The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6678-1 advisory.
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352. (CVE-2020-12278)
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353. (CVE-2020-12279)
libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked. (CVE-2023-22742)
libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker. As such, libgit2 versions before 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2. (CVE-2024-24575)
libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2. (CVE-2024-24577)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

```nasl
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6678-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(191559);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/06");

  script_cve_id(
    "CVE-2020-12278",
    "CVE-2020-12279",
    "CVE-2023-22742",
    "CVE-2024-24575",
    "CVE-2024-24577"
  );
  script_xref(name:"USN", value:"6678-1");

  script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 : libgit2 vulnerabilities (USN-6678-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by
multiple vulnerabilities as referenced in the USN-6678-1 advisory.
- An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent
filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when
cloning a repository. This issue is similar to CVE-2019-1352. (CVE-2020-12278)
- An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent
filenames that exist because of NTFS short names. This may allow remote code execution when cloning a
repository. This issue is similar to CVE-2019-1353. (CVE-2020-12279)
- libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the
optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of
libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks`
structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking.
This means that by default - without configuring a certificate check callback, clients will not perform
validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged
to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are
manually checked. (CVE-2023-22742)
- libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid
API, allowing to build Git functionality into your application. Using well-crafted inputs to
`git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of
Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop
to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to
force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the
extracted rev spec is reflected back to the attacker. As such, libgit2 versions before 1.4.0 are not
affected. Users should upgrade to version 1.6.5 or 1.7.2. (CVE-2024-24575)
- libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid
API, allowing to build Git functionality into your application. Using well-crafted inputs to
`git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is
an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be
freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to
controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary
code execution. This issue has been patched in version 1.6.5 and 1.7.2. (CVE-2024-24577)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6678-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12279");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-24577");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/03/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/03/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgit2-1.1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgit2-1.5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgit2-24");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgit2-26");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgit2-28");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgit2-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgit2-fixtures");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release || '20.04' >< os_release || '22.04' >< os_release || '23.10' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04 / 22.04 / 23.10', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '16.04', 'pkgname': 'libgit2-24', 'pkgver': '0.24.1-2ubuntu0.2+esm2'},
    {'osver': '16.04', 'pkgname': 'libgit2-dev', 'pkgver': '0.24.1-2ubuntu0.2+esm2'},
    {'osver': '18.04', 'pkgname': 'libgit2-26', 'pkgver': '0.26.0+dfsg.1-1.1ubuntu0.2+esm1'},
    {'osver': '18.04', 'pkgname': 'libgit2-dev', 'pkgver': '0.26.0+dfsg.1-1.1ubuntu0.2+esm1'},
    {'osver': '20.04', 'pkgname': 'libgit2-28', 'pkgver': '0.28.4+dfsg.1-2ubuntu0.1'},
    {'osver': '20.04', 'pkgname': 'libgit2-dev', 'pkgver': '0.28.4+dfsg.1-2ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'libgit2-1.1', 'pkgver': '1.1.0+dfsg.1-4.1ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'libgit2-dev', 'pkgver': '1.1.0+dfsg.1-4.1ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'libgit2-fixtures', 'pkgver': '1.1.0+dfsg.1-4.1ubuntu0.1'},
    {'osver': '23.10', 'pkgname': 'libgit2-1.5', 'pkgver': '1.5.1+ds-1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libgit2-dev', 'pkgver': '1.5.1+ds-1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libgit2-fixtures', 'pkgver': '1.5.1+ds-1ubuntu1.1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libgit2-1.1 / libgit2-1.5 / libgit2-24 / libgit2-26 / libgit2-28 / etc');
}
```

Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 16.04 | cpe:/o:canonical:ubuntu_linux:16.04:-:lts |
canonical | ubuntu_linux | 18.04 | cpe:/o:canonical:ubuntu_linux:18.04:-:lts |
canonical | ubuntu_linux | 20.04 | cpe:/o:canonical:ubuntu_linux:20.04:-:lts |
canonical | ubuntu_linux | 22.04 | cpe:/o:canonical:ubuntu_linux:22.04:-:lts |
canonical | ubuntu_linux | 23.10 | cpe:/o:canonical:ubuntu_linux:23.10 |
canonical | ubuntu_linux | libgit2-1.1 | p-cpe:/a:canonical:ubuntu_linux:libgit2-1.1 |
canonical | ubuntu_linux | libgit2-1.5 | p-cpe:/a:canonical:ubuntu_linux:libgit2-1.5 |
canonical | ubuntu_linux | libgit2-24 | p-cpe:/a:canonical:ubuntu_linux:libgit2-24 |
canonical | ubuntu_linux | libgit2-26 | p-cpe:/a:canonical:ubuntu_linux:libgit2-26 |
canonical | ubuntu_linux | libgit2-28 | p-cpe:/a:canonical:ubuntu_linux:libgit2-28 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12278
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12279
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22742
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24575
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24577
ubuntu.com/security/notices/USN-6678-1