Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-6715-1.NASL
HistoryMar 27, 2024 - 12:00 a.m.

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 : unixODBC vulnerability (USN-6715-1)

2024-03-2700:00:00
Ubuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
11
ubuntu 16.04 lts
ubuntu 18.04 lts
ubuntu 20.04 lts
ubuntu 22.04 lts
ubuntu 23.10
unixodbc
stack write flaw
little-endian
big-endian
cve-2024-1013
vulnerability

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by a vulnerability as referenced in the USN-6715-1 advisory.

  • An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big- endian architectures can be broken. (CVE-2024-1013)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6715-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(192637);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/27");

  script_cve_id("CVE-2024-1013");
  script_xref(name:"USN", value:"6715-1");

  script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 : unixODBC vulnerability (USN-6715-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by
a vulnerability as referenced in the USN-6715-1 advisory.

  - An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4
    bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-
    endian architectures can be broken. (CVE-2024-1013)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6715-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-1013");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/03/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/03/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libodbc1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libodbc2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libodbccr2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libodbcinst2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:odbcinst");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:odbcinst1debian2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:unixodbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:unixodbc-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:unixodbc-dev");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release || '20.04' >< os_release || '22.04' >< os_release || '23.10' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04 / 22.04 / 23.10', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '16.04', 'pkgname': 'libodbc1', 'pkgver': '2.3.1-4.1ubuntu0.1~esm2'},
    {'osver': '16.04', 'pkgname': 'odbcinst', 'pkgver': '2.3.1-4.1ubuntu0.1~esm2'},
    {'osver': '16.04', 'pkgname': 'odbcinst1debian2', 'pkgver': '2.3.1-4.1ubuntu0.1~esm2'},
    {'osver': '16.04', 'pkgname': 'unixodbc', 'pkgver': '2.3.1-4.1ubuntu0.1~esm2'},
    {'osver': '16.04', 'pkgname': 'unixodbc-dev', 'pkgver': '2.3.1-4.1ubuntu0.1~esm2'},
    {'osver': '18.04', 'pkgname': 'libodbc1', 'pkgver': '2.3.4-1.1ubuntu3+esm1'},
    {'osver': '18.04', 'pkgname': 'odbcinst', 'pkgver': '2.3.4-1.1ubuntu3+esm1'},
    {'osver': '18.04', 'pkgname': 'odbcinst1debian2', 'pkgver': '2.3.4-1.1ubuntu3+esm1'},
    {'osver': '18.04', 'pkgname': 'unixodbc', 'pkgver': '2.3.4-1.1ubuntu3+esm1'},
    {'osver': '18.04', 'pkgname': 'unixodbc-dev', 'pkgver': '2.3.4-1.1ubuntu3+esm1'},
    {'osver': '20.04', 'pkgname': 'libodbc1', 'pkgver': '2.3.6-0.1ubuntu0.1'},
    {'osver': '20.04', 'pkgname': 'odbcinst', 'pkgver': '2.3.6-0.1ubuntu0.1'},
    {'osver': '20.04', 'pkgname': 'odbcinst1debian2', 'pkgver': '2.3.6-0.1ubuntu0.1'},
    {'osver': '20.04', 'pkgname': 'unixodbc', 'pkgver': '2.3.6-0.1ubuntu0.1'},
    {'osver': '20.04', 'pkgname': 'unixodbc-dev', 'pkgver': '2.3.6-0.1ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'libodbc1', 'pkgver': '2.3.9-5ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'libodbc2', 'pkgver': '2.3.9-5ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'libodbccr2', 'pkgver': '2.3.9-5ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'libodbcinst2', 'pkgver': '2.3.9-5ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'odbcinst', 'pkgver': '2.3.9-5ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'odbcinst1debian2', 'pkgver': '2.3.9-5ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'unixodbc', 'pkgver': '2.3.9-5ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'unixodbc-common', 'pkgver': '2.3.9-5ubuntu0.1'},
    {'osver': '22.04', 'pkgname': 'unixodbc-dev', 'pkgver': '2.3.9-5ubuntu0.1'},
    {'osver': '23.10', 'pkgname': 'libodbc2', 'pkgver': '2.3.12-1ubuntu0.23.10.1'},
    {'osver': '23.10', 'pkgname': 'libodbccr2', 'pkgver': '2.3.12-1ubuntu0.23.10.1'},
    {'osver': '23.10', 'pkgname': 'libodbcinst2', 'pkgver': '2.3.12-1ubuntu0.23.10.1'},
    {'osver': '23.10', 'pkgname': 'odbcinst', 'pkgver': '2.3.12-1ubuntu0.23.10.1'},
    {'osver': '23.10', 'pkgname': 'unixodbc', 'pkgver': '2.3.12-1ubuntu0.23.10.1'},
    {'osver': '23.10', 'pkgname': 'unixodbc-common', 'pkgver': '2.3.12-1ubuntu0.23.10.1'},
    {'osver': '23.10', 'pkgname': 'unixodbc-dev', 'pkgver': '2.3.12-1ubuntu0.23.10.1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libodbc1 / libodbc2 / libodbccr2 / libodbcinst2 / odbcinst / etc');
}
VendorProductVersionCPE
canonicalubuntu_linuxlibodbccr2p-cpe:/a:canonical:ubuntu_linux:libodbccr2
canonicalubuntu_linuxlibodbcinst2p-cpe:/a:canonical:ubuntu_linux:libodbcinst2
canonicalubuntu_linuxodbcinstp-cpe:/a:canonical:ubuntu_linux:odbcinst
canonicalubuntu_linuxodbcinst1debian2p-cpe:/a:canonical:ubuntu_linux:odbcinst1debian2
canonicalubuntu_linuxunixodbcp-cpe:/a:canonical:ubuntu_linux:unixodbc
canonicalubuntu_linuxunixodbc-commonp-cpe:/a:canonical:ubuntu_linux:unixodbc-common
canonicalubuntu_linuxunixodbc-devp-cpe:/a:canonical:ubuntu_linux:unixodbc-dev
canonicalubuntu_linux16.04cpe:/o:canonical:ubuntu_linux:16.04:-:lts
canonicalubuntu_linux18.04cpe:/o:canonical:ubuntu_linux:18.04:-:lts
canonicalubuntu_linux20.04cpe:/o:canonical:ubuntu_linux:20.04:-:lts
Rows per page:
1-10 of 141

