VMSA-2008-0003 : Moderate: Updated aacraid driver and samba and python Service Console updates

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from VMware Security Advisory 2008-0003. 
# The text itself is copyright (C) VMware Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(40374);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2006-7228", "CVE-2007-2052", "CVE-2007-4308", "CVE-2007-4965", "CVE-2007-6015");
  script_bugtraq_id(23887, 25216, 25696, 26462, 26727, 26791);
  script_xref(name:"VMSA", value:"2008-0003");

  script_name(english:"VMSA-2008-0003 : Moderate: Updated aacraid driver and samba and python Service Console updates");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote VMware ESX host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"I  Updated ESX driver

    a. Updated aacraid driver

       This patch fixes a flaw in how the aacraid SCSI driver checked
       IOCTL command permissions.  This flaw might allow a local user
       on the Service Console to cause a denial of service or gain
       privileges. Thanks to Adaptec for reporting this issue.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2007-4308 to this issue.

II  Service Console package security updates

    a. Samba

       Alin Rad Pop of Secunia Research found a stack-based buffer overflow
       flaw in the way Samba authenticates remote users.  A remote
       unauthenticated user could trigger this flaw to cause the Samba
       server to crash or to execute arbitrary code with the
       permissions of the Samba server.

       Note: This vulnerability can be exploited only if the attacker
             has access to the Service Console network.  The Samba
             client is installed by default in the Service Console, but
             the Samba server is not.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2007-6015 to this issue.

    b. Python

       Chris Evans of the Google security research team discovered an
       integer overflow issue with the way Python's Perl-Compatible
       Regular Expression (PCRE) module handled certain regular
       expressions.  If a Python application used the PCRE module to
       compile and execute untrusted regular expressions, it might be
       possible to cause the application to crash, or to execute
       arbitrary code with the privileges of the Python interpreter.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2006-7228 to this issue.

       Piotr Engelking discovered a flaw in Python's locale module
       where strings generated by the strxfrm() function were not
       properly NUL-terminated.  This might result in disclosure of
       data stored in the memory of a Python application using the
       strxfrm() function.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2007-2052 to this issue.

       Slythers Bro reported multiple integer overflow flaws in
       Python's imageop module.  These could allow an attacker to cause
       a Python application to crash, enter an infinite loop, or
       possibly execute arbitrary code with the privileges of the
       Python interpreter.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2007-4965 to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2008/000012.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(119, 189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.5.4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.5.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/02/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/27");
  script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}


include("audit.inc");
include("vmware_esx_packages.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);


init_esx_check(date:"2008-02-04");
flag = 0;


if (esx_check(ver:"ESX 2.5.4", patch:"15")) flag++;

if (esx_check(ver:"ESX 2.5.5", patch:"4")) flag++;

if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1003347")) flag++;
if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1003348")) flag++;
if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1003350")) flag++;

if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1003359")) flag++;
if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1003360")) flag++;
if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1003362")) flag++;

if (
  esx_check(
    ver           : "ESX 3.5.0",
    patch         : "ESX350-200802406-SG",
    patch_updates : make_list("ESX350-200911212-UG", "ESX350-201002405-BG", "ESX350-Update01", "ESX350-Update02", "ESX350-Update03", "ESX350-Update04", "ESX350-Update05", "ESX350-Update05a")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 3.5.0",
    patch         : "ESX350-200802408-SG",
    patch_updates : make_list("ESX350-201002402-SG", "ESX350-Update01", "ESX350-Update02", "ESX350-Update03", "ESX350-Update04", "ESX350-Update05", "ESX350-Update05a")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 3.5.0",
    patch         : "ESX350-200802415-SG",
    patch_updates : make_list("ESX350-201008410-SG", "ESX350-201012408-SG", "ESX350-Update01", "ESX350-Update02", "ESX350-Update03", "ESX350-Update04", "ESX350-Update05", "ESX350-Update05a")
  )
) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");