Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT_UNPATCHED-LIBX11-RHEL6.NASL
HistoryMay 11, 2024 - 12:00 a.m.

RHEL 6 : libx11 (Unpatched Vulnerability)

2024-05-1100:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
1
rhel 6
libx11
unpatched vulnerabilities
remote x servers
out-of-bounds
denial of service
integer overflow
elevated privileges

10 High

AI Score

Confidence

High

JSON

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • libX11: missing request length checks (CVE-2021-31535)

  • The XGetImage function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving image type and geometry, which triggers out-of-bounds read operations. (CVE-2016-7942)

  • The XListFonts function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving length fields, which trigger out-of-bounds write operations. (CVE-2016-7943)

  • An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault). (CVE-2018-14598)

  • An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact. (CVE-2018-14599)

  • An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution. (CVE-2018-14600)

  • An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux. (CVE-2020-14344)

  • Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. (CVE-2022-3554, CVE-2022-3555)

  • A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of- bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption. (CVE-2023-3138)

  • A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function.
    This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system. (CVE-2023-43785)

  • A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.
    (CVE-2023-43786)

  • A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges. (CVE-2023-43787)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory libx11. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196634);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-7942",
    "CVE-2016-7943",
    "CVE-2018-14598",
    "CVE-2018-14599",
    "CVE-2018-14600",
    "CVE-2020-14344",
    "CVE-2021-31535",
    "CVE-2022-3554",
    "CVE-2022-3555",
    "CVE-2023-3138",
    "CVE-2023-43785",
    "CVE-2023-43786",
    "CVE-2023-43787"
  );

  script_name(english:"RHEL 6 : libx11 (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - libX11: missing request length checks (CVE-2021-31535)

  - The XGetImage function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via
    vectors involving image type and geometry, which triggers out-of-bounds read operations. (CVE-2016-7942)

  - The XListFonts function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via
    vectors involving length fields, which trigger out-of-bounds write operations. (CVE-2016-7943)

  - An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can
    send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed
    later on, leading to DoS (segmentation fault). (CVE-2018-14598)

  - An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable
    to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other
    impact. (CVE-2018-14599)

  - An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a
    variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading
    to DoS or remote code execution. (CVE-2018-14600)

  - An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was
    implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid
    programs call XIM client functions while running with elevated privileges. No such programs are shipped
    with Red Hat Enterprise Linux. (CVE-2020-14344)

  - Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn
    by its CNA. Further investigation showed that it was not a security issue. Notes: none. (CVE-2022-3554,
    CVE-2022-3555)

  - A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in
    libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of
    the arrays that those functions write to, using those IDs as array indexes. They trust that they were
    called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X
    servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-
    bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other
    portions of the Display structure and not write outside the bounds of the Display structure itself,
    possibly causing the client to crash with this memory corruption. (CVE-2023-3138)

  - A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function.
    This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on
    the system. (CVE-2023-43785)

  - A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw
    allows a local user to consume all available system resources and cause a denial of service condition.
    (CVE-2023-43786)

  - A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This
    flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated
    privileges. (CVE-2023-43787)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-31535");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libX11");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'libX11', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'libX11'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libX11');
}
VendorProductVersionCPE
redhatenterprise_linux5cpe:/o:redhat:enterprise_linux:5
redhatenterprise_linuxlibx11p-cpe:/a:redhat:enterprise_linux:libx11
redhatenterprise_linux7cpe:/o:redhat:enterprise_linux:7
redhatenterprise_linux6cpe:/o:redhat:enterprise_linux:6

