The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2022:2314-1 advisory.
Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability. (CVE-2022-24903)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
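The advisory text carried in this plugin's description attribute attributes the overflow to octet-count digits being written to a heap buffer even after the count exceeded the maximum. The C sketch below is an added example, not rsyslog's code, its fix, or part of the Tenable plugin: it parses the `MSG-LEN SP` prefix of an octet-counted frame (RFC 6587) by accumulating the value numerically and enforcing the digit limit before each digit is consumed. `MAX_MSG_SIZE`, `MAX_COUNT_DIGITS`, `parse_octet_count` and the sample frames are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_MSG_SIZE     8192  /* assumed receiver message limit */
#define MAX_COUNT_DIGITS 5     /* assumed cap on digits in MSG-LEN */

enum frame_status { FRAME_OK, FRAME_NEED_MORE, FRAME_BAD_COUNT, FRAME_TOO_LARGE };

/* Parse the "MSG-LEN SP" prefix of an octet-counted frame (RFC 6587).
 * On FRAME_OK, *msg_len is the declared message length and *hdr_len the
 * number of bytes taken by the digits plus the separating space. */
enum frame_status parse_octet_count(const unsigned char *buf, size_t n,
                                    size_t *msg_len, size_t *hdr_len)
{
    size_t count = 0, i = 0;

    for (; i < n && isdigit(buf[i]); i++) {
        /* The limit is checked before the digit is consumed, so a long
         * run of digits is rejected instead of being stored anywhere. */
        if (i >= MAX_COUNT_DIGITS)
            return FRAME_TOO_LARGE;
        count = count * 10 + (size_t)(buf[i] - '0');
    }
    if (i == n)
        return FRAME_NEED_MORE;            /* no delimiter seen yet */
    if (i == 0 || buf[0] == '0' || buf[i] != ' ')
        return FRAME_BAD_COUNT;            /* not NONZERO-DIGIT *DIGIT SP */
    if (count > MAX_MSG_SIZE)
        return FRAME_TOO_LARGE;
    *msg_len = count;
    *hdr_len = i + 1;
    return FRAME_OK;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "11 <13>hello w", "9000 x", "123456 x", "012 x", "42" };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        size_t len = 0, hdr = 0, n = 0;
        while (samples[s][n] != '\0')
            n++;
        enum frame_status st = parse_octet_count(
            (const unsigned char *)samples[s], n, &len, &hdr);
        printf("%-16s status=%d len=%zu hdr=%zu\n", samples[s], st, len, hdr);
    }
    return 0;
}
```

A receiver built this way keeps no per-digit buffer at all, so the length of the digit run cannot influence memory use.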
```
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2022:2314-1. The text itself
# is copyright (C) SUSE.
##

include('compat.inc');

if (description)
{
  script_id(162946);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/14");

  script_cve_id("CVE-2022-24903");
  script_xref(name:"SuSE", value:"SUSE-SU-2022:2314-1");

  script_name(english:"SUSE SLES12 Security Update : rsyslog (SUSE-SU-2022:2314-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced
in the SUSE-SU-2022:2314-1 advisory.
- Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap
buffer overflow when octet-counted framing is used. This can result in a segfault or some other
malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But
there may still be a slight chance for experts to do that. The bug occurs when the octet count is read.
While there is a check for the maximum number of octets, digits are written to a heap buffer even when the
octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence
of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote
exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing
modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`,
`imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to
directly expose them to the public. When this practice is followed, the risk is considerably lower. Module
`imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present
on any production installation. Octet-counted framing is not very common. Usually, it needs to be
specifically enabled at senders. If users do not need it, they can turn it off for the most important
modules. This will mitigate the vulnerability. (CVE-2022-24903)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1051798");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1068678");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1080238");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1082318");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1101642");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1110456");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1160414");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1178288");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1178490");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1182653");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1188039");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1199061");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-24903");
  # https://lists.suse.com/pipermail/sle-security-updates/2022-July/011439.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a69b1558");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-24903");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/05/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/07/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/07/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:rsyslog");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:rsyslog-diag-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:rsyslog-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:rsyslog-module-gssapi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:rsyslog-module-gtls");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:rsyslog-module-mmnormalize");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:rsyslog-module-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:rsyslog-module-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:rsyslog-module-relp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:rsyslog-module-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:rsyslog-module-udpspoof");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include('rpm.inc');

# The check works from the collected RPM list, so local checks must be enabled.
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)(?:_SAP)?\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12|SLES_SAP12)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12 / SLES_SAP12', 'SUSE (' + os_ver + ')');

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);

# Only service pack 5 of SLES12 / SLES_SAP12 is in scope for this check.
var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(5)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES12 SP5", os_ver + " SP" + service_pack);
if (os_ver == "SLES_SAP12" && (! preg(pattern:"^(5)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES_SAP12 SP5", os_ver + " SP" + service_pack);

# Reference package versions to check, per release.
var pkgs = [
    {'reference':'rsyslog-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'rsyslog-diag-tools-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'rsyslog-doc-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'rsyslog-module-gssapi-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'rsyslog-module-gtls-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'rsyslog-module-mmnormalize-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'rsyslog-module-mysql-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'rsyslog-module-pgsql-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'rsyslog-module-relp-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'rsyslog-module-snmp-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'rsyslog-module-udpspoof-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'rsyslog-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'rsyslog-diag-tools-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'rsyslog-doc-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'rsyslog-module-gssapi-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'rsyslog-module-gtls-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'rsyslog-module-mmnormalize-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'rsyslog-module-mysql-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'rsyslog-module-pgsql-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'rsyslog-module-relp-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'rsyslog-module-snmp-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'rsyslog-module-udpspoof-8.2106.0-8.5.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']}
];

var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var exists_check = NULL;
  var rpm_spec_vers_cmp = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (reference && _release) {
    # Skip the entry unless at least one of its exists_check packages is installed.
    if (exists_check) {
      var check_flag = 0;
      foreach var check (exists_check) {
        if (!rpm_exists(release:_release, rpm:check)) continue;
        check_flag++;
      }
      if (!check_flag) continue;
    }
    # Any positive rpm_check() result triggers the report below.
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'rsyslog / rsyslog-diag-tools / rsyslog-doc / rsyslog-module-gssapi / etc');
}
```

Vendor | Product | Version | CPE |
---|---|---|---|
novell | suse_linux | rsyslog-module-pgsql | p-cpe:/a:novell:suse_linux:rsyslog-module-pgsql |
novell | suse_linux | rsyslog-module-relp | p-cpe:/a:novell:suse_linux:rsyslog-module-relp |
novell | suse_linux | rsyslog-module-snmp | p-cpe:/a:novell:suse_linux:rsyslog-module-snmp |
novell | suse_linux | rsyslog-module-udpspoof | p-cpe:/a:novell:suse_linux:rsyslog-module-udpspoof |
novell | suse_linux | 12 | cpe:/o:novell:suse_linux:12 |
novell | suse_linux | rsyslog | p-cpe:/a:novell:suse_linux:rsyslog |
novell | suse_linux | rsyslog-diag-tools | p-cpe:/a:novell:suse_linux:rsyslog-diag-tools |
novell | suse_linux | rsyslog-doc | p-cpe:/a:novell:suse_linux:rsyslog-doc |
novell | suse_linux | rsyslog-module-gssapi | p-cpe:/a:novell:suse_linux:rsyslog-module-gssapi |
novell | suse_linux | rsyslog-module-gtls | p-cpe:/a:novell:suse_linux:rsyslog-module-gtls |