EulerOS Virtualization 2.5.0 : glibc (EulerOS-SA-2018-1344)

High Nessus Plugin ID 118432

Synopsis

The remote EulerOS Virtualization host is missing multiple security updates.

Description

According to the versions of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

- The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.(CVE-2014-9402)

- A stack overflow vulnerability was found in
_nss_dns_getnetbyname_r.On systems with nsswitch configured to include 'networks: dns' with a privileged or network-facing service that would attempt to resolve user-provided network names, an attacker could provide an excessively long network name, resulting in stack corruption and code execution.(CVE-2016-3075)

- stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.(CVE-2018-11236)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected glibc packages.

See Also

http://www.nessus.org/u?5c190a3e

Plugin Details

Severity: High

ID: 118432

File Name: EulerOS_SA-2018-1344.nasl

Version: 1.2

Type: local

Published: 2018/10/26

Modified: 2018/11/13

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:glibc, p-cpe:/a:huawei:euleros:glibc-common, p-cpe:/a:huawei:euleros:glibc-devel, p-cpe:/a:huawei:euleros:glibc-headers, p-cpe:/a:huawei:euleros:nscd, cpe:/o:huawei:euleros:uvp:2.5.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/uvp_version

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2018/10/15

Reference Information

CVE: CVE-2014-9402, CVE-2016-3075, CVE-2018-11236

BID: 71670