', 'CVE-2018-18701', 'CVE-2018-19932', 'CVE-2018-20002', 'CVE-2018-20623', 'CVE-2018-20651', 'CVE-2018-1000876']}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'binutils / gcc-toolset-10-binutils / gcc-toolset-11-binutils / etc');
}
Vendor  Product           Version                  CPE
redhat  enterprise_linux  5                        cpe:/o:redhat:enterprise_linux:5
redhat  enterprise_linux  6                        cpe:/o:redhat:enterprise_linux:6
redhat  enterprise_linux  7                        cpe:/o:redhat:enterprise_linux:7
redhat  enterprise_linux  8                        cpe:/o:redhat:enterprise_linux:8
redhat  enterprise_linux  binutils                 p-cpe:/a:redhat:enterprise_linux:binutils
redhat  enterprise_linux  binutils220              p-cpe:/a:redhat:enterprise_linux:binutils220
redhat  enterprise_linux  gcc-toolset-10-binutils  p-cpe:/a:redhat:enterprise_linux:gcc-toolset-10-binutils
redhat  enterprise_linux  gcc-toolset-11-binutils  p-cpe:/a:redhat:enterprise_linux:gcc-toolset-11-binutils
redhat  enterprise_linux  gcc-toolset-12-binutils  p-cpe:/a:redhat:enterprise_linux:gcc-toolset-12-binutils
redhat  enterprise_linux  mingw-binutils           p-cpe:/a:redhat:enterprise_linux:mingw-binutils
