Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT_UNPATCHED-ELFUTILS-RHEL6.NASL
HistoryMay 11, 2024 - 12:00 a.m.

RHEL 6 : elfutils (Unpatched Vulnerability)

2024-05-1100:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
4
rhel 6
elfutils
unpatched vulnerabilities
heap-based buffer over-read
denial of service
remote attackers
memory allocation failure
application crash
zlib compression factor
memory consumption
divide-by-zero vulnerabilities

8.3 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

85.7%

JSON

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • elfutils: eu-size cannot handle recursive ar files (CVE-2018-18520)

  • elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c (CVE-2019-7665)

  • The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure. (CVE-2016-10254)

  • The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure. (CVE-2016-10255)

  • The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. (CVE-2017-7607)

  • The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
    (CVE-2017-7608)

  • elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file. (CVE-2017-7609)

  • The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. (CVE-2017-7610)

  • The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. (CVE-2017-7611)

  • The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. (CVE-2017-7612)

  • elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
    (CVE-2017-7613)

  • dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file. (CVE-2018-16062)

  • libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash. (CVE-2018-16403)

  • An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes. (CVE-2018-18310)

  • Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled. (CVE-2018-18521)

  • An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack. (CVE-2019-7150)

  • In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash). (CVE-2019-7664)

  • In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file. (CVE-2021-33294)

  • elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c. (CVE-2024-25260)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory elfutils. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(195525);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-10254",
    "CVE-2016-10255",
    "CVE-2017-7607",
    "CVE-2017-7608",
    "CVE-2017-7609",
    "CVE-2017-7610",
    "CVE-2017-7611",
    "CVE-2017-7612",
    "CVE-2017-7613",
    "CVE-2018-16062",
    "CVE-2018-16403",
    "CVE-2018-18310",
    "CVE-2018-18520",
    "CVE-2018-18521",
    "CVE-2019-7150",
    "CVE-2019-7664",
    "CVE-2019-7665",
    "CVE-2021-33294",
    "CVE-2024-25260"
  );

  script_name(english:"RHEL 6 : elfutils (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - elfutils: eu-size cannot handle recursive ar files (CVE-2018-18520)

  - elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c (CVE-2019-7665)

  - The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial
    of service (crash) via a crafted ELF file, which triggers a memory allocation failure. (CVE-2016-10254)

  - The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers
    to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which
    triggers a memory allocation failure. (CVE-2016-10255)

  - The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of
    service (heap-based buffer over-read and application crash) via a crafted ELF file. (CVE-2017-7607)

  - The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers
    to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
    (CVE-2017-7608)

  - elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote
    attackers to cause a denial of service (memory consumption) via a crafted ELF file. (CVE-2017-7609)

  - The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of
    service (heap-based buffer over-read and application crash) via a crafted ELF file. (CVE-2017-7610)

  - The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial
    of service (heap-based buffer over-read and application crash) via a crafted ELF file. (CVE-2017-7611)

  - The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of
    service (heap-based buffer over-read and application crash) via a crafted ELF file. (CVE-2017-7612)

  - elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which
    allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
    (CVE-2017-7613)

  - dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to
    cause a denial of service (heap-based buffer over-read) via a crafted file. (CVE-2018-16062)

  - libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in
    dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an
    application crash. (CVE-2018-16403)

  - An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in
    elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application
    crash) with a crafted ELF file, as demonstrated by consider_notes. (CVE-2018-18310)

  - Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow
    remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated
    by eu-ranlib, because a zero sh_entsize is mishandled. (CVE-2018-18521)

  - An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom
    in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from
    a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as
    demonstrated by eu-stack. (CVE-2019-7150)

  - In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of
    an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service
    (program crash). (CVE-2019-7664)

  - In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows
    attackers to cause a denial of service (infinite loop) via crafted file. (CVE-2021-33294)

  - elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at
    readelf.c. (CVE-2024-25260)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-7665");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-18520");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:elfutils");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'elfutils', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'elfutils'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'elfutils');
}
VendorProductVersionCPE
redhatenterprise_linux5cpe:/o:redhat:enterprise_linux:5
redhatenterprise_linux6cpe:/o:redhat:enterprise_linux:6
redhatenterprise_linux7cpe:/o:redhat:enterprise_linux:7
redhatenterprise_linux8cpe:/o:redhat:enterprise_linux:8
redhatenterprise_linuxelfutilsp-cpe:/a:redhat:enterprise_linux:elfutils

