Lucene search
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DLA-2602.NASLHistoryMar 24, 2021 - 12:00 a.m.
Debian DLA-2602-1 : imagemagick security update
2021-03-2400:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
18
7.1 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.1 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
48.4%
Multiple security vulnerabilities were found in Imagemagick. Missing or incomplete input sanitizing may lead to undefined behavior which can result in denial of service (application crash) or other unspecified impact.
For Debian 9 stretch, these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u12.
We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-2602-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include("compat.inc");
if (description)
{
script_id(148080);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/12");
script_cve_id("CVE-2020-25666", "CVE-2020-25675", "CVE-2020-25676", "CVE-2020-27754", "CVE-2020-27757", "CVE-2020-27758", "CVE-2020-27759", "CVE-2020-27761", "CVE-2020-27762", "CVE-2020-27764", "CVE-2020-27766", "CVE-2020-27767", "CVE-2020-27768", "CVE-2020-27769", "CVE-2020-27770", "CVE-2020-27771", "CVE-2020-27772", "CVE-2020-27774", "CVE-2020-27775", "CVE-2021-20176", "CVE-2021-20241", "CVE-2021-20244", "CVE-2021-20246");
script_xref(name:"IAVB", value:"2021-B-0017-S");
script_name(english:"Debian DLA-2602-1 : imagemagick security update");
script_summary(english:"Checks dpkg output for the updated packages.");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security update."
);
script_set_attribute(
attribute:"description",
value:
"Multiple security vulnerabilities were found in Imagemagick. Missing
or incomplete input sanitizing may lead to undefined behavior which
can result in denial of service (application crash) or other
unspecified impact.
For Debian 9 stretch, these problems have been fixed in version
8:6.9.7.4+dfsg-11+deb9u12.
We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
);
script_set_attribute(
attribute:"see_also",
value:"https://lists.debian.org/debian-lts-announce/2021/03/msg00030.html"
);
script_set_attribute(
attribute:"see_also",
value:"https://packages.debian.org/source/stretch/imagemagick"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/source-package/imagemagick"
);
script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-27766");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:imagemagick");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:imagemagick-6-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:imagemagick-6-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:imagemagick-6.q16");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:imagemagick-6.q16hdri");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:imagemagick-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:imagemagick-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libimage-magick-perl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libimage-magick-q16-perl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libimage-magick-q16hdri-perl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagick++-6-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagick++-6.q16-7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagick++-6.q16-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagick++-6.q16hdri-7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagick++-6.q16hdri-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagick++-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickcore-6-arch-config");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickcore-6-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickcore-6.q16-3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickcore-6.q16-3-extra");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickcore-6.q16-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickcore-6.q16hdri-3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickcore-6.q16hdri-3-extra");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickcore-6.q16hdri-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickcore-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickwand-6-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickwand-6.q16-3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickwand-6.q16-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickwand-6.q16hdri-3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickwand-6.q16hdri-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmagickwand-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:perlmagick");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/12/03");
script_set_attribute(attribute:"patch_publication_date", value:"2021/03/23");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/03/24");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Debian Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"9.0", prefix:"imagemagick", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"imagemagick-6-common", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"imagemagick-6-doc", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"imagemagick-6.q16", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"imagemagick-6.q16hdri", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"imagemagick-common", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"imagemagick-doc", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libimage-magick-perl", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libimage-magick-q16-perl", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libimage-magick-q16hdri-perl", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagick++-6-headers", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagick++-6.q16-7", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagick++-6.q16-dev", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagick++-6.q16hdri-7", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagick++-6.q16hdri-dev", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagick++-dev", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickcore-6-arch-config", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickcore-6-headers", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickcore-6.q16-3", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickcore-6.q16-3-extra", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickcore-6.q16-dev", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickcore-6.q16hdri-3", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickcore-6.q16hdri-3-extra", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickcore-6.q16hdri-dev", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickcore-dev", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickwand-6-headers", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickwand-6.q16-3", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickwand-6.q16-dev", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickwand-6.q16hdri-3", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickwand-6.q16hdri-dev", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"libmagickwand-dev", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (deb_check(release:"9.0", prefix:"perlmagick", reference:"8:6.9.7.4+dfsg-11+deb9u12")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
| Vendor | Product | Version | CPE |
|---|---|---|---|
| debian | debian_linux | imagemagick | p-cpe:/a:debian:debian_linux:imagemagick |
| debian | debian_linux | imagemagick-6-common | p-cpe:/a:debian:debian_linux:imagemagick-6-common |
| debian | debian_linux | imagemagick-6-doc | p-cpe:/a:debian:debian_linux:imagemagick-6-doc |
| debian | debian_linux | imagemagick-6.q16 | p-cpe:/a:debian:debian_linux:imagemagick-6.q16 |
| debian | debian_linux | imagemagick-6.q16hdri | p-cpe:/a:debian:debian_linux:imagemagick-6.q16hdri |
| debian | debian_linux | imagemagick-common | p-cpe:/a:debian:debian_linux:imagemagick-common |
| debian | debian_linux | imagemagick-doc | p-cpe:/a:debian:debian_linux:imagemagick-doc |
| debian | debian_linux | libimage-magick-perl | p-cpe:/a:debian:debian_linux:libimage-magick-perl |
| debian | debian_linux | libimage-magick-q16-perl | p-cpe:/a:debian:debian_linux:libimage-magick-q16-perl |
| debian | debian_linux | libimage-magick-q16hdri-perl | p-cpe:/a:debian:debian_linux:libimage-magick-q16hdri-perl |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25666
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25675
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25676
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27754
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27757
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27758
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27759
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27761
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27762
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27764
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27766
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27767
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27768
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27769
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27770
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27771
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27772
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27774
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27775
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20176
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20241
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20244
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20246
lists.debian.org/debian-lts-announce/2021/03/msg00030.html
packages.debian.org/source/stretch/imagemagick
security-tracker.debian.org/tracker/source-package/imagemagick
Related
debian
debian
[SECURITY] [DLA 2602-1] imagemagick security update
2021-03-23 22:55:18
[SECURITY] [DLA 3357-1] imagemagick security update
2023-03-11 19:39:30
openvas
openvas
Debian: Security Advisory (DLA-2602-1)
2021-03-24 00:00:00
Ubuntu: Security Advisory (USN-4988-1)
2021-06-16 00:00:00
Huawei EulerOS: Security Advisory for ImageMagick (EulerOS-SA-2022-1536)
2022-04-25 00:00:00
osv
osv
imagemagick - security update
2021-03-22 00:00:00
imagemagick vulnerabilities
2021-06-15 11:11:56
imagemagick - security update
2023-03-11 00:00:00
ubuntu
ubuntu
ImageMagick vulnerabilities
2021-06-15 00:00:00
ImageMagick vulnerabilities
2022-03-18 00:00:00
nessus
nessus
Ubuntu 18.04 LTS / 20.04 LTS : ImageMagick vulnerabilities (USN-4988-1)
2021-06-15 00:00:00
EulerOS 2.0 SP5 : ImageMagick (EulerOS-SA-2022-1536)
2022-04-25 00:00:00
openSUSE Security Update : ImageMagick (openSUSE-2021-148)
2021-01-25 00:00:00
cloudfoundry
cloudfoundry
USN-4988-1: ImageMagick vulnerabilities | Cloud Foundry
2021-07-08 00:00:00
USN-5158-1: ImageMagick vulnerabilities | Cloud Foundry
2022-01-20 00:00:00
suse
suse
Security update for ImageMagick (moderate)
2021-01-22 00:00:00
Security update for ImageMagick (moderate)
2021-01-24 00:00:00
Security update for ImageMagick (moderate)
2021-03-03 00:00:00
mageia
mageia
Updated imagemagick packages fix security vulnerabilities
2021-03-27 17:27:02
ubuntucve
ubuntucve
nvd
nvd
cvelist
cvelist
prion
prion
Input validation
2020-12-03 17:15:00
Design/Logic Flaw
2020-12-04 15:15:00
Design/Logic Flaw
2020-12-08 22:15:00
debiancve
debiancve
veracode
veracode
Denial Of Service (DoS)
2020-12-06 04:01:21
Value Overflow
2020-12-06 04:00:49
Denial Of Service (DoS)
2020-12-06 04:01:25
redhatcve
redhatcve
cve
cve
freebsd
freebsd
ImageMagick7 -- multiple vulnerabilities
2020-10-27 00:00:00
alpinelinux
alpinelinux
CVE-2021-20241
2021-03-09 18:15:14
7.1 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.1 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
48.4%
Related for DEBIAN_DLA-2602.NASL