Vulners
Lucene search
TencentOS Server 4: glibc (TSSA-2024:0038)
| Reporter | Title | Published | Views | Family All 347 |
|---|---|---|---|---|
 | glibc ld.so Local Privilege Escalation Vulnerability | 8 Oct 202300:00 | – | zdt |
| Glibc Tunables Privilege Escalation Exploit | 21 Dec 202300:00 | – | zdt |
 | Exploit for Heap-based Buffer Overflow in Gnu Glibc | 4 Oct 202314:12 | – | githubexploit |
| Exploit for Heap-based Buffer Overflow in Gnu Glibc | 23 Dec 202311:54 | – | githubexploit |
| Exploit for Out-of-bounds Write in Netapp Bootstrap_Os | 11 Apr 202618:01 | – | githubexploit |
| Exploit for Heap-based Buffer Overflow in Gnu Glibc | 25 Oct 202311:59 | – | githubexploit |
| Exploit for Heap-based Buffer Overflow in Gnu Glibc | 14 Oct 202302:24 | – | githubexploit |
| Exploit for Out-of-bounds Write in Netapp Bootstrap_Os | 12 Mar 202611:52 | – | githubexploit |
| Exploit for Heap-based Buffer Overflow in Netapp Bootstrap_Os | 2 Mar 202607:19 | – | githubexploit |
| Exploit for Heap-based Buffer Overflow in Gnu Glibc | 4 Oct 202311:58 | – | githubexploit |
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2024:0038.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(238703);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/23");
script_cve_id(
"CVE-2023-4527",
"CVE-2023-4806",
"CVE-2023-4911",
"CVE-2023-5156"
);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/12/12");
script_name(english:"TencentOS Server 4: glibc (TSSA-2024:0038)");
script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 4 host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0038 advisory.
Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:
CVE-2023-4527:
A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and
the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048
bytes can potentially disclose stack contents through the function returned address data, and may cause a
crash.
CVE-2023-4806:
A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that
has been freed, resulting in an application crash. This issue is only exploitable when a NSS module
implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the
_nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the
call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and
AI_V4MAPPED as flags.
CVE-2023-4911:
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the
GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted
GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with
elevated privileges.
CVE-2023-5156:
A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a
memory leak, which may result in an application crash.
Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20240038.xml");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-4911");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/07");
script_set_attribute(attribute:"patch_publication_date", value:"2024/02/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:4");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:glibc");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tencent Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info2.nasl");
script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");
exit(0);
}
include('rpm2.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 4.x', 'TencentOS ' + os_version);
if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);
var constraints = [
{
'release': '4',
'pkgs': [
{'reference':'glibc-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-all-langpacks-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-all-langpacks-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-benchtests-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-benchtests-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-benchtests-debuginfo-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-benchtests-debuginfo-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-common-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-common-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-common-debuginfo-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-common-debuginfo-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-debuginfo-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-debuginfo-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-debugsource-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-debugsource-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-devel-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-devel-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-locale-source-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-locale-source-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-nss-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-nss-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-nss-debuginfo-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-nss-debuginfo-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-nss-devel-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-nss-devel-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-utils-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-utils-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-utils-debuginfo-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'glibc-utils-debuginfo-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nscd-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nscd-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nscd-debuginfo-2.38-4.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nscd-debuginfo-2.38-4.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
]
}
];
var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');
var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
# Check that the target release is equal to the affected release
if (!empty_or_null(constraint['release'])){
if (constraint['release'] != os_release) continue;
}
if (!empty_or_null(constraint['sp'])){
if (constraint['sp'] != os_sp) continue;
}
foreach var pkg ( constraint['pkgs'] ) {
reference = NULL;
sp = NULL;
_cpu = NULL;
el_string = NULL;
rpm_spec_vers_cmp = NULL;
epoch = NULL;
allowmaj = NULL;
exists_check = NULL;
cves = NULL;
if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (reference &&
## (no known rpm to check OR known rpm_exists)
(!exists_check || rpm_exists(rpm:exists_check)) &&
rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'glibc / glibc-all-langpacks / glibc-benchtests / etc');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Nov 2025 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.17.8
EPSS0.6505
SSVC