References

Related

nessus 56
openvas 33
suse 3
mageia 2
ubuntu 3
osv 11
debian 2
fedora 7
gentoo 1
redhat 2
cloudfoundry 1
f5 1
amazon 1
centos 1
oraclelinux 2
archlinux 2
photon 2
redhatcve 10
prion 8
cvelist 6
nvd 10
debiancve 8
cve 7
veracode 8
ubuntucve 8
alpinelinux 4
nessus
nessus
RHEL 6 : elfutils (Unpatched Vulnerability)
2024-06-03 00:00:00
SUSE SLED12 / SLES12 Security Update : elfutils (SUSE-SU-2019:1733-1)
2019-07-05 00:00:00
RHEL 5 : elfutils (Unpatched Vulnerability)
2024-05-11 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2019:1733-1)
2021-04-19 00:00:00
openSUSE: Security Advisory for elfutils (openSUSE-SU-2019:1590-1)
2019-06-20 00:00:00
SUSE: Security Advisory (SUSE-SU-2019:1486-1)
2021-06-09 00:00:00
suse
suse
Security update for elfutils (moderate)
2019-06-20 00:00:00
Security update for dwarves and elfutils (moderate)
2022-09-01 00:00:00
Security update for dwarves and elfutils (moderate)
2022-08-01 00:00:00
mageia
mageia
Updated elfutils packages fix security vulnerabilities
2019-08-18 15:39:41
Updated elfutils packages fix security vulnerabilities
2018-01-03 13:32:10
ubuntu
ubuntu
elfutils vulnerabilities
2018-06-05 00:00:00
elfutils vulnerabilities
2023-08-30 00:00:00
elfutils vulnerabilities
2019-06-10 00:00:00
osv
osv
elfutils - security update
2019-02-25 00:00:00
elfutils vulnerabilities
2023-08-30 16:29:23
elfutils - security update
2021-10-30 00:00:00
debian
debian
[SECURITY] [DLA 1689-1] elfutils security update
2019-02-25 21:35:38
[SECURITY] [DLA 2802-1] elfutils security update
2021-10-30 21:53:24
fedora
fedora
[SECURITY] Fedora 26 Update: elfutils-0.169-1.fc26
2017-05-08 14:27:00
[SECURITY] Fedora 25 Update: elfutils-0.169-1.fc25
2017-05-12 12:06:55
[SECURITY] Fedora 28 Update: elfutils-0.174-5.fc28
2018-11-21 03:14:18
gentoo
gentoo
elfutils: Multiple vulnerabilities
2017-10-13 00:00:00
redhat
redhat
(RHSA-2019:2197) Low: elfutils security, bug fix, and enhancement update
2019-08-06 08:12:18
(RHSA-2019:3575) Low: elfutils security, bug fix, and enhancement update
2019-11-05 18:02:56
cloudfoundry
cloudfoundry
USN-4012-1: elfutils vulnerabilities | Cloud Foundry
2019-06-18 00:00:00
f5
f5
K21426934 : Multiple elfutils vulnerabilities
2022-04-25 00:00:00
amazon
amazon
Low: elfutils
2019-10-21 18:01:00
centos
centos
elfutils security update
2019-08-30 02:43:56
oraclelinux
oraclelinux
elfutils security, bug fix, and enhancement update
2019-08-13 00:00:00
elfutils security, bug fix, and enhancement update
2019-11-14 00:00:00
archlinux
archlinux
[ASA-201901-3] elfutils: denial of service
2019-01-08 00:00:00
[ASA-201903-9] libelf: denial of service
2019-03-18 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2019-1.0-0226
2019-04-22 00:00:00
Important Photon OS Security Update - PHSA-2019-0226
2019-04-22 00:00:00
redhatcve
redhatcve
CVE-2024-25260
2024-02-20 21:38:15
CVE-2017-7607
2017-04-12 11:18:10
CVE-2019-7664
2019-10-12 02:22:30
prion
prion
Null pointer dereference
2024-02-20 18:15:00
Design/Logic Flaw
2017-03-23 16:59:00
Design/Logic Flaw
2017-03-23 16:59:00
cvelist
cvelist
CVE-2024-25260
2024-02-20 00:00:00
CVE-2016-10254
2017-03-23 16:00:00
CVE-2019-7664
2019-02-09 16:00:00
nvd
nvd
CVE-2024-25260
2024-02-20 18:15:52
CVE-2016-10254
2017-03-23 16:59:00
CVE-2017-7612
2017-04-09 14:59:00
debiancve
debiancve
CVE-2021-33294
2023-07-18 14:15:11
CVE-2016-10254
2017-03-23 16:59:00
CVE-2024-25260
2024-02-20 18:15:52
cve
cve
CVE-2016-10254
2017-03-23 16:59:00
CVE-2017-7607
2017-04-09 14:59:00
CVE-2016-10255
2017-03-23 16:59:00
veracode
veracode
Denial Of Service (DoS)
2020-09-21 06:39:53
Denial Of Service (DoS)
2019-08-08 00:07:56
Denial Of Service (DoS)
2019-08-08 00:07:56
ubuntucve
ubuntucve
CVE-2024-25260
2024-02-20 00:00:00
CVE-2016-10254
2017-03-23 00:00:00
CVE-2017-7607
2017-04-09 00:00:00
alpinelinux
alpinelinux
CVE-2017-7607
2017-04-09 14:59:00
CVE-2019-7664
2019-02-09 16:29:00
CVE-2018-16062
2018-08-29 03:29:00

8.3 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

85.7%

JSON
Related for REDHAT_UNPATCHED-ELFUTILS-RHEL6.NASL
nessus56openvas33suse3mageia2ubuntu3osv11debian2fedora7gentoo1redhat2cloudfoundry1f51amazon1centos1oraclelinux2archlinux2photon2redhatcve10prion8cvelist6nvd10debiancve8cve7veracode8ubuntucve8alpinelinux4