[oss-security] 20180517 Qualys Security Advisory - Procps-ng Audit Report

104214

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1123

[debian-lts-announce] 20180531 [SECURITY] [DLA 1390-1] procps security update

GLSA-201805-14

USN-3658-1

USN-3658-3

DSA-4208

44806

https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

This update for procps fixes the following security issues :

  - CVE-2018-1122: Prevent local privilege escalation in     top. If a user ran top with HOME unset in an     attacker-controlled directory, the attacker could have     achieved privilege escalation by exploiting one of     several vulnerabilities in the config_file() function     (bsc#1092100).

  - CVE-2018-1123: Prevent denial of service in ps via mmap     buffer overflow. Inbuilt protection in ps maped a guard     page at the end of the overflowed buffer, ensuring that     the impact of this flaw is limited to a crash (temporary     denial of service) (bsc#1092100).

  - CVE-2018-1124: Prevent multiple integer overflows     leading to a heap corruption in file2strvec function.
    This allowed a privilege escalation for a local attacker     who can create entries in procfs by starting processes,     which could result in crashes or arbitrary code     execution in proc utilities run by other users     (bsc#1092100).

  - CVE-2018-1125: Prevent stack-based buffer overflow in     pgrep. This vulnerability was mitigated by FORTIFY     limiting the impact to a crash (bsc#1092100).

  - CVE-2018-1126: Ensure correct integer size in     proc/alloc.* to prevent truncation/integer overflow     issues (bsc#1092100).

(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)

Also the following non-security issue was fixed :

  - Fix CPU summary showing old data. (bsc#1121753)

This update was imported from the SUSE:SLE-12:Update update project.

This update for procps fixes the following security issues :

CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).

CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).

CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).

CVE-2018-1125: Prevent stack-based buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).

CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)

Also 

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the procps package has been released.

This update for procps fixes the following security issues :

CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).

CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).

CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).

CVE-2018-1125: Prevent stack-based buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).

CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the procps-ng package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - If the HOME environment variable is unset or empty, top     will read its configuration file from the current     working directory without any security check. If a user     runs top with HOME unset in an attacker-controlled     directory, the attacker could achieve privilege     escalation by exploiting one of several vulnerabilities     in the config_file() function.(CVE-2018-1122)

  - Due to incorrect accounting when decoding and escaping     Unicode data in procfs, ps is vulnerable to overflowing     an mmap()ed region when formatting the process list for     display. Since ps maps a guard page at the end of the     buffer, impact is limited to a crash.(CVE-2018-1123)

  - If an argument longer than INT_MAX bytes is given to     pgrep, 'int bytes' could wrap around back to a large     positive int (rather than approaching zero), leading to     a stack buffer overflow via strncat().(CVE-2018-1125)

  - procps-ng, procps: Integer overflows leading to heap     overflow in file2strvec (CVE-2018-1124)

  - procps-ng, procps: incorrect integer size in     proc/alloc.* leading to truncation / integer overflow     issues (CVE-2018-1126)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the procps-ng package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - If the HOME environment variable is unset or empty, top     will read its configuration file from the current     working directory without any security check. If a user     runs top with HOME unset in an attacker-controlled     directory, the attacker could achieve privilege     escalation by exploiting one of several vulnerabilities     in the config_file() function.(CVE-2018-1122)

  - Due to incorrect accounting when decoding and escaping     Unicode data in procfs, ps is vulnerable to overflowing     an mmap()ed region when formatting the process list for     display. Since ps maps a guard page at the end of the     buffer, impact is limited to a crash.(CVE-2018-1123)

  - If an argument longer than INT_MAX bytes is given to     pgrep, 'int bytes' could wrap around back to a large     positive int (rather than approaching zero), leading to     a stack buffer overflow via strncat().(CVE-2018-1125)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of 'procps-ng', 'openssl', 'perl' packages of Photon OS has been released.

