VMSA-2008-0003 : Moderate: Updated aacraid driver and samba and python Service Console updates

2009-07-27T00:00:00
ID VMWARE_VMSA-2008-0003.NASL
Type nessus
Reporter This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.
Modified 2009-07-27T00:00:00

Description

I Updated ESX driver

a. Updated aacraid driver

   This patch fixes a flaw in how the aacraid SCSI driver checked
   IOCTL command permissions.  This flaw might allow a local user
   on the Service Console to cause a denial of service or gain
   privileges. Thanks to Adaptec for reporting this issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2007-4308 to this issue.

II Service Console package security updates

a. Samba

   Alin Rad Pop of Secunia Research found a stack-based buffer overflow
   flaw in the way Samba authenticates remote users.  A remote
   unauthenticated user could trigger this flaw to cause the Samba
   server to crash or to execute arbitrary code with the
   permissions of the Samba server.

   Note: This vulnerability can be exploited only if the attacker
         has access to the Service Console network.  The Samba
         client is installed by default in the Service Console, but
         the Samba server is not.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2007-6015 to this issue.

b. Python

   Chris Evans of the Google security research team discovered an
   integer overflow issue with the way Python's Perl-Compatible
   Regular Expression (PCRE) module handled certain regular
   expressions.  If a Python application used the PCRE module to
   compile and execute untrusted regular expressions, it might be
   possible to cause the application to crash, or to execute
   arbitrary code with the privileges of the Python interpreter.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2006-7228 to this issue.

   Piotr Engelking discovered a flaw in Python's locale module
   where strings generated by the strxfrm() function were not
   properly NUL-terminated.  This might result in disclosure of
   data stored in the memory of a Python application using the
   strxfrm() function.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2007-2052 to this issue.

   Slythers Bro reported multiple integer overflow flaws in
   Python's imageop module.  These could allow an attacker to cause
   a Python application to crash, enter an infinite loop, or
   possibly execute arbitrary code with the privileges of the
   Python interpreter.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2007-4965 to this issue.

                                        
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from VMware Security Advisory 2008-0003. 
# The text itself is copyright (C) VMware Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration.  Nothing in this block runs a check: it only describes
# the plugin (ids, CVEs, text, CVSS, affected CPEs, dependencies) to the
# scanner.  The actual patch check starts after the includes below.
if (description)
{
  script_id(40374);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  # CVEs covered by VMSA-2008-0003: aacraid IOCTL permission check (2007-4308),
  # Samba authentication overflow (2007-6015) and the three Python issues
  # (PCRE 2006-7228, locale/strxfrm 2007-2052, imageop 2007-4965).
  script_cve_id("CVE-2006-7228", "CVE-2007-2052", "CVE-2007-4308", "CVE-2007-4965", "CVE-2007-6015");
  script_bugtraq_id(23887, 25216, 25696, 26462, 26727, 26791);
  script_xref(name:"VMSA", value:"2008-0003");

  script_name(english:"VMSA-2008-0003 : Moderate: Updated aacraid driver and samba and python Service Console updates");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote VMware ESX host is missing one or more security-related
patches."
  );
  # Description text is reproduced from the VMware advisory verbatim.
  script_set_attribute(
    attribute:"description", 
    value:
"I  Updated ESX driver

    a. Updated aacraid driver

       This patch fixes a flaw in how the aacraid SCSI driver checked
       IOCTL command permissions.  This flaw might allow a local user
       on the Service Console to cause a denial of service or gain
       privileges. Thanks to Adaptec for reporting this issue.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2007-4308 to this issue.

II  Service Console package security updates

    a. Samba

       Alin Rad Pop of Secunia Research found a stack-based buffer overflow
       flaw in the way Samba authenticates remote users.  A remote
       unauthenticated user could trigger this flaw to cause the Samba
       server to crash or to execute arbitrary code with the
       permissions of the Samba server.

