Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : ZeroMQ vulnerabilities (USN-4920-1)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4920-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(183116);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/16");

  script_cve_id(
    "CVE-2019-13132",
    "CVE-2020-15166",
    "CVE-2021-20234",
    "CVE-2021-20235",
    "CVE-2021-20237"
  );
  script_xref(name:"USN", value:"4920-1");

  script_name(english:"Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : ZeroMQ vulnerabilities (USN-4920-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM host has packages installed that are affected by multiple
vulnerabilities as referenced in the USN-4920-1 advisory.

  - In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated
    client connecting to a libzmq application, running with a socket listening with CURVE
    encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data,
    due to a buffer overflow in the library. Users running public servers with the above configuration are
    highly encouraged to upgrade as soon as possible, as there are no known mitigations. (CVE-2019-13132)

  - In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport
    public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected
    to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange
    any message. Handshakes complete successfully, and messages are delivered to the library, but the server
    application never receives them. This is patched in version 4.3.3. (CVE-2020-15166)

  - An uncontrolled resource consumption (memory leak) flaw was found in the ZeroMQ client in versions before
    4.3.3 in src/pipe.cpp. This issue causes a client that connects to multiple malicious or compromised
    servers to crash. The highest threat from this vulnerability is to system availability. (CVE-2021-20234)

  - There's a flaw in the zeromq server in versions before 4.3.3 in src/decoder_allocators.hpp. The decoder
    static allocator could have its sized changed, but the buffer would remain the same as it is a static
    buffer. A remote, unauthenticated attacker who sends a crafted request to the zeromq server could trigger
    a buffer overflow WRITE of arbitrary data if CURVE/ZAP authentication is not enabled. The greatest impact
    of this flaw is to application availability, data integrity, and confidentiality. (CVE-2021-20235)

  - An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions
    before 4.3.3. This flaw allows a remote unauthenticated attacker to send crafted PUB messages that consume
    excessive memory if the CURVE/ZAP authentication is disabled on the server, causing a denial of service.
    The highest threat from this vulnerability is to system availability. (CVE-2021-20237)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-4920-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected libzmq3-dev and / or libzmq5 packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-13132");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/06/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libzmq3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libzmq3-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libzmq5");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release || '20.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '16.04', 'pkgname': 'libzmq3-dev', 'pkgver': '4.1.4-7ubuntu0.1+esm2'},
    {'osver': '16.04', 'pkgname': 'libzmq5', 'pkgver': '4.1.4-7ubuntu0.1+esm2'},
    {'osver': '18.04', 'pkgname': 'libzmq3-dev', 'pkgver': '4.2.5-1ubuntu0.2+esm2'},
    {'osver': '18.04', 'pkgname': 'libzmq5', 'pkgver': '4.2.5-1ubuntu0.2+esm2'},
    {'osver': '20.04', 'pkgname': 'libzmq3-dev', 'pkgver': '4.3.2-2ubuntu1.20.04.1~esm2'},
    {'osver': '20.04', 'pkgname': 'libzmq5', 'pkgver': '4.3.2-2ubuntu1.20.04.1~esm2'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libzmq3-dev / libzmq5');
}