TencentOS Server 4: pcs (TSSA-2026:0318)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2026:0318.
##

include('compat.inc');

if (description)
{
  script_id(318553);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/03");

  script_cve_id(
    "CVE-2026-22860",
    "CVE-2026-25500",
    "CVE-2026-26961",
    "CVE-2026-34230",
    "CVE-2026-34763",
    "CVE-2026-34786",
    "CVE-2026-34826",
    "CVE-2026-34827",
    "CVE-2026-34829",
    "CVE-2026-34830"
  );

  script_name(english:"TencentOS Server 4: pcs (TSSA-2026:0318)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 4 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0318 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2026-34830:
    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6,
    Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a
    regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not
    escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and
    control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-
    redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal
    locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

    CVE-2026-34829:
    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6,
    Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a
    multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer
    encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the
    uploaded body is written directly to a temporary file on disk rather than being constrained by the
    buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large
    multipart file upload and consume unbounded disk space. This results in a denial of service condition for
    Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21,
    and 3.2.6.

    CVE-2026-34827:
    Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to
    before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-
    Disposition: form-data; name=... using repeated String#index searches combined with String#slice! prefix
    deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker
    can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter
    values to trigger excessive CPU usage during multipart parsing. This results in a denial of service
    condition in Rack applications that accept multipart form data. This issue has been patched in versions
    3.1.21 and 3.2.6.

    CVE-2026-34826:
    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6,
    Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte
    ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the
    file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges
    such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per
    request. This results in a denial of service condition in Rack file-serving paths that process multipart
    byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

    CVE-2026-34786:
    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6,
    Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO,
    while the underlying file-serving path is decoded before the file is served. As a result, a request for a
    URL-encoded variant of a static path can serve the same file without the headers that header_rules were
    intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers
    to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the
    path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

    CVE-2026-34763:
    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory
    interpolates the configured root path directly into a regular expression when deriving the displayed
    directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail
    and the generated directory listing may expose the full filesystem path in the HTML output. This issue has
    been patched in versions 2.2.23, 3.1.21, and 3.2.6.

    CVE-2026-34230:
    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6,
    Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the
    header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a
    response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding
    header and cause disproportionate CPU consumption on the compression middleware path. This results in a
    denial of service condition for applications using Rack::Deflater. This issue has been patched in versions
    2.2.23, 3.1.21, and 3.2.6.

    CVE-2026-26961:
    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6,
    Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular
    expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one
    rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first
    boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream
    inspection and have Rack parse a different body structure than the intermediary validated. This issue has
    been patched in versions 2.2.23, 3.1.21, and 3.2.6.

    CVE-2026-25500:
    Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5,
    `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link.
    If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`),
    the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry
    executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix
    the issue.

    CVE-2026-22860:
    Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5,
    `Rack::Directory`s path check used a string prefix match on the expanded path. A request like
    `/../root_example/` can escape the configured root if the target path starts with the root string,
    allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20260318.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-34830");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/02/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:pcs");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 4.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'pcs-0.11.5-22.tl4.ap.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pcs-0.11.5-22.tl4.ap.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pcs-snmp-0.11.5-22.tl4.ap.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pcs-snmp-0.11.5-22.tl4.ap.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'pcs / pcs-snmp');
}