TencentOS Server 4: binutils (TSSA-2025:0612)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2025:0612.
##

include('compat.inc');

if (description)
{
  script_id(253507);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/04");

  script_cve_id("CVE-2025-0840", "CVE-2025-7545", "CVE-2025-7546");

  script_name(english:"TencentOS Server 4: binutils (TSSA-2025:0612)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 4 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0612 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2025-7546:
    A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by
    this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to
    out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed
    to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is
    recommended to apply a patch to fix this issue.

    CVE-2025-7545:
    A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability
    is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer
    overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be
    used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to
    fix this issue.

    CVE-2025-0840:
    A vulnerability, which was classified as problematic, was found in GNU Binutils up to 2.43. This affects
    the function disassemble_bytes of the file binutils/objdump.c. The manipulation of the argument buf leads
    to stack-based buffer overflow. It is possible to initiate the attack remotely. The complexity of an
    attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the
    public and may be used. Upgrading to version 2.44 is able to address this issue. The identifier of the
    patch is baac6c221e9d69335bf41366a1c7d87d8ab2f893. It is recommended to upgrade the affected component.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20250612.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-0840");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-7546");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2025-7546");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/08/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/08/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:binutils");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 4.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'binutils-2.41-17.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-2.41-17.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-debuginfo-2.41-17.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-debuginfo-2.41-17.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-debugsource-2.41-17.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-debugsource-2.41-17.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-devel-2.41-17.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-devel-2.41-17.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-gold-2.41-17.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-gold-2.41-17.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-gold-debuginfo-2.41-17.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-gold-debuginfo-2.41-17.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-gprofng-2.41-17.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-gprofng-2.41-17.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-gprofng-debuginfo-2.41-17.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-gprofng-debuginfo-2.41-17.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'binutils-source-2.41-17.tl4', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'binutils / binutils-debuginfo / binutils-debugsource / etc');
}