CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
46.4%
The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:4040-1 advisory.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2023:4040-1. The text itself
# is copyright (C) SUSE.
##
include('compat.inc');
if (description)
{
script_id(182899);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/14");
script_cve_id("CVE-2023-4091");
script_xref(name:"SuSE", value:"SUSE-SU-2023:4040-1");
script_xref(name:"IAVA", value:"2023-A-0535");
script_name(english:"SUSE SLES12 Security Update : samba (SUSE-SU-2023:4040-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced
in the SUSE-SU-2023:4040-1 advisory.
- The SMB protocol allows opening files where the client requests read-only access, but then implicitly
truncating the opened file if the client specifies a separate OVERWRITE create disposition. This operation
requires write access to the file, and in the default Samba configuration the operating system kernel will
deny access to open a read-only file for read/write (which the truncate operation requires). However, when
Samba has been configured to ignore kernel file system permissions, Samba will truncate a file when the
underlying operating system kernel would deny the operation. Affected Samba configurations are the ones
where kernel file-system permission checks are bypassed, relying on Samba's own permission enforcement.
The error is that this check is done against the client request for read-only access, and not the
implicitly requested read-write (for truncate) one. The widely used Samba VFS module acl_xattr when
configured with the module configuration parameter acl_xattr:ignore system acls = yes is the only
upstream Samba module that allows this behavior and is the only known method of reproducing this security
flaw. If (as is the default) the module configuration parameter acl_xattr:ignore system acls=no, then
the Samba server is not vulnerable to this attack. (CVE-2023-4091)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1215904");
# https://lists.suse.com/pipermail/sle-security-updates/2023-October/016619.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?458de42d");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-4091");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-4091");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/10");
script_set_attribute(attribute:"patch_publication_date", value:"2023/10/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ctdb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsamba-policy-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsamba-policy-python3-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsamba-policy0-python3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsamba-policy0-python3-32bit");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-client");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-client-32bit");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-client-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-client-libs-32bit");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-devel-32bit");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-ldb-ldap");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-libs-32bit");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-libs-python3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-libs-python3-32bit");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-python3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-tool");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-winbind");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-winbind-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:samba-winbind-libs-32bit");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)(?:_SAP)?\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12|SLES_SAP12)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12 / SLES_SAP12', 'SUSE (' + os_ver + ')');
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);
var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(5)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES12 SP5", os_ver + " SP" + service_pack);
if (os_ver == "SLES_SAP12" && (! preg(pattern:"^(5)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES_SAP12 SP5", os_ver + " SP" + service_pack);
var pkgs = [
{'reference':'libsamba-policy-devel-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'libsamba-policy-python3-devel-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'libsamba-policy0-python3-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'libsamba-policy0-python3-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-client-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-client-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-client-libs-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-client-libs-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-devel-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-devel-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'cpu':'aarch64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-devel-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-doc-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-ldb-ldap-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-libs-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-libs-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-libs-python3-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-libs-python3-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-python3-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-tool-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-winbind-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-winbind-libs-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'samba-winbind-libs-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
{'reference':'ctdb-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-12.5']},
{'reference':'libsamba-policy-devel-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-sdk-release-12.5', 'sles-release-12.5']},
{'reference':'libsamba-policy-python3-devel-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-sdk-release-12.5', 'sles-release-12.5']},
{'reference':'samba-devel-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-sdk-release-12.5', 'sles-release-12.5']},
{'reference':'samba-devel-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-sdk-release-12.5', 'sles-release-12.5']},
{'reference':'libsamba-policy0-python3-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'libsamba-policy0-python3-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-client-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-client-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-client-libs-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-client-libs-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-devel-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'cpu':'aarch64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-doc-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-ldb-ldap-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-libs-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-libs-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-libs-python3-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-libs-python3-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-python3-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-tool-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-winbind-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-winbind-libs-32bit-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
{'reference':'samba-winbind-libs-4.15.13+git.625.ac658f2f12-3.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']}
];
var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var exists_check = NULL;
var rpm_spec_vers_cmp = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (reference && _release) {
if (exists_check) {
var check_flag = 0;
foreach var check (exists_check) {
if (!rpm_exists(release:_release, rpm:check)) continue;
check_flag++;
}
if (!check_flag) continue;
}
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ctdb / libsamba-policy-devel / libsamba-policy-python3-devel / etc');
}
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
46.4%