       Note: This vulnerability can be exploited only if the attacker
             has access to the Service Console network.  The Samba
             client is installed by default in the Service Console, but
             the Samba server is not.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2007-6015 to this issue.

    b. Python

       Chris Evans of the Google security research team discovered an
       integer overflow issue with the way Python's Perl-Compatible
       Regular Expression (PCRE) module handled certain regular
       expressions.  If a Python application used the PCRE module to
       compile and execute untrusted regular expressions, it might be
       possible to cause the application to crash, or to execute
       arbitrary code with the privileges of the Python interpreter.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2006-7228 to this issue.

       Piotr Engelking discovered a flaw in Python's locale module
       where strings generated by the strxfrm() function were not
       properly NUL-terminated.  This might result in disclosure of
       data stored in the memory of a Python application using the
       strxfrm() function.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2007-2052 to this issue.

       Slythers Bro reported multiple integer overflow flaws in
       Python's imageop module.  These could allow an attacker to cause
       a Python application to crash, enter an infinite loop, or
       possibly execute arbitrary code with the privileges of the
       Python interpreter.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2007-4965 to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2008/000012.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  # NOTE(review): AV:N presumably reflects the Samba server issue; the aacraid
  # flaw is local-only and the Samba server is not installed by default per
  # the description above, so per-host exposure may be lower than the vector.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(119, 189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  # Affected ESX releases; each one has matching esx_check() calls below.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.5.4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.5.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/02/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/27");
  script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.");
  script_family(english:"VMware ESX Local Security Checks");

  # Requires SSH-collected local info and either an esxupdate or an esxcli
  # VIB listing; the same KB keys are re-checked at runtime below.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}


include("audit.inc");
include("vmware_esx_packages.inc");


# Preconditions: local checks must be enabled, the target must be an ESX/ESXi
# host, and at least one package listing (esxcli VIBs or esxupdate) must have
# been collected.  Each audit() call reports the reason and stops the plugin.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");

# Short-circuit: esxupdate is only consulted when the VIB listing is absent.
has_pkg_list =
  get_kb_item("Host/VMware/esxcli_software_vibs") ||
  get_kb_item("Host/VMware/esxupdate");
if (!has_pkg_list) audit(AUDIT_PACKAGE_LIST_MISSING);


# Count every missing patch into 'flag'; the report block below reads it.
init_esx_check(date:"2008-02-04");
flag = 0;

# Per-release patches checked on their own (no patch_updates list).  The two
# lists are index-aligned and kept in advisory order so esx_check() runs, and
# the report is built, in the same order as before.
plain_vers = make_list(
  "ESX 2.5.4",
  "ESX 2.5.5",
  "ESX 3.0.1", "ESX 3.0.1", "ESX 3.0.1",
  "ESX 3.0.2", "ESX 3.0.2", "ESX 3.0.2"
);
plain_patches = make_list(
  "15",
  "4",
  "ESX-1003347", "ESX-1003348", "ESX-1003350",
  "ESX-1003359", "ESX-1003360", "ESX-1003362"
);
for (i = 0; i < max_index(plain_patches); i++)
{
  if (esx_check(ver:plain_vers[i], patch:plain_patches[i])) flag++;
}

# ESX 3.5.0 patches: the cumulative Update releases supersede all three, so
# they are shared; each patch adds its own superseding bulletins in front.
esx35_updates = make_list(
  "ESX350-Update01", "ESX350-Update02", "ESX350-Update03",
  "ESX350-Update04", "ESX350-Update05", "ESX350-Update05a"
);

if (
  esx_check(
    ver           : "ESX 3.5.0",
    patch         : "ESX350-200802406-SG",
    patch_updates : make_list("ESX350-200911212-UG", "ESX350-201002405-BG", esx35_updates)
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 3.5.0",
    patch         : "ESX350-200802408-SG",
    patch_updates : make_list("ESX350-201002402-SG", esx35_updates)
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 3.5.0",
    patch         : "ESX350-200802415-SG",
    patch_updates : make_list("ESX350-201008410-SG", "ESX350-201012408-SG", esx35_updates)
  )
) flag++;


# No missing patch found: hand the "not affected" verdict to audit().
# Otherwise raise the finding, attaching the per-patch detail only when the
# scan asked for a verbose report.
if (!flag) audit(AUDIT_HOST_NOT, "affected");
else
{
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}