According to the versions of the procps-ng package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - If the HOME environment variable is unset or empty, top     will read its configuration file from the current     working directory without any security check. If a user     runs top with HOME unset in an attacker-controlled     directory, the attacker could achieve privilege     escalation by exploiting one of several vulnerabilities     in the config_file() function.(CVE-2018-1122)

  - Due to incorrect accounting when decoding and escaping     Unicode data in procfs, ps is vulnerable to overflowing     an mmap()ed region when formatting the process list for     display. Since ps maps a guard page at the end of the     buffer, impact is limited to a crash.(CVE-2018-1123)

  - If an argument longer than INT_MAX bytes is given to     pgrep, 'int bytes' could wrap around back to a large     positive int (rather than approaching zero), leading to     a stack buffer overflow via strncat().(CVE-2018-1125)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for procps fixes the following security issues :

  - CVE-2018-1122: Prevent local privilege escalation in     top. If a user ran top with HOME unset in an     attacker-controlled directory, the attacker could have     achieved privilege escalation by exploiting one of     several vulnerabilities in the config_file() function     (bsc#1092100).

  - CVE-2018-1123: Prevent denial of service in ps via mmap     buffer overflow. Inbuilt protection in ps maped a guard     page at the end of the overflowed buffer, ensuring that     the impact of this flaw is limited to a crash (temporary     denial of service) (bsc#1092100).

  - CVE-2018-1124: Prevent multiple integer overflows     leading to a heap corruption in file2strvec function.
    This allowed a privilege escalation for a local attacker     who can create entries in procfs by starting processes,     which could result in crashes or arbitrary code     execution in proc utilities run by other users     (bsc#1092100).

  - CVE-2018-1125: Prevent stack-based buffer overflow in     pgrep. This vulnerability was mitigated by FORTIFY     limiting the impact to a crash (bsc#1092100).

  - CVE-2018-1126: Ensure correct integer size in     proc/alloc.* to prevent truncation/integer overflow     issues (bsc#1092100).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the procps-ng package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - procps-ng, procps: Integer overflows leading to heap     overflow in file2strvec (CVE-2018-1124)

  - procps-ng, procps: incorrect integer size in     proc/alloc.* leading to truncation / integer overflow     issues (CVE-2018-1126)

  - If the HOME environment variable is unset or empty, top     will read its configuration file from the current     working directory without any security check. If a user     runs top with HOME unset in an attacker-controlled     directory, the attacker could achieve privilege     escalation by exploiting one of several vulnerabilities     in the config_file() function.(CVE-2018-1122)

  - Due to incorrect accounting when decoding and escaping     Unicode data in procfs, ps is vulnerable to overflowing     an mmap()ed region when formatting the process list for     display. Since ps maps a guard page at the end of the     buffer, impact is limited to a crash.(CVE-2018-1123)

  - If an argument longer than INT_MAX bytes is given to     pgrep, 'int bytes' could wrap around back to a large     positive int (rather than approaching zero), leading to     a stack buffer overflow via strncat().(CVE-2018-1125)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for procps fixes the following security issues :

  - CVE-2018-1122: Prevent local privilege escalation in     top. If a user ran top with HOME unset in an     attacker-controlled directory, the attacker could have     achieved privilege escalation by exploiting one of     several vulnerabilities in the config_file() function     (bsc#1092100).

  - CVE-2018-1123: Prevent denial of service in ps via mmap     buffer overflow. Inbuilt protection in ps maped a guard     page at the end of the overflowed buffer, ensuring that     the impact of this flaw is limited to a crash (temporary     denial of service) (bsc#1092100).

  - CVE-2018-1124: Prevent multiple integer overflows     leading to a heap corruption in file2strvec function.
    This allowed a privilege escalation for a local attacker     who can create entries in procfs by starting processes,     which could result in crashes or arbitrary code     execution in proc utilities run by other users     (bsc#1092100).

  - CVE-2018-1125: Prevent stack-based buffer overflow in     pgrep. This vulnerability was mitigated by FORTIFY     limiting the impact to a crash (bsc#1092100).

  - CVE-2018-1126: Ensure correct integer size in     proc/alloc.* to prevent truncation/integer overflow     issues (bsc#1092100).

This update was imported from the SUSE:SLE-12:Update update project.

The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems :

CVE-2018-1122

top read its configuration from the current working directory if no $HOME was configured. If top were started from a directory writable by the attacker (such as /tmp) this could result in local privilege escalation.

CVE-2018-1123

Denial of service against the ps invocation of another user.

CVE-2018-1124

An integer overflow in the file2strvec() function of libprocps could result in local privilege escalation.

CVE-2018-1125

A stack-based buffer overflow in pgrep could result in denial of service for a user using pgrep for inspecting a specially crafted process.

CVE-2018-1126

Incorrect integer size parameters used in wrappers for standard C allocators could cause integer truncation and lead to integer overflow issues.

