Debian DLA-1564-1 : mono security update

medium Nessus Plugin ID 118597

Synopsis

The remote Debian host is missing a security update.

Description

It was found that Mono’s string-to-double parser may crash, on specially crafted input. This could lead to arbitrary code execution.

CVE-2018-1002208: Mono embeds the sharplibzip library which is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

The Mono developers intend to entirely remove sharplibzip from the sources and do not plan to fix this issue. It is therefore recommended to fetch the latest sharplibzip version by using the nuget package manager instead. The embedded version should not be used with untrusted zip files.

For Debian 8 'Jessie', this problem has been fixed in version 3.2.8+dfsg-10+deb8u1.

We recommend that you upgrade your mono packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2018/11/msg00001.html

https://packages.debian.org/source/jessie/mono

Plugin Details

Severity: Medium

ID: 118597

File Name: debian_DLA-1564.nasl

Version: 1.3

Type: local

Agent: unix

Published: 11/2/2018

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libmono-2.0-1, p-cpe:/a:debian:debian_linux:libmono-2.0-dev, p-cpe:/a:debian:debian_linux:libmono-accessibility2.0-cil, p-cpe:/a:debian:debian_linux:libmono-accessibility4.0-cil, p-cpe:/a:debian:debian_linux:libmono-c5-1.1-cil, p-cpe:/a:debian:debian_linux:libmono-cairo2.0-cil, p-cpe:/a:debian:debian_linux:libmono-cairo4.0-cil, p-cpe:/a:debian:debian_linux:libmono-cecil-private-cil, p-cpe:/a:debian:debian_linux:libmono-cil-dev, p-cpe:/a:debian:debian_linux:libmono-codecontracts4.0-cil, p-cpe:/a:debian:debian_linux:libmono-compilerservices-symbolwriter4.0-cil, p-cpe:/a:debian:debian_linux:libmono-corlib2.0-cil, p-cpe:/a:debian:debian_linux:libmono-corlib4.0-cil, p-cpe:/a:debian:debian_linux:libmono-corlib4.5-cil, p-cpe:/a:debian:debian_linux:libmono-cscompmgd8.0-cil, p-cpe:/a:debian:debian_linux:libmono-csharp4.0c-cil, p-cpe:/a:debian:debian_linux:libmono-custommarshalers4.0-cil, p-cpe:/a:debian:debian_linux:libmono-data-tds2.0-cil, p-cpe:/a:debian:debian_linux:libmono-data-tds4.0-cil, p-cpe:/a:debian:debian_linux:libmono-db2-1.0-cil, p-cpe:/a:debian:debian_linux:libmono-messaging4.0-cil, p-cpe:/a:debian:debian_linux:libmono-microsoft-build-engine4.0-cil, p-cpe:/a:debian:debian_linux:libmono-microsoft-build-framework4.0-cil, p-cpe:/a:debian:debian_linux:libmono-microsoft-build-tasks-v4.0-4.0-cil, p-cpe:/a:debian:debian_linux:libmono-microsoft-build-utilities-v4.0-4.0-cil, p-cpe:/a:debian:debian_linux:libmono-microsoft-build2.0-cil, p-cpe:/a:debian:debian_linux:libmono-microsoft-build4.0-cil, p-cpe:/a:debian:debian_linux:libmono-microsoft-csharp4.0-cil, p-cpe:/a:debian:debian_linux:libmono-microsoft-visualc10.0-cil, p-cpe:/a:debian:debian_linux:libmono-microsoft-web-infrastructure1.0-cil, p-cpe:/a:debian:debian_linux:libmono-microsoft8.0-cil, p-cpe:/a:debian:debian_linux:libmono-npgsql2.0-cil, p-cpe:/a:debian:debian_linux:libmono-npgsql4.0-cil, p-cpe:/a:debian:debian_linux:libmono-opensystem-c4.0-cil, p-cpe:/a:debian:debian_linux:libmono-oracle2.0-cil, p-cpe:/a:debian:debian_linux:libmono-oracle4.0-cil, p-cpe:/a:debian:debian_linux:libmono-parallel4.0-cil, p-cpe:/a:debian:debian_linux:libmono-peapi2.0a-cil, p-cpe:/a:debian:debian_linux:libmono-peapi4.0a-cil, p-cpe:/a:debian:debian_linux:libmono-posix2.0-cil, p-cpe:/a:debian:debian_linux:libmono-posix4.0-cil, p-cpe:/a:debian:debian_linux:libmono-profiler, p-cpe:/a:debian:debian_linux:libmono-rabbitmq2.0-cil, p-cpe:/a:debian:debian_linux:libmono-rabbitmq4.0-cil, p-cpe:/a:debian:debian_linux:libmono-relaxng2.0-cil, p-cpe:/a:debian:debian_linux:libmono-relaxng4.0-cil, p-cpe:/a:debian:debian_linux:libmono-security2.0-cil, p-cpe:/a:debian:debian_linux:libmono-security4.0-cil, p-cpe:/a:debian:debian_linux:libmono-sharpzip2.6-cil, p-cpe:/a:debian:debian_linux:libmono-sharpzip2.84-cil, p-cpe:/a:debian:debian_linux:libmono-sharpzip4.84-cil, p-cpe:/a:debian:debian_linux:libmono-simd2.0-cil, p-cpe:/a:debian:debian_linux:libmono-simd4.0-cil, p-cpe:/a:debian:debian_linux:libmono-sqlite2.0-cil, p-cpe:/a:debian:debian_linux:libmono-sqlite4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-componentmodel-composition4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-componentmodel-dataannotations4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-configuration-install4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-configuration4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-core4