Related

cloudfoundry 4
nessus 82
openvas 69
ubuntu 5
mageia 3
suse 2
debian 4
osv 7
freebsd 2
gentoo 1
slackware 2
ibm 3
redos 1
almalinux 1
redhat 2
oraclelinux 1
photon 3
amazon 4
fedora 3
cloudfoundry
cloudfoundry
USN-3758-1: libx11 vulnerabilities | Cloud Foundry
2018-09-27 00:00:00
USN-6407-1: libx11 vulnerabilities | Cloud Foundry
2023-10-05 00:00:00
USN-6407-2: libx11 vulnerabilities | Cloud Foundry
2023-11-09 00:00:00
nessus
nessus
EulerOS 2.0 SP2 : libX11 (EulerOS-SA-2019-2480)
2019-12-04 00:00:00
RHEL 7 : libx11 (Unpatched Vulnerability)
2024-05-11 00:00:00
Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : libx11 vulnerabilities (USN-3758-1)
2018-08-31 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-3758-2)
2022-08-26 00:00:00
Huawei EulerOS: Security Advisory for libX11 (EulerOS-SA-2019-2480)
2020-01-23 00:00:00
Ubuntu: Security Advisory (USN-3758-1)
2018-10-26 00:00:00
ubuntu
ubuntu
libx11 vulnerabilities
2018-08-30 00:00:00
libx11 vulnerabilities
2018-08-30 00:00:00
libx11 vulnerabilities
2023-10-10 00:00:00
mageia
mageia
Updated libx11 packages fix security vulnerabilities
2018-09-21 02:17:55
Updated libX11 packages fix security vulnerabilities
2023-10-14 01:56:51
Updated libx11 packages fix security vulnerability
2022-11-25 01:21:24
suse
suse
Security update for libX11 (moderate)
2018-10-05 12:07:58
Security update for libX11 (important)
2018-08-31 12:07:54
debian
debian
[SECURITY] [DLA 1482-1] libx11 security update
2018-08-29 22:18:10
[SECURITY] [DSA 5517-1] libx11 security update
2023-10-05 18:18:00
[SECURITY] [DLA 3602-1] libx11 security update
2023-10-05 10:39:39
osv
osv
libx11 - security update
2018-08-29 00:00:00
libx11 - security update
2023-10-05 00:00:00
Moderate: libX11 security update
2024-04-30 00:00:00
freebsd
freebsd
libX11 -- Multiple vulnerabilities
2018-08-21 00:00:00
11/libX11 multiple vulnerabilities
2023-09-22 00:00:00
gentoo
gentoo
X.Org X11 library: Multiple vulnerabilities
2018-11-09 00:00:00
slackware
slackware
[slackware-security] libX11
2018-08-21 20:09:53
[slackware-security] libX11
2023-10-03 22:25:17
ibm
ibm
Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in xorg-x11-libX11 (CVE-2018-14598 CVE-2018-14599 CVE-2018-14600)
2023-12-07 22:45:02
Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in X.Org libx11 (CVE-2018-14599 CVE-2018-14598)
2019-04-11 21:00:01
Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in xorg-x11
2023-12-07 22:45:03
redos
redos
ROS-20231018-04
2023-10-18 00:00:00
almalinux
almalinux
Moderate: libX11 security update
2024-04-30 00:00:00
redhat
redhat
(RHSA-2024:2145) Moderate: libX11 security update
2024-04-30 06:14:52
(RHSA-2024:2973) Moderate: libX11 security update
2024-05-22 06:35:14
oraclelinux
oraclelinux
libX11 security update
2024-05-02 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2023-5.0-0112
2023-10-11 00:00:00
Important Photon OS Security Update - PHSA-2023-4.0-0486
2023-10-11 00:00:00
Important Photon OS Security Update - PHSA-2023-3.0-0668
2023-10-12 00:00:00
amazon
amazon
Medium: libX11
2019-06-11 23:17:00
Medium: libX11
2023-10-12 15:48:00
Medium: libX11
2023-10-12 15:09:00
fedora
fedora
[SECURITY] Fedora 28 Update: libX11-1.6.7-1.fc28
2019-04-30 01:41:08
[SECURITY] Fedora 25 Update: libX11-1.6.4-1.fc25
2016-10-09 03:00:23
[SECURITY] Fedora 39 Update: libX11-1.8.7-1.fc39
2023-10-07 03:24:34

10 High

AI Score

Confidence

High

JSON
Related for REDHAT_UNPATCHED-LIBX11-RHEL6.NASL
cloudfoundry4nessus82openvas69ubuntu5mageia3suse2debian4osv7freebsd2gentoo1slackware2ibm3redos1almalinux1redhat2oraclelinux1photon3amazon4fedora3