For Debian 7 'Wheezy', these problems have been fixed in version 1:3.3.3-3+deb7u1.

We recommend that you upgrade your procps packages.

The Debian LTS team would like to thank Abhijith PA for preparing this update.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201805-14 (procps: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in procps. Please review       the CVE identifiers referenced below for details.
  Impact :

    A local attacker could execute arbitrary code, escalate privileges, or       cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

It was discovered that the procps-ng top utility incorrectly read its configuration file from the current working directory. A local attacker could possibly use this issue to escalate privileges.
(CVE-2018-1122)

It was discovered that the procps-ng ps tool incorrectly handled memory. A local user could possibly use this issue to cause a denial of service. (CVE-2018-1123)

It was discovered that libprocps incorrectly handled the file2strvec() function. A local attacker could possibly use this to execute arbitrary code. (CVE-2018-1124)

It was discovered that the procps-ng pgrep utility incorrectly handled memory. A local attacker could possibly use this issue to cause de denial of service. (CVE-2018-1125)

It was discovered that procps-ng incorrectly handled memory. A local attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2018-1126).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2018-1122     top read its configuration from the current working     directory if no $HOME was configured. If top were     started from a directory writable by the attacker (such     as /tmp) this could result in local privilege     escalation.

  - CVE-2018-1123     Denial of service against the ps invocation of another     user.

  - CVE-2018-1124     An integer overflow in the file2strvec() function of     libprocps could result in local privilege escalation.

  - CVE-2018-1125     A stack-based buffer overflow in pgrep could result in     denial of service for a user using pgrep for inspecting     a specially crafted process.

  - CVE-2018-1126     Incorrect integer size parameters used in wrappers for     standard C allocators could cause integer truncation and     lead to integer overflow issues.

New procps-ng packages are available for Slackware 14.2 and -current to fix security issues.

ID	Name	Product	Family	Severity
122607	openSUSE Security Update : procps (openSUSE-2019-291)	Nessus	SuSE Local Security Checks	high
122361	SUSE SLED12 / SLES12 Security Update : procps (SUSE-SU-2019:0450-1)	Nessus	SuSE Local Security Checks	high
121983	Photon OS 2.0: Procps PHSA-2018-2.0-0084	Nessus	PhotonOS Local Security Checks	high
121877	Photon OS 1.0: Procps PHSA-2018-1.0-0175	Nessus	PhotonOS Local Security Checks	high
119211	SUSE SLED12 / SLES12 Security Update : procps (SUSE-SU-2018:2451-2)	Nessus	SuSE Local Security Checks	high
118428	EulerOS Virtualization 2.5.0 : procps-ng (EulerOS-SA-2018-1340)	Nessus	Huawei Local Security Checks	high
118414	EulerOS Virtualization 2.5.1 : procps-ng (EulerOS-SA-2018-1326)	Nessus	Huawei Local Security Checks	medium
112035	Photon OS 2.0: Openssl / Procps-ng / Perl PHSA-2018-2.0-0084 (deprecated)	Nessus	PhotonOS Local Security Checks	high
111650	EulerOS 2.0 SP3 : procps-ng (EulerOS-SA-2018-1230)	Nessus	Huawei Local Security Checks	medium
111264	SUSE SLES11 Security Update : procps (SUSE-SU-2018:2042-1)	Nessus	SuSE Local Security Checks	high
110862	EulerOS 2.0 SP2 : procps-ng (EulerOS-SA-2018-1198)	Nessus	Huawei Local Security Checks	high
110830	openSUSE Security Update : procps (openSUSE-2018-685)	Nessus	SuSE Local Security Checks	high
110804	SUSE SLED12 / SLES12 Security Update : procps (SUSE-SU-2018:1836-1)	Nessus	SuSE Local Security Checks	high
110312	Debian DLA-1390-1 : procps security update	Nessus	Debian Local Security Checks	high
110255	GLSA-201805-14 : procps: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
110094	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : procps vulnerabilities (USN-3658-1)	Nessus	Ubuntu Local Security Checks	high
109969	Debian DSA-4208-1 : procps - security update	Nessus	Debian Local Security Checks	high
109950	Slackware 14.2 / current : procps-ng (SSA:2018-142-03)	Nessus	Slackware Local Security Checks	high

CVE-2018-1123

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins