Lucene search
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.AL2023_ALAS2023-2024-539.NASLHistoryMar 06, 2024 - 12:00 a.m.
Amazon Linux 2023 : composer (ALAS2023-2024-539)
2024-03-0600:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
8
amazon linux 2023
composer
php dependency
arbitrary code execution
local privilege escalation
vulnerability
patch
root privilege escalation
cve-2024-24821
CVSS3
8.8
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
AI Score
7.8
Confidence
Low
EPSS
0
Percentile
9.0%
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-539 advisory.
- Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user.
As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar’s self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents ofvendor/composer/InstalledVersions.phpandvendor/composer/installed.phpdo not include untrusted code.
A reset can also be done on these files by the following:sh rm vendor/composer/installed.php vendor/composer/InstalledVersions.php composer install --no-scripts --no-plugins(CVE-2024-24821)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2023 Security Advisory ALAS2023-2024-539.
##
include('compat.inc');
if (description)
{
script_id(191593);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/06");
script_cve_id("CVE-2024-24821");
script_name(english:"Amazon Linux 2023 : composer (ALAS2023-2024-539)");
script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2023 host is missing a security update.");
script_set_attribute(attribute:"description", value:
"It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-539 advisory.
- Composer is a dependency Manager for the PHP language. In affected versions several files within the local
working directory are included during the invocation of Composer and in the context of the executing user.
As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide
lateral user movement or malicious code execution when Composer is invoked within a directory with
tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The
following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer
on untrusted projects, Shared environments with developers who run Composer individually on the same
project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the
patched versions are applied at the earliest convenience. Where not possible, the following should be
addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and
avoid running Composer within an untrusted directory, or if needed, verify that the contents of
`vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code.
A reset can also be done on these files by the following:```sh rm vendor/composer/installed.php
vendor/composer/InstalledVersions.php composer install --no-scripts --no-plugins ``` (CVE-2024-24821)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2023/ALAS-2024-539.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2024-24821.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
script_set_attribute(attribute:"solution", value:
"Run 'dnf update composer --releasever 2023.3.20240304' to update your system.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-24821");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/08");
script_set_attribute(attribute:"patch_publication_date", value:"2024/02/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/06");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:composer");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2023");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Amazon Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "-2023")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux 2023", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var pkgs = [
{'reference':'composer-2.5.8-2.amzn2023.0.2', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "composer");
}Related
prion
prion
Design/Logic Flaw
2024-02-09 00:15:00
cvelist
cvelist
github
github
cve
cve
CVE-2024-24821
2024-02-09 00:15:08
osv
osv
composer - security update
2024-02-26 00:00:00
CVE-2024-24821
2024-02-09 00:15:08
php-composer2-2.7.1-1.1 on GA media
2024-06-15 00:00:00
openvas
openvas
openSUSE: Security Advisory for php (SUSE-SU-2024:0592-1)
2024-03-04 00:00:00
Debian: Security Advisory (DSA-5632-1)
2024-02-27 00:00:00
SUSE: Security Advisory (SUSE-SU-2024:0592-1)
2024-02-23 00:00:00
alpinelinux
alpinelinux
CVE-2024-24821
2024-02-09 00:15:08
debian
debian
[SECURITY] [DSA 5632-1] composer security update
2024-03-15 09:05:51
redos
redos
ROS-20240329-03
2024-03-29 00:00:00
nessus
nessus
debiancve
debiancve
CVE-2024-24821
2024-02-09 00:15:08
veracode
veracode
Arbitrary Code Execution
2024-02-09 06:59:58
ubuntucve
ubuntucve
CVE-2024-24821
2024-02-09 00:00:00
nvd
nvd
CVE-2024-24821
2024-02-09 00:15:08
freebsd
freebsd
Composer -- Code execution and possible privilege escalation
2024-02-08 00:00:00
CVSS3
8.8
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
AI Score
7.8
Confidence
Low
EPSS
0
Percentile
9.0%
Related for AL2023_ALAS2023-2024-539.NASL