CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 8 High
Confidence: High

EPSS: 0.014 Low
Percentile: 86.3%
The remote Red Hat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

- binutils: heap-based buffer overflow in finish_stab in stabs.c (CVE-2018-12699)
- binutils version 2.32 and earlier contains an integer overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound, bfd_canonicalize_dynamic_reloc that can result in an integer overflow triggering a heap overflow. Successful exploitation allows execution of arbitrary code. This attack appears to be exploitable via local access. This vulnerability appears to have been fixed after commit 3a551c7a1b80fca579461774860574eabfd7f18f. (CVE-2018-1000876)
- The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a SECTION type that has a 0 value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy. (CVE-2018-10535)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory binutils. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
  script_id(200030);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");
  script_cve_id(
    "CVE-2018-6872",
    "CVE-2018-10535",
    "CVE-2018-12641",
    "CVE-2018-12697",
    "CVE-2018-12698",
    "CVE-2018-12699",
    "CVE-2018-12700",
    "CVE-2018-12934",
    "CVE-2018-13033",
    "CVE-2018-17358",
    "CVE-2018-17360",
    "CVE-2018-17794",
    "CVE-2018-17985",
    "CVE-2018-18309",
    "CVE-2018-18483",
    "CVE-2018-18484",
    "CVE-2018-18605",
    "CVE-2018-18606",
    "CVE-2018-18607",
    "CVE-2018-18700",
    "CVE-2018-18701",
    "CVE-2018-19932",
    "CVE-2018-20002",
    "CVE-2018-20623",
    "CVE-2018-20651",
    "CVE-2018-20671",
    "CVE-2018-1000876",
    "CVE-2019-9071",
    "CVE-2019-9075",
    "CVE-2019-9077",
    "CVE-2019-12972",
    "CVE-2019-17451",
    "CVE-2020-16598",
    "CVE-2020-35448",
    "CVE-2020-35493",
    "CVE-2020-35494",
    "CVE-2020-35495",
    "CVE-2020-35496",
    "CVE-2020-35507",
    "CVE-2021-3487",
    "CVE-2021-20294",
    "CVE-2021-45078",
    "CVE-2022-38533",
    "CVE-2023-1972",
    "CVE-2023-25584",
    "CVE-2023-25585",
    "CVE-2023-25588"
  );
  script_name(english:"RHEL 8 : binutils (Unpatched Vulnerability)");
  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 8 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- binutils: heap-based buffer overflow in finish_stab in stabs.c (CVE-2018-12699)
- binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump,
bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow
trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to
be exploitable via Local. This vulnerability appears to have been fixed in after commit
3a551c7a1b80fca579461774860574eabfd7f18f. (CVE-2018-1000876)
- The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as
distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab
entry with a SECTION type that has a 0 value, which allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.
(CVE-2018-10535)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-12699");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/06/03");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:binutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gcc-toolset-10-binutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gcc-toolset-11-binutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gcc-toolset-12-binutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-binutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mingw-binutils");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
  exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
  {
    'pkgs': [
      {'reference':'binutils', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'binutils', 'cves':['CVE-2018-6872', 'CVE-2018-12641', 'CVE-2018-12697', 'CVE-2018-12698', 'CVE-2018-12699', 'CVE-2018-12700', 'CVE-2018-12934', 'CVE-2018-17360', 'CVE-2018-17794', 'CVE-2018-17985', 'CVE-2018-18309', 'CVE-2018-18483', 'CVE-2018-18484', 'CVE-2018-18605', 'CVE-2018-18606', 'CVE-2018-18607', 'CVE-2018-18700', 'CVE-2018-18701', 'CVE-2018-19932', 'CVE-2018-20002', 'CVE-2018-20623', 'CVE-2018-20651', 'CVE-2018-20671', 'CVE-2018-1000876', 'CVE-2019-9071', 'CVE-2019-9075', 'CVE-2019-9077', 'CVE-2019-12972', 'CVE-2020-16598', 'CVE-2020-35493', 'CVE-2020-35494', 'CVE-2020-35495', 'CVE-2020-35496', 'CVE-2020-35507', 'CVE-2021-45078', 'CVE-2022-38533', 'CVE-2023-1972', 'CVE-2023-25584', 'CVE-2023-25585', 'CVE-2023-25588']},
      {'reference':'gcc-toolset-10-binutils', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gcc-toolset-10-binutils', 'cves':['CVE-2020-35448', 'CVE-2021-3487', 'CVE-2021-20294', 'CVE-2021-45078', 'CVE-2022-38533']},
      {'reference':'gcc-toolset-11-binutils', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gcc-toolset-11-binutils', 'cves':['CVE-2021-45078', 'CVE-2022-38533', 'CVE-2023-1972', 'CVE-2023-25584', 'CVE-2023-25585', 'CVE-2023-25588']},
      {'reference':'gcc-toolset-12-binutils', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gcc-toolset-12-binutils', 'cves':['CVE-2022-38533', 'CVE-2023-1972', 'CVE-2023-25584', 'CVE-2023-25585', 'CVE-2023-25588']},
      {'reference':'gcc-toolset-9-binutils', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gcc-toolset-9-binutils', 'cves':['CVE-2019-12972', 'CVE-2019-17451', 'CVE-2020-16598', 'CVE-2020-35493', 'CVE-2020-35494', 'CVE-2020-35495', 'CVE-2020-35496', 'CVE-2020-35507', 'CVE-2021-20294', 'CVE-2021-45078']},
      {'reference':'mingw-binutils', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'mingw-binutils', 'cves':['CVE-2018-10535', 'CVE-2018-12641', 'CVE-2018-12697', 'CVE-2018-12698', 'CVE-2018-12699', 'CVE-2018-12700', 'CVE-2018-12934', 'CVE-2018-13033', 'CVE-2018-17358', 'CVE-2018-17360', 'CVE-2018-17794', 'CVE-2018-17985', 'CVE-2018-18309', 'CVE-2018-18483', 'CVE-2018-18484', 'CVE-2018-18605', 'CVE-2018-18606', 'CVE-2018-18607', 'CVE-2018-18700', 'CVE-2018-18701', 'CVE-2018-19932', 'CVE-2018-20002', 'CVE-2018-20623', 'CVE-2018-20651', 'CVE-2018-1000876']}
    ]
  }
];
var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}
if (flag)
{
  var extra = NULL;
  security_report_v4(
    port : 0,
    severity : SECURITY_HOLE,
    extra : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'binutils / gcc-toolset-10-binutils / gcc-toolset-11-binutils / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
redhat | enterprise_linux | gcc-toolset-11-binutils | p-cpe:/a:redhat:enterprise_linux:gcc-toolset-11-binutils |
redhat | enterprise_linux | gcc-toolset-9-binutils | p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-binutils |
redhat | enterprise_linux | gcc-toolset-12-binutils | p-cpe:/a:redhat:enterprise_linux:gcc-toolset-12-binutils |
redhat | enterprise_linux | gcc-toolset-10-binutils | p-cpe:/a:redhat:enterprise_linux:gcc-toolset-10-binutils |
redhat | enterprise_linux | binutils | p-cpe:/a:redhat:enterprise_linux:binutils |
redhat | enterprise_linux | 8 | cpe:/o:redhat:enterprise_linux:8 |
redhat | enterprise_linux | mingw-binutils | p-cpe:/a:redhat:enterprise_linux:mingw-binutils |