RHEL 6 : bluez (Unpatched Vulnerability)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory bluez. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196471);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-7837",
    "CVE-2016-9797",
    "CVE-2016-9798",
    "CVE-2016-9800",
    "CVE-2016-9801",
    "CVE-2016-9803",
    "CVE-2016-9804",
    "CVE-2019-8921",
    "CVE-2019-8922",
    "CVE-2020-27153",
    "CVE-2021-3588",
    "CVE-2021-3658",
    "CVE-2021-41229",
    "CVE-2022-3563",
    "CVE-2022-3637",
    "CVE-2022-39176",
    "CVE-2022-39177",
    "CVE-2023-27349",
    "CVE-2023-45866"
  );

  script_name(english:"RHEL 6 : bluez (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - bluez: double free in gatttool client disconnect callback handler in src/shared/att.c could lead to DoS or
    RCE (CVE-2020-27153)

  - bluez: BlueZ allows physically proximate attackers to cause a denial of service because malformed and
    invalid capabilities can be processed in profiles/audio/avdtp.c (CVE-2022-39177)

  - Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execute arbitrary code via the parse_line
    function used in some userland utilities. (CVE-2016-7837)

  - In BlueZ 5.42, a buffer over-read was observed in l2cap_dump function in tools/parser/l2cap.c source
    file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9797)

  - In BlueZ 5.42, a use-after-free was identified in conf_opt function in tools/parser/l2cap.c source
    file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9798)

  - In BlueZ 5.42, a buffer overflow was observed in pin_code_reply_dump function in tools/parser/hci.c
    source file. The issue exists because pin array is overflowed by supplied parameter due to lack of
    boundary checks on size of the buffer from frame pin_code_reply_cp *cp parameter. (CVE-2016-9800)

  - In BlueZ 5.42, a buffer overflow was observed in set_ext_ctrl function in tools/parser/l2cap.c source
    file when processing corrupted dump file. (CVE-2016-9801)

  - In BlueZ 5.42, an out-of-bounds read was observed in le_meta_ev_dump function in tools/parser/hci.c
    source file. This issue exists because 'subevent' (which is used to read correct element from
    'ev_le_meta_str' array) is overflowed. (CVE-2016-9803)

  - In BlueZ 5.42, a buffer overflow was observed in commands_dump function in tools/parser/csr.c source
    file. The issue exists because commands array is overflowed by supplied parameter due to lack of
    boundary checks on size of the buffer from frame frm->ptr parameter. This issue can be triggered by
    processing a corrupted dump file and will result in hcidump crash. (CVE-2016-9804)

  - An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a
    SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server
    into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The
    root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check
    whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the
    same. (CVE-2019-8921)

  - A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on
    whether there is enough space in the destination buffer. The function simply appends all data passed to
    it. The values of all attributes that are requested are appended to the output buffer. There are no size
    checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is
    large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by
    process_request (in sdpd-request.c), which also allocates the response buffer. (CVE-2019-8922)

  - The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset'
    variable before using it as an index into an array for reading. (CVE-2021-3588)

  - bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and
    restores it when powered up. If a device is powered down while discoverable, it will be discoverable when
    powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby
    attackers. (CVE-2021-3658)

  - BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in
    sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates
    and will not be freed. This will cause a memory leak over time. The data can be a very large object, which
    can be caused by an attacker continuously sending sdp packets and this may cause the service of the target
    device to crash. (CVE-2021-41229)

  - A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function
    read_50_controller_cap_complete of the file tools/mgmt-tester.c of the component BlueZ. The manipulation
    of the argument cap_len leads to null pointer dereference. It is recommended to apply a patch to fix this
    issue. VDB-211086 is the identifier assigned to this vulnerability. (CVE-2022-3563)

  - A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects
    the function jlink_init of the file monitor/jlink.c of the component BlueZ. The manipulation leads to
    denial of service. It is recommended to apply a patch to fix this issue. The identifier of this
    vulnerability is VDB-211936. (CVE-2022-3637)

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because
    profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

  - BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability. This
    vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected
    installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must
    connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The
    issue results from the lack of proper validation of user-supplied data, which can result in a write past
    the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context
    of root. Was ZDI-CAN-19908. (CVE-2023-27349)

  - Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and
    establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of
    HID messages when no user interaction has occurred in the Central role to authorize such access. An
    example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556
    mitigation would have already addressed this Bluetooth HID Hosts issue. (CVE-2023-45866)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-27153");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-39177");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-hcidump");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-utils");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'bluez', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'bluez'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bluez');
}