Related

cbl_mariner 2
cve 1
ubuntu 2
redhatcve 1
nessus 5
cloudlinux 1
mageia 1
debiancve 1
openvas 3
osv 3
cvelist 1
cloudfoundry 1
ubuntucve 1
nvd 1
amazon 1
photon 3
cbl_mariner
cbl_mariner
CVE-2024-1013 affecting package unixODBC for versions less than 2.3.12-2
2024-06-21 09:32:44
CVE-2024-1013 affecting package unixODBC for versions less than 2.3.9-3
2024-03-28 19:04:04
cve
cve
CVE-2024-1013
2024-03-18 11:15:09
ubuntu
ubuntu
unixODBC vulnerability
2024-03-27 00:00:00
unixODBC vulnerability
2024-06-05 00:00:00
redhatcve
redhatcve
CVE-2024-1013
2024-03-18 10:51:39
nessus
nessus
RHEL 7 : unixodbc (Unpatched Vulnerability)
2024-05-11 00:00:00
Amazon Linux 2023 : unixODBC, unixODBC-devel (ALAS2023-2024-641)
2024-06-10 00:00:00
Ubuntu 24.04 LTS : unixODBC vulnerability (USN-6715-2)
2024-06-05 00:00:00
cloudlinux
cloudlinux
unixODBC: Fix of CVE-2024-1013
2024-04-04 20:29:35
mageia
mageia
Updated unixODBC packages fix security vulnerability
2024-04-01 22:50:27
debiancve
debiancve
CVE-2024-1013
2024-03-18 11:15:09
openvas
openvas
Ubuntu: Security Advisory (USN-6715-2)
2024-06-06 00:00:00
Ubuntu: Security Advisory (USN-6715-1)
2024-03-28 00:00:00
Mageia: Security Advisory (MGASA-2024-0106)
2024-04-05 00:00:00
osv
osv
unixodbc vulnerability
2024-06-05 13:17:14
unixodbc vulnerability
2024-03-27 20:38:24
CVE-2024-1013
2024-03-18 11:15:09
cvelist
cvelist
CVE-2024-1013 Unixodbc: out of bounds stack write due to pointer-to-integer types conversion
2024-03-18 10:53:02
cloudfoundry
cloudfoundry
USN-6715-1: unixODBC vulnerability | Cloud Foundry
2024-04-04 00:00:00
ubuntucve
ubuntucve
CVE-2024-1013
2024-03-18 00:00:00
nvd
nvd
CVE-2024-1013
2024-03-18 11:15:09
amazon
amazon
Medium: unixODBC
2024-06-06 20:17:00
photon
photon
Important Photon OS Security Update - PHSA-2024-3.0-0757
2024-05-03 00:00:00
Important Photon OS Security Update - PHSA-2024-4.0-0613
2024-05-18 00:00:00
Important Photon OS Security Update - PHSA-2024-5.0-0256
2024-04-24 00:00:00

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON
Related for UBUNTU_USN-6715-1.NASL
cbl_mariner2cve1ubuntu2redhatcve1nessus5cloudlinux1mageia1debiancve1openvas3osv3cvelist1cloudfoundry1ubuntucve1nvd1amazon1photon3