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-data-datasetextensions4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-data-linq2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-data-linq4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-data-services-client4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-data-services2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-data-services4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-data2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-data4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-design4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-drawing-design4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-drawing4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-dynamic4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-enterpriseservices4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-identitymodel-selectors4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-identitymodel4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-io-compression-filesystem4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-io-compression4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-json-microsoft4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-json2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-json4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-ldap-protocols4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-ldap2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-ldap4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-management4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-messaging2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-messaging4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-net-http-formatting4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-net-http-webrequest4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-net-http4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-net2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-net4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-numerics4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-reactive-core2.2-cil, p-cpe:/a:debian:debian_linux:libmono-system-reactive-debugger2.2-cil, p-cpe:/a:debian:debian_linux:libmono-system-reactive-experimental2.2-cil, p-cpe:/a:debian:debian_linux:libmono-system-reactive-interfaces2.2-cil, p-cpe:/a:debian:debian_linux:libmono-system-reactive-linq2.2-cil, p-cpe:/a:debian:debian_linux:libmono-system-reactive-observable-aliases0.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-reactive-platformservices2.2-cil, p-cpe:/a:debian:debian_linux:libmono-system-reactive-providers2.2-cil, p-cpe:/a:debian:debian_linux:libmono-system-reactive-runtime-remoting2.2-cil, p-cpe:/a:debian:debian_linux:libmono-system-reactive-windows-forms2.2-cil, p-cpe:/a:debian:debian_linux:libmono-system-reactive-windows-threading2.2-cil, p-cpe:/a:debian:debian_linux:libmono-system-runtime-caching4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-runtime-durableinstancing4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-runtime-serialization-formatters-soap4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-runtime-serialization4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-runtime2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-runtime4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-security4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-servicemodel-activation4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-servicemodel-discovery4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-servicemodel-routing4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-servicemodel-web4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-servicemodel4.0a-cil, p-cpe:/a:debian:debian_linux:libmono-system-serviceprocess4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-threading-tasks-dataflow4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-transactions4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-abstractions4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-applicationservices4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-dynamicdata4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-extensions-design4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-extensions4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-http-selfhost4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-http-webhost4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-http4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-mvc1.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-mvc2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-mvc3.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-razor2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-routing4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-services4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-webpages-deployment2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-webpages-razor2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web-webpages2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-web4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-windows-forms-datavisualization4.0a-cil, p-cpe:/a:debian:debian_linux:libmono-system-windows-forms4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-windows4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-xaml4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-xml-linq4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-xml-serialization4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system-xml4.0-cil, p-cpe:/a:debian:debian_linux:libmono-system2.0-cil, p-cpe:/a:debian:debian_linux:libmono-system4.0-cil, p-cpe:/a:debian:debian_linux:libmono-tasklets2.0-cil, p-cpe:/a:debian:debian_linux:libmono-tasklets4.0-cil, p-cpe:/a:debian:debian_linux:libmono-wcf3.0a-cil, p-cpe:/a:debian:debian_linux:libmono-web4.0-cil, p-cpe:/a:debian:debian_linux:libmono-webbrowser2.0-cil, p-cpe:/a:debian:debian_linux:libmono-webbrowser4.0-cil, p-cpe:/a:debian:debian_linux:libmono-webmatrix-data4.0-cil, p-cpe:/a:debian:debian_linux:libmono-windowsbase3.0-cil, p-cpe:/a:debian:debian_linux:libmono-windowsbase4.0-cil, p-cpe:/a:debian:debian_linux:libmono-winforms2.0-cil, p-cpe:/a:debian:debian_linux:libmono-xbuild-tasks2.0-cil, p-cpe:/a:debian:debian_linux:libmono-xbuild-tasks4.0-cil, p-cpe:/a:debian:debian_linux:libmono2.0-cil, p-cpe:/a:debian:debian_linux:libmonoboehm-2.0-1, p-cpe:/a:debian:debian_linux:libmonoboehm-2.0-1-dbg, p-cpe:/a:debian:debian_linux:libmonoboehm-2.0-dev, p-cpe:/a:debian:debian_linux:libmonosgen-2.0-1, p-cpe:/a:debian:debian_linux:libmonosgen-2.0-1-dbg, p-cpe:/a:debian:debian_linux:libmonosgen-2.0-dev, p-cpe:/a:debian:debian_linux:mono-2.0-gac, p-cpe:/a:debian:debian_linux:mono-2.0-service, p-cpe:/a:debian:debian_linux:mono-4.0-gac, p-cpe:/a:debian:debian_linux:mono-4.0-service, p-cpe:/a:debian:debian_linux:mono-complete, p-cpe:/a:debian:debian_linux:mono-csharp-shell, p-cpe:/a:debian:debian_linux:mono-dbg, p-cpe:/a:debian:debian_linux:mono-devel, p-cpe:/a:debian:debian_linux:mono-dmcs, p-cpe:/a:debian:debian_linux:mono-gac, p-cpe:/a:debian:debian_linux:mono-gmcs, p-cpe:/a:debian:debian_linux:mono-jay, p-cpe:/a:debian:debian_linux:mono-mcs, p-cpe:/a:debian:debian_linux:mono-runtime, p-cpe:/a:debian:debian_linux:mono-runtime-boehm, p-cpe:/a:debian:debian_linux:mono-runtime-common, p-cpe:/a:debian:debian_linux:mono-runtime-dbg, p-cpe:/a:debian:debian_linux:mono-runtime-sgen, p-cpe:/a:debian:debian_linux:mono-utils, p-cpe:/a:debian:debian_linux:mono-xbuild, p-cpe:/a:debian:debian_linux:monodoc-base, p-cpe:/a:debian:debian_linux:monodoc-manual, cpe:/o:debian:debian_linux:8.0, p-cpe:/a:debian:debian_linux:libmono-debugger-soft2.0a-cil, p-cpe:/a:debian:debian_linux:libmono-debugger-soft4.0a-cil, p-cpe:/a:debian:debian_linux:libmono-entityframework-sqlserver6.0-cil, p-cpe:/a:debian:debian_linux:libmono-entityframework6.0-cil, p-cpe:/a:debian:debian_linux:libmono-http4.0-cil, p-cpe:/a:debian:debian_linux:libmono-i18n-cjk4.0-cil, p-cpe:/a:debian:debian_linux:libmono-i18n-mideast4.0-cil, p-cpe:/a:debian:debian_linux:libmono-i18n-other4.0-cil, p-cpe:/a:debian:debian_linux:libmono-i18n-rare4.0-cil, p-cpe:/a:debian:debian_linux:libmono-i18n-west2.0-cil, p-cpe:/a:debian:debian_linux:libmono-i18n-west4.0-cil, p-cpe:/a:debian:debian_linux:libmono-i18n2.0-cil, p-cpe:/a:debian:debian_linux:libmono-i18n4.0-all, p-cpe:/a:debian:debian_linux:libmono-i18n4.0-cil, p-cpe:/a:debian:debian_linux:libmono-ldap2.0-cil, p-cpe:/a:debian:debian_linux:libmono-ldap4.0-cil, p-cpe:/a:debian:debian_linux:libmono-management2.0-cil, p-cpe:/a:debian:debian_linux:libmono-management4.0-cil, p-cpe:/a:debian:debian_linux:libmono-messaging-rabbitmq2.0-cil, p-cpe:/a:debian:debian_linux:libmono-messaging-rabbitmq4.0-cil, p-cpe:/a:debian:debian_linux:libmono-messaging2.0-cil

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 11/1/2018

Reference Information

CVE: CVE-2009-0689

BID: 35510, 36565, 36851, 37078, 37080, 37687, 37688

CWE: 119