3.3 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:P/A:P
7.3 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
0.001 Low
EPSS
Percentile
38.0%
The version of rust installed on the remote host is prior to 1.61.0-2. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2022-1817 advisory.
std::fs::remove_dir_all
standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn’t otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don’t have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions. (CVE-2022-21658)Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2022-1817.
##
include('compat.inc');
if (description)
{
script_id(163238);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/17");
script_cve_id("CVE-2022-21658");
script_name(english:"Amazon Linux 2 : rust (ALAS-2022-1817)");
script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The version of rust installed on the remote host is prior to 1.61.0-2. It is, therefore, affected by a vulnerability as
referenced in the ALAS2-2022-1817 advisory.
- Rust is a multi-paradigm, general-purpose programming language designed for performance and safety,
especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all`
standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker
could use this security issue to trick a privileged program into deleting files and directories the
attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this
vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs
to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before
version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible,
especially people developing programs expected to run in privileged contexts (including system daemons and
setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in
your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be
vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended
outside of race conditions. (CVE-2022-21658)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2022-1817.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-21658.html");
script_set_attribute(attribute:"solution", value:
"Run 'yum update rust' to update your system.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-21658");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/01/20");
script_set_attribute(attribute:"patch_publication_date", value:"2022/07/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/07/15");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:cargo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:cargo-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:clippy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rls");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-analysis");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-debugger-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-gdb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-src");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rust-std-static");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rustfmt");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Amazon Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
var os_ver = os_ver[1];
if (os_ver != "2")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var pkgs = [
{'reference':'cargo-1.61.0-2.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cargo-1.61.0-2.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cargo-doc-1.61.0-2.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'clippy-1.61.0-2.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'clippy-1.61.0-2.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rls-1.61.0-2.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rls-1.61.0-2.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-1.61.0-2.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-1.61.0-2.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-analysis-1.61.0-2.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-analysis-1.61.0-2.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-debugger-common-1.61.0-2.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-debuginfo-1.61.0-2.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-debuginfo-1.61.0-2.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-doc-1.61.0-2.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-doc-1.61.0-2.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-gdb-1.61.0-2.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-src-1.61.0-2.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-std-static-1.61.0-2.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-std-static-1.61.0-2.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rustfmt-1.61.0-2.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rustfmt-1.61.0-2.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var release = NULL;
var sp = NULL;
var cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {
if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_NOTE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cargo / cargo-doc / clippy / etc");
}
Vendor | Product | Version | CPE |
---|---|---|---|
amazon | linux | cargo | p-cpe:/a:amazon:linux:cargo |
amazon | linux | cargo-doc | p-cpe:/a:amazon:linux:cargo-doc |
amazon | linux | clippy | p-cpe:/a:amazon:linux:clippy |
amazon | linux | rls | p-cpe:/a:amazon:linux:rls |
amazon | linux | rust | p-cpe:/a:amazon:linux:rust |
amazon | linux | rust-analysis | p-cpe:/a:amazon:linux:rust-analysis |
amazon | linux | rust-debugger-common | p-cpe:/a:amazon:linux:rust-debugger-common |
amazon | linux | rust-debuginfo | p-cpe:/a:amazon:linux:rust-debuginfo |
amazon | linux | rust-doc | p-cpe:/a:amazon:linux:rust-doc |
amazon | linux | rust-gdb | p-cpe:/a:amazon:linux:rust-gdb |
3.3 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:P/A:P
7.3 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
0.001 Low
EPSS
Percentile
38.0%