RHEL 5 : quagga (Unpatched Vulnerability)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory quagga. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(195599);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-1245",
    "CVE-2016-2342",
    "CVE-2016-4049",
    "CVE-2017-3224",
    "CVE-2017-5495",
    "CVE-2018-5379",
    "CVE-2018-5380",
    "CVE-2018-5381"
  );
  script_xref(name:"CEA-ID", value:"CEA-2019-0227");

  script_name(english:"RHEL 5 : quagga (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - quagga: VPNv4 NLRI parser memcpys to stack on unchecked length (CVE-2016-2342)

  - quagga: Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to
    crash or potentially execute arbitrary code (CVE-2018-5379)

  - It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based buffer
    overflow when processing IPv6 Neighbor Discovery messages. The root cause was relying on BUFSIZ to be
    compatible with a message size; however, BUFSIZ is system-dependent. (CVE-2016-1245)

  - The bgp_dump_routes_func function in bgpd/bgp_dump.c in Quagga does not perform size checks when dumping
    data, which might allow remote attackers to cause a denial of service (assertion failure and daemon crash)
    via a large BGP packet. (CVE-2016-4049)

  - Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement
    (LSA) recency for LSAs with MaxSequenceNumber. According to RFC 2328 section 13.1, for two instances of
    the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally
    MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered
    more recent, and will not be flushed from the Link State Database (LSDB). Since the RFC does not
    explicitly state that the values of links carried by a LSA must be the same when prematurely aging a self-
    originating LSA with MaxSequenceNumber, it is possible in vulnerable OSPF implementations for an attacker
    to craft a LSA with MaxSequenceNumber and invalid links that will result in a larger checksum and thus a
    'newer' LSA that will not be flushed from the LSDB. Propagation of the crafted LSA can result in the
    erasure or alteration of the routing tables of routers within the routing domain, creating a denial of
    service condition or the re-routing of traffic on the network. CVE-2017-3224 has been reserved for Quagga
    and downstream implementations (SUSE, openSUSE, and Red Hat packages). (CVE-2017-3224)

  - All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded memory allocation in the telnet
    'vty' CLI, leading to a Denial-of-Service of Quagga daemons, or even the entire host. When Quagga daemons
    are configured with their telnet CLI enabled, anyone who can connect to the TCP ports can trigger this
    vulnerability, prior to authentication. Most distributions restrict the Quagga telnet interface to local
    access only by default. The Quagga telnet interface 'vty' input buffer grows automatically, without bound,
    so long as a newline is not entered. This allows an attacker to cause the Quagga daemon to allocate
    unbounded memory by sending very long strings without a newline. Eventually the daemon is terminated by
    the system, or the system itself runs out of memory. This is fixed in Quagga 1.1.1 and Free Range Routing
    (FRR) Protocol Suite 2017-01-10. (CVE-2017-5495)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 can overrun internal BGP code-to-string conversion
    tables used for debug by 1 pointer value, based on input. (CVE-2018-5380)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of Capabilities in BGP OPEN
    messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on
    invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial
    of service. (CVE-2018-5381)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2342");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-5379");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:quagga");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'quagga', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'quagga'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'quagga');
}