
Synology DiskStation Manager Sudo Off-by-one Error (CVE-2021-3156)

2024-10-01 00:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
6
synology diskstation manager
sudo
off-by-one error
cve-2021-3156
vulnerability
privilege escalation
heap-based buffer overflow
tenable.ot

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9

Confidence

High

EPSS

0.963

Percentile

99.6%

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Registration branch: when the scanner loads the plugin with `description` set,
# only the metadata below is recorded and the script exits before any detection
# logic runs (the detection logic lives after this block).
if (description)
{
  script_id(502412);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/10/01");

  script_cve_id("CVE-2021-3156");
  # Date the CVE was added to the CISA Known Exploited Vulnerabilities catalog.
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/27");

  script_name(english:"Synology DiskStation Manager Sudo Off-by-one Error (CVE-2021-3156)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"Sudo before 1.9.5p2 contains an off-by-one error that can result in a
heap-based buffer overflow, which allows privilege escalation to root
via sudoedit -s and a command-line argument that ends with a single
backslash character.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  # http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3fe83524");
  # http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2930b3c0");
  # http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?aa683a6d");
  # http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2d70b4ff");
  # NOTE(review): the next reference (and the 2024-dated fulldisclosure / oss-security
  # entries below) are titled as a glibc syslog heap overflow, not the sudo issue this
  # plugin reports — confirm they belong in this plugin's reference list.
  # http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3a12c599");
  script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2021/Feb/42");
  script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2021/Jan/79");
  script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2024/Feb/3");
  script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2021/01/26/3");
  script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2021/01/27/1");
  script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2021/01/27/2");
  script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2021/02/15/1");
  script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2021/09/14/2");
  script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2024/01/30/6");
  script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2024/01/30/8");
  script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html");
  # https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0bcad2eb");
  # https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ca4daa64");
  script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/202101-33");
  script_set_attribute(attribute:"see_also", value:"https://security.netapp.com/advisory/ntap-20210128-0001/");
  script_set_attribute(attribute:"see_also", value:"https://security.netapp.com/advisory/ntap-20210128-0002/");
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/kb/HT212177");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5951990c");
  # https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e0fce02d");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2021/dsa-4839");
  script_set_attribute(attribute:"see_also", value:"https://www.kb.cert.org/vuls/id/794544");
  script_set_attribute(attribute:"see_also", value:"https://www.openwall.com/lists/oss-security/2021/01/26/3");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com//security-alerts/cpujul2021.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2022.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuoct2021.html");
  script_set_attribute(attribute:"see_also", value:"https://www.sudo.ws/stable.html#1.9.5p2");
  # Vendor advisory for the DSM fix; the detection block's affected-version range is taken from it.
  script_set_attribute(attribute:"see_also", value:"https://www.synology.com/security/advisory/Synology_SA_21_02");
  script_set_attribute(attribute:"see_also", value:"https://www.vicarius.io/vsociety/posts/sudoedit-pwned-cve-2021-3156");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  # NOTE(review): the base vector is labelled CVSS:3.0 here while the page summary
  # shows the same metrics under CVSS:3.1 — confirm which scheme is intended.
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3156");

  # Exploit-maturity flags: public exploits exist, the issue is in the KEV catalog
  # (see the CISA xref above), and both Metasploit and CANVAS modules are recorded.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Sudo Heap-Based Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");
  # CWE-193: Off-by-one Error, matching the plugin title.
  script_cwe_id(193);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/01/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/01/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/10/01");

  # "remote" here means the check is driven by inventory data from the Tenable.ot API
  # integration (see script_dependencies below), not by probing the asset directly.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:synology:diskstation_manager");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The detection block below only runs if the API integration plugin has populated
  # the Tenable.ot/Synology KB key for this scan.
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Synology");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

# Bail out unless the API integration recorded at least one Synology asset for this scan.
get_kb_item_or_exit('Tenable.ot/Synology');

# Inventory record for the Synology asset, as collected by the Tenable.ot integration.
var synology_asset = tenable_ot::assets::get(vendor:'Synology');

# Affected DiskStation Manager range: 6.2 up to, but not including, the fixed
# build 6.2.4-25554. The comparison itself is done by the shared CVE helper.
var affected_cpes = {
    "cpe:/a:synology:diskstation_manager" :
        {"family" : "DiskStation", "versionStartIncluding" : "6.2", "versionEndExcluding" : "6.2.4-25554"}
};

# Report as a hole (local root privilege escalation) when the asset's version falls in range.
tenable_ot::cve::compare_and_report(asset:synology_asset, cpes:affected_cpes, severity:SECURITY_HOLE);

References

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9

Confidence

High

EPSS

0.963

Percentile

99.6%