Lucene search

K

Huawei EulerOS: Security Advisory for libvpx (EulerOS-SA-2021-1814)

๐Ÿ—“๏ธย 03 May 2021ย 00:00:00Reported byย Copyright (C) 2021 Greenbone AGTypeย 
openvas
ย openvas
๐Ÿ”—ย plugins.openvas.org๐Ÿ‘ย 13ย Views

The Huawei EulerOS 'libvpx' package is missing an update to fix multiple vulnerabilities, leading to denial of service, information disclosure, and potential sensitive memory contents disclosure

Show more
Related
Refs
Code
# SPDX-FileCopyrightText: 2021 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.1.2.2021.1814");
  script_cve_id("CVE-2017-0393", "CVE-2018-9349", "CVE-2019-9433");
  script_tag(name:"creation_date", value:"2021-05-03 06:22:09 +0000 (Mon, 03 May 2021)");
  script_version("2024-02-05T14:36:56+0000");
  script_tag(name:"last_modification", value:"2024-02-05 14:36:56 +0000 (Mon, 05 Feb 2024)");
  script_tag(name:"cvss_base", value:"7.1");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2019-09-30 14:48:14 +0000 (Mon, 30 Sep 2019)");

  script_name("Huawei EulerOS: Security Advisory for libvpx (EulerOS-SA-2021-1814)");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2021 Greenbone AG");
  script_family("Huawei EulerOS Local Security Checks");
  script_dependencies("gb_huawei_euleros_consolidation.nasl");
  script_mandatory_keys("ssh/login/euleros", "ssh/login/rpms", re:"ssh/login/release=EULEROS\-2\.0SP3");

  script_xref(name:"Advisory-ID", value:"EulerOS-SA-2021-1814");
  script_xref(name:"URL", value:"https://developer.huaweicloud.com/intl/en-us/euleros/securitydetail.html?secId=EulerOS-SA-2021-1814");

  script_tag(name:"summary", value:"The remote host is missing an update for the Huawei EulerOS 'libvpx' package(s) announced via the EulerOS-SA-2021-1814 advisory.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");

  script_tag(name:"insight", value:"A denial of service vulnerability in libvpx in Mediaserver could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1. Android ID: A-30436808.(CVE-2017-0393)

In libvpx, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-80479354(CVE-2019-9433)

libvpx contains an out-of-bounds read flaw in the vp8_mv_bit_cost() and mv_err_cost() functions in vp8/encoder/mcomp.c that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose sensitive memory contents.(CVE-2018-9349)");

  script_tag(name:"affected", value:"'libvpx' package(s) on Huawei EulerOS V2.0SP3.");

  script_tag(name:"solution", value:"Please install the updated package(s).");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

if(release == "EULEROS-2.0SP3") {

  if(!isnull(res = isrpmvuln(pkg:"libvpx", rpm:"libvpx~1.3.0~5.h4", rls:"EULEROS-2.0SP3"))) {
    report += res;
  }

  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    exit(99);
  }
  exit(0);
}

exit(0);

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contactย us for a demo andย discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
03 May 2021 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS24.3
CVSS36.5
EPSS0.034
SSVC
13
.json
Report