8.4 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.3 High
AI Score
Confidence
High
0.008 Low
EPSS
Percentile
81.4%
The remote Ubuntu 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6620-1 advisory.
A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer. (CVE-2023-6246)
An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer. (CVE-2023-6779)
An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer. (CVE-2023-6780)
Note that Nessus has not tested for these issues but has instead relied only on the applicationβs self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6620-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(189908);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/13");
script_cve_id("CVE-2023-6246", "CVE-2023-6779", "CVE-2023-6780");
script_xref(name:"USN", value:"6620-1");
script_name(english:"Ubuntu 23.10 : GNU C Library vulnerabilities (USN-6620-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the
USN-6620-1 advisory.
- A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This
function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was
not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0])
is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue
affects glibc 2.36 and newer. (CVE-2023-6246)
- An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc
library. This function is called by the syslog and vsyslog functions. This issue occurs when these
functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the
buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and
newer. (CVE-2023-6779)
- An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is
called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very
long message, leading to an incorrect calculation of the buffer size to store the message, resulting in
undefined behavior. This issue affects glibc 2.37 and newer. (CVE-2023-6780)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6620-1");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-6246");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/30");
script_set_attribute(attribute:"patch_publication_date", value:"2024/02/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/01");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.10");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:glibc-source");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc-bin");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc-dev-bin");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc-devtools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-amd64");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-dev-amd64");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-dev-i386");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-dev-s390");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-dev-x32");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-i386");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-prof");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-s390");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-x32");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:locales");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:locales-all");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nscd");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('23.10' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 23.10', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var pkgs = [
{'osver': '23.10', 'pkgname': 'glibc-source', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc-bin', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc-dev-bin', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc-devtools', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc6', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc6-amd64', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc6-dev', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc6-dev-amd64', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc6-dev-i386', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc6-dev-s390', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc6-dev-x32', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc6-i386', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc6-prof', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc6-s390', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'libc6-x32', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'locales', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'locales-all', 'pkgver': '2.38-1ubuntu6.1'},
{'osver': '23.10', 'pkgname': 'nscd', 'pkgver': '2.38-1ubuntu6.1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var osver = NULL;
var pkgname = NULL;
var pkgver = NULL;
if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
if (osver && pkgname && pkgver) {
if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
var tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'glibc-source / libc-bin / libc-dev-bin / libc-devtools / libc6 / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 23.10 | cpe:/o:canonical:ubuntu_linux:23.10 |
canonical | ubuntu_linux | glibc-source | p-cpe:/a:canonical:ubuntu_linux:glibc-source |
canonical | ubuntu_linux | libc-bin | p-cpe:/a:canonical:ubuntu_linux:libc-bin |
canonical | ubuntu_linux | libc-dev-bin | p-cpe:/a:canonical:ubuntu_linux:libc-dev-bin |
canonical | ubuntu_linux | libc-devtools | p-cpe:/a:canonical:ubuntu_linux:libc-devtools |
canonical | ubuntu_linux | libc6 | p-cpe:/a:canonical:ubuntu_linux:libc6 |
canonical | ubuntu_linux | libc6-amd64 | p-cpe:/a:canonical:ubuntu_linux:libc6-amd64 |
canonical | ubuntu_linux | libc6-dev | p-cpe:/a:canonical:ubuntu_linux:libc6-dev |
canonical | ubuntu_linux | libc6-dev-amd64 | p-cpe:/a:canonical:ubuntu_linux:libc6-dev-amd64 |
canonical | ubuntu_linux | libc6-dev-i386 | p-cpe:/a:canonical:ubuntu_linux:libc6-dev-i386 |
8.4 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.3 High
AI Score
Confidence
High
0.008 Low
EPSS
Percentile
81.4%