7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.017 Low
EPSS
Percentile
87.8%
The version of rust installed on the remote host is prior to 1.56.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1816 advisory.
In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked. (CVE-2020-36323)
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls
__iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait. (CVE-2021-28876)
In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together. This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait. (CVE-2021-28878)
In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is used again.
(CVE-2021-28879)
In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics. (CVE-2021-31162)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2022-1816.
##
include('compat.inc');
if (description)
{
script_id(163234);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/17");
script_cve_id(
"CVE-2020-36323",
"CVE-2021-28876",
"CVE-2021-28878",
"CVE-2021-28879",
"CVE-2021-31162"
);
script_name(english:"Amazon Linux 2 : rust (ALAS-2022-1816)");
script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The version of rust installed on the remote host is prior to 1.56.1-1. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2022-1816 advisory.
- In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause
uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its
length is checked. (CVE-2020-36323)
- In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls
__iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in
certain conditions). This bug could lead to a memory safety violation due to an unmet safety requirement
for the TrustedRandomAccess trait. (CVE-2021-28876)
- In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked()
more than once for the same index (under certain conditions) when next_back() and next() are used
together. This bug could lead to a memory safety violation due to an unmet safety requirement for the
TrustedRandomAccess trait. (CVE-2021-28878)
- In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to
an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is used again.
(CVE-2021-28879)
- In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if
freeing the element panics. (CVE-2021-31162)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2022-1816.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-36323.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-28876.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-28878.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-28879.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-31162.html");
script_set_attribute(attribute:"solution", value:
"Run 'yum update rust' to update your system.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-31162");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/04/11");
script_set_attribute(attribute:"patch_publication_date", value:"2022/07/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/07/15");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:cargo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:cargo-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:clippy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rls");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-analysis");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-debugger-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-gdb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-src");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-std-static");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rustfmt");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Amazon Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
var os_ver = os_ver[1];
if (os_ver != "2")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var pkgs = [
{'reference':'cargo-1.56.1-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cargo-1.56.1-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cargo-doc-1.56.1-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'clippy-1.56.1-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'clippy-1.56.1-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rls-1.56.1-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rls-1.56.1-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-1.56.1-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-1.56.1-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-analysis-1.56.1-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-analysis-1.56.1-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-debugger-common-1.56.1-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-debuginfo-1.56.1-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-debuginfo-1.56.1-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-doc-1.56.1-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-doc-1.56.1-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-gdb-1.56.1-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-src-1.56.1-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-std-static-1.56.1-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-std-static-1.56.1-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rustfmt-1.56.1-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rustfmt-1.56.1-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var release = NULL;
var sp = NULL;
var cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {
if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cargo / cargo-doc / clippy / etc");
}
Vendor | Product | Version | CPE |
---|---|---|---|
amazon | linux | cargo | p-cpe:/a:amazon:linux:cargo |
amazon | linux | cargo-doc | p-cpe:/a:amazon:linux:cargo-doc |
amazon | linux | clippy | p-cpe:/a:amazon:linux:clippy |
amazon | linux | rls | p-cpe:/a:amazon:linux:rls |
amazon | linux | rust | p-cpe:/a:amazon:linux:rust |
amazon | linux | rust-analysis | p-cpe:/a:amazon:linux:rust-analysis |
amazon | linux | rust-debugger-common | p-cpe:/a:amazon:linux:rust-debugger-common |
amazon | linux | rust-debuginfo | p-cpe:/a:amazon:linux:rust-debuginfo |
amazon | linux | rust-doc | p-cpe:/a:amazon:linux:rust-doc |
amazon | linux | rust-gdb | p-cpe:/a:amazon:linux:rust-gdb |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36323
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28876
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28878
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28879
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31162
alas.aws.amazon.com/AL2/ALAS-2022-1816.html
alas.aws.amazon.com/cve/html/CVE-2020-36323.html
alas.aws.amazon.com/cve/html/CVE-2021-28876.html
alas.aws.amazon.com/cve/html/CVE-2021-28878.html
alas.aws.amazon.com/cve/html/CVE-2021-28879.html
alas.aws.amazon.com/cve/html/CVE-2021-31162.html
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.017 Low
EPSS
Percentile
87.8%