RHEL 5 : samba (Unpatched Vulnerability)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory samba. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196650);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/13");

  script_cve_id(
    "CVE-2016-2125",
    "CVE-2016-2126",
    "CVE-2017-2619",
    "CVE-2017-12150",
    "CVE-2017-12163",
    "CVE-2017-15275",
    "CVE-2019-3880",
    "CVE-2019-10218",
    "CVE-2020-1472",
    "CVE-2020-10730"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2020/09/21");
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");
  script_xref(name:"CEA-ID", value:"CEA-2021-0008");
  script_xref(name:"CEA-ID", value:"CEA-2020-0129");
  script_xref(name:"CEA-ID", value:"CEA-2023-0016");
  script_xref(name:"CEA-ID", value:"CEA-2020-0121");
  script_xref(name:"CEA-ID", value:"CEA-2020-0101");

  script_name(english:"RHEL 5 : samba (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - samba: symlink race permits opening files outside share directory (CVE-2017-2619)

  - samba: Netlogon elevation of privilege vulnerability (Zerologon) (CVE-2020-1472)

  - It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when
    using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently
    use the ticket to impersonate Samba to other services or domain users. (CVE-2016-2125)

  - Samba version 4.0.0 up to 4.5.2 is vulnerable to privilege elevation due to incorrect handling of the PAC
    (Privilege Attribute Certificate) checksum. A remote, authenticated, attacker can cause the winbindd
    process to crash using a legitimate Kerberos ticket. A local service with access to the winbindd
    privileged pipe can cause winbindd to cache elevated access permissions. (CVE-2016-2126)

  - It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce SMB
    signing when certain configuration options were enabled. A remote attacker could launch a man-in-the-
    middle attack and retrieve information in plain-text. (CVE-2017-12150)

  - An information leak flaw was found in the way SMB1 protocol was implemented by Samba before 4.4.16, 4.5.x
    before 4.5.14, and 4.6.x before 4.6.8. A malicious client could use this flaw to dump server memory
    contents to a file on the samba share or to a shared printer, though the exact area of server memory
    cannot be controlled by the attacker. (CVE-2017-12163)

  - Samba before 4.7.3 might allow remote attackers to obtain sensitive information by leveraging failure of
    the server to clear allocated heap memory. (CVE-2017-15275)

  - A flaw was found in the samba client, all samba versions before samba 4.11.2, 4.10.10 and 4.9.15, where a
    malicious server can supply a pathname to the client with separators. This could allow the client to
    access files and folders outside of the SMB network pathnames. An attacker could use this vulnerability to
    create files outside of the current working directory using the privileges of the client user.
    (CVE-2019-10218)

  - A flaw was found in the way samba implemented an RPC endpoint emulating the Windows registry service API.
    An unprivileged attacker could use this flaw to create a new registry hive file anywhere they have unix
    permissions which could lead to creation of a new file in the Samba share. Versions before 4.8.11, 4.9.6
    and 4.10.2 are vulnerable. (CVE-2019-3880)

  - A NULL pointer dereference, or possible use-after-free flaw was found in Samba AD LDAP server in versions
    before 4.10.17, before 4.11.11 and before 4.12.4. Although some versions of Samba shipped with Red Hat
    Enterprise Linux do not support Samba in AD mode, the affected code is shipped with the libldb package.
    This flaw allows an authenticated user to possibly trigger a use-after-free or NULL pointer dereference.
    The highest threat from this vulnerability is to system availability. (CVE-2020-10730)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1472");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2017-2619");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libldb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba3x");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba4");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'libldb', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'libldb', 'cves':['CVE-2020-10730']},
      {'reference':'samba', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'samba', 'cves':['CVE-2016-2125', 'CVE-2016-2126', 'CVE-2017-2619', 'CVE-2017-12150', 'CVE-2017-12163', 'CVE-2017-15275', 'CVE-2019-3880', 'CVE-2019-10218', 'CVE-2020-1472']},
      {'reference':'samba3x', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'samba3x', 'cves':['CVE-2016-2125', 'CVE-2016-2126', 'CVE-2017-2619', 'CVE-2017-12150', 'CVE-2019-10218']}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libldb / samba / samba3x');
}