Security Fix(es) :
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#
include("compat.inc");
# Plugin registration block. When the scanner evaluates the script with
# `description` set, only the metadata below is recorded and the block
# ends with exit(0), so none of the host checks after it are executed.
if (description)
{
# Identity and cross-references: plugin id/version, the CVE this update
# addresses, and the IAVA notice it maps to.
script_id(109849);
script_version("1.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24");
script_cve_id("CVE-2018-1111");
script_xref(name:"IAVA", value:"2018-A-0162");
script_name(english:"Scientific Linux Security Update : dhcp on SL6.x i386/x86_64 (20180515)");
# The summary states the detection method: installed rpm versions are
# compared; nothing is sent to or requested from a DHCP service.
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Scientific Linux host is missing one or more security
updates."
);
# Advisory text (copyright Scientific Linux per the file header). Per this
# text the flaw is reachable from a rogue or spoofed DHCP server, and only
# on hosts using NetworkManager with DHCP-assigned configuration.
script_set_attribute(
attribute:"description",
value:
"Security Fix(es) :
- A command injection flaw was found in the NetworkManager
integration script included in the DHCP client packages
in Scientific Linux. A malicious DHCP server, or an
attacker on the local network able to spoof DHCP
responses, could use this flaw to execute arbitrary
commands with root privileges on systems using
NetworkManager and configured to obtain network
configuration using the DHCP protocol. (CVE-2018-1111)"
);
# Presumably the errata posting that the shortened see_also link below
# resolves to -- confirm before relying on either URL.
# https://listserv.fnal.gov/scripts/wa.exe?A2=ind1805&L=scientific-linux-errata&F=&S=&P=19977
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?875d7ff3"
);
script_set_attribute(attribute:"solution", value:"Update the affected packages.");
# Scoring: both base vectors use AV:A (adjacent network) with no
# authentication/privileges and full C/I/A impact. They differ on attack
# complexity (v2 AC:M, v3 AC:H). Temporal vectors record a functional
# exploit (E:F), an official fix, and a confirmed report.
script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
# Exploit-availability flags used for prioritisation: public exploit code
# is recorded as available, including a named Metasploit module.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'DHCP Client Command Injection (DynoRoot)');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
# "local" plugin type: findings come from data gathered on the host.
script_set_attribute(attribute:"plugin_type", value:"local");
# One CPE per package examined by the check, plus the OS-level x-cpe.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dhclient");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dhcp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dhcp-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dhcp-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dhcp-devel");
script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
# NOTE(review): the recorded vulnerability publication date (05/17) is
# later than both the patch date (05/15) and the plugin date (05/16);
# verify against the advisory before using these dates for timelines.
script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/17");
script_set_attribute(attribute:"patch_publication_date", value:"2018/05/15");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/16");
script_set_attribute(attribute:"in_the_news", value:"true");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
# Scheduling: information-gathering category, runs after ssh_get_info.nasl,
# and requires the KB keys that the checks below read (local checks flag,
# CPU architecture, release string, rpm list).
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Scientific Linux Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");
# Host-side package check for the dhcp update (CVE-2018-1111).
#
# The verdict is based only on installed rpm versions read from the
# knowledge base. It does not test whether NetworkManager is in use or
# whether the host takes its configuration from DHCP, which the advisory
# text names as the conditions for exposure. A finding therefore means
# "update missing", not "confirmed reachable".
#
# Each gate below hands off to audit() and the code after it assumes the
# script does not continue (os_ver is indexed right after its null check).

# Gate 1: credentialed/local checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Gate 2: the release string must identify Scientific Linux.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release)
  audit(AUDIT_HOST_NOT, "running Scientific Linux");

# Gate 3: extract the release number and accept only the 6.x line.
os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver))
  audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver))
  audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver);

# Gate 4: without a collected rpm list there is nothing to compare.
if (!get_kb_item("Host/RedHat/rpm-list"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Gate 5: only x86_64 and i386-i686 hosts are covered by this check.
# NOTE(review): unlike the release test above (literal on the left),
# `cpu >!< "x86_64"` looks for cpu inside the literal, so a value that is
# merely a fragment of "x86_64" would also pass -- confirm the operand
# order is intended.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
  audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$")
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);

# Compare every package from the erratum against its fixed build. All five
# are always evaluated (no early exit), and each true result from
# rpm_check() is counted as one finding.
flag = 0;
foreach pkg_ref (make_list(
  "dhclient-4.1.1-53.P1.el6_9.4",
  "dhcp-4.1.1-53.P1.el6_9.4",
  "dhcp-common-4.1.1-53.P1.el6_9.4",
  "dhcp-debuginfo-4.1.1-53.P1.el6_9.4",
  "dhcp-devel-4.1.1-53.P1.el6_9.4"
))
{
  if (rpm_check(release:"SL6", reference:pkg_ref)) flag++;
}

if (!flag)
{
  # Nothing flagged: report either "tested but not affected" or "none of
  # the packages are installed", depending on what was actually examined.
  tested = pkg_tests_get();
  if (tested)
    audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "dhclient / dhcp / dhcp-common / dhcp-debuginfo / dhcp-devel");
}
else
{
  # At least one package was flagged: raise a host-level (port 0) finding
  # and attach the accumulated rpm comparison report as evidence.
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : rpm_report_get()
  );
  exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
fermilab | scientific_linux | dhclient | p-cpe:/a:fermilab:scientific_linux:dhclient |
fermilab | scientific_linux | dhcp | p-cpe:/a:fermilab:scientific_linux:dhcp |
fermilab | scientific_linux | dhcp-common | p-cpe:/a:fermilab:scientific_linux:dhcp-common |
fermilab | scientific_linux | dhcp-debuginfo | p-cpe:/a:fermilab:scientific_linux:dhcp-debuginfo |
fermilab | scientific_linux | dhcp-devel | p-cpe:/a:fermilab:scientific_linux:dhcp-devel |
fermilab | scientific_linux | | x-cpe:/o:fermilab:scientific_linux |