The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
libexif: out of bounds write due to an integer overflow in exif-entry.c (CVE-2020-0452)
A vulnerability was found in libexif. An integer overflow when parsing the MNOTE entry data of the input file. This can cause Denial-of-Service (DoS) and Information Disclosure (disclosing some critical heap chunk metadata, even other applications’ private data). (CVE-2016-6328)
libexif through 0.6.21 is vulnerable to out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c caused by improper length computation of the allocated data of an ExifMnote entry which can cause denial-of-service or possibly information disclosure. (CVE-2017-7544)
An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF tags within libexif version 0.6.21 can be exploited to exhaust available CPU resources. (CVE-2018-20030)
In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774 (CVE-2019-9278)
In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-148705132 (CVE-2020-0093)
In exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145075076 (CVE-2020-0181)
In exif_entry_get_value of exif-entry.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed.
User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID:
A-147140917 (CVE-2020-0182)
In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow.
This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-146428941 (CVE-2020-0198)
exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero error. (CVE-2020-12767)
An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093. (CVE-2020-13112)
An issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling could lead to crashes and potential use-after-free conditions. (CVE-2020-13113)
An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data. (CVE-2020-13114)
Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory libexif. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(195514);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");
script_cve_id(
"CVE-2016-6328",
"CVE-2017-7544",
"CVE-2018-20030",
"CVE-2019-9278",
"CVE-2020-0093",
"CVE-2020-0181",
"CVE-2020-0182",
"CVE-2020-0198",
"CVE-2020-0452",
"CVE-2020-12767",
"CVE-2020-13112",
"CVE-2020-13113",
"CVE-2020-13114"
);
script_name(english:"RHEL 5 : libexif (Unpatched Vulnerability)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- libexif: out of bounds write due to an integer overflow in exif-entry.c (CVE-2020-0452)
- A vulnerability was found in libexif. An integer overflow when parsing the MNOTE entry data of the input
file. This can cause Denial-of-Service (DoS) and Information Disclosure (disclosing some critical heap
chunk metadata, even other applications' private data). (CVE-2016-6328)
- libexif through 0.6.21 is vulnerable to out-of-bounds heap read vulnerability in exif_data_save_data_entry
function in libexif/exif-data.c caused by improper length computation of the allocated data of an
ExifMnote entry which can cause denial-of-service or possibly information disclosure. (CVE-2017-7544)
- An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF tags within libexif version
0.6.21 can be exploited to exhaust available CPU resources. (CVE-2018-20030)
- In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote
escalation of privilege in the media content provider with no additional execution privileges needed. User
interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774
(CVE-2019-9278)
- In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing
bounds check. This could lead to local information disclosure with no additional execution privileges
needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1
Android-9 Android-10Android ID: A-148705132 (CVE-2020-0093)
- In exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer
overflow. This could lead to remote denial of service with no additional execution privileges needed. User
interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145075076
(CVE-2020-0181)
- In exif_entry_get_value of exif-entry.c, there is a possible out of bounds read due to a missing bounds
check. This could lead to local information disclosure with no additional execution privileges needed.
User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID:
A-147140917 (CVE-2020-0182)
- In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow.
This could lead to remote denial of service with no additional execution privileges needed. User
interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-146428941
(CVE-2020-0198)
- exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero error. (CVE-2020-12767)
- An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling
could lead to information disclosure and crashes. This is different from CVE-2020-0093. (CVE-2020-13112)
- An issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling
could lead to crashes and potential use-after-free conditions. (CVE-2020-13113)
- An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote
data could lead to consumption of large amounts of compute time for decoding EXIF data. (CVE-2020-13114)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0452");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libexif");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'pkgs': [
{'reference':'libexif', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'libexif'}
]
}
];
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
foreach var pkg ( constraint_array['pkgs'] ) {
var unpatched_pkg = NULL;
var _release = NULL;
var sp = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (unpatched_pkg &&
_release &&
(!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : unpatched_packages_report()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libexif');
}
Vendor | Product | Version | CPE |
---|---|---|---|
redhat | enterprise_linux | 5 | cpe:/o:redhat:enterprise_linux:5 |
redhat | enterprise_linux | 6 | cpe:/o:redhat:enterprise_linux:6 |
redhat | enterprise_linux | 7 | cpe:/o:redhat:enterprise_linux:7 |
redhat | enterprise_linux | 8 | cpe:/o:redhat:enterprise_linux:8 |
redhat | enterprise_linux | libexif | p-cpe:/a:redhat:enterprise_linux:libexif |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7544
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20030
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9278
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0093
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0181
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0182
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0198
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0452
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12767
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13112
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13113
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13114