CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS
Percentile
53.3%
According to the versions of the OpenEXR package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h. (CVE-2020-11758)
An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer. (CVE-2020-11759)
An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp. (CVE-2020-11760)
An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp. (CVE-2020-11761)
An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case.
(CVE-2020-11762)
An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp. (CVE-2020-11763)
An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp. (CVE-2020-11764)
An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read. (CVE-2020-11765)
An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp. (CVE-2020-15305)
An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp. (CVE-2020-15306)
A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR’s IlmImf library, could cause a NULL pointer dereference. The highest threat from this vulnerability is to system availability.
(CVE-2021-20296)
An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.
(CVE-2021-23215)
An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215. (CVE-2021-26260)
There’s a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability. (CVE-2021-3474)
There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability. (CVE-2021-3475)
A flaw was found in OpenEXR’s B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability. (CVE-2021-3476)
There’s a flaw in OpenEXR’s deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability. (CVE-2021-3477)
There’s a flaw in OpenEXR’s scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability. (CVE-2021-3478)
There’s a flaw in OpenEXR’s Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability. (CVE-2021-3479)
There’s a flaw in OpenEXR’s ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability. (CVE-2021-3598)
There’s a flaw in OpenEXR’s rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability. (CVE-2021-3605)
An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits.
This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths. (CVE-2021-3933)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(165850);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/10");
script_cve_id(
"CVE-2020-11758",
"CVE-2020-11759",
"CVE-2020-11760",
"CVE-2020-11761",
"CVE-2020-11762",
"CVE-2020-11763",
"CVE-2020-11764",
"CVE-2020-11765",
"CVE-2020-15305",
"CVE-2020-15306",
"CVE-2021-3474",
"CVE-2021-3475",
"CVE-2021-3476",
"CVE-2021-3477",
"CVE-2021-3478",
"CVE-2021-3479",
"CVE-2021-3598",
"CVE-2021-3605",
"CVE-2021-3933",
"CVE-2021-20296",
"CVE-2021-23215",
"CVE-2021-26260"
);
script_name(english:"EulerOS 2.0 SP8 : OpenEXR (EulerOS-SA-2022-2475)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the OpenEXR package installed, the EulerOS installation on the remote host is affected by
the following vulnerabilities :
- An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in
ImfOptimizedPixelReading.h. (CVE-2020-11758)
- An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in
CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write
to an out-of-bounds pointer. (CVE-2020-11759)
- An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression
in rleUncompress in ImfRle.cpp. (CVE-2020-11760)
- An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman
uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp. (CVE-2020-11761)
- An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in
DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case.
(CVE-2020-11762)
- An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as
demonstrated by ImfTileOffsets.cpp. (CVE-2020-11763)
- An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in
ImfMisc.cpp. (CVE-2020-11764)
- An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read
function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read. (CVE-2020-11765)
- An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in
DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp. (CVE-2020-15305)
- An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer
overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp. (CVE-2020-15306)
- A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker,
that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could cause a NULL
pointer dereference. The highest threat from this vulnerability is to system availability.
(CVE-2021-20296)
- An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in
versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.
(CVE-2021-23215)
- An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in
versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This
is a different flaw from CVE-2021-23215. (CVE-2021-26260)
- There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR
could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application
availability. (CVE-2021-3474)
- There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be
processed by OpenEXR could cause an integer overflow, potentially leading to problems with application
availability. (CVE-2021-3475)
- A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker
who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting
application availability. (CVE-2021-3476)
- There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker
who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow,
subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application
availability. (CVE-2021-3477)
- There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker
able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The
greatest impact of this flaw is to system availability. (CVE-2021-3478)
- There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is
able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory,
resulting in an impact to system availability. (CVE-2021-3479)
- There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker
who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds
read. The greatest risk from this flaw is to application availability. (CVE-2021-3598)
- There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is
able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The
greatest risk from this flaw is to application availability. (CVE-2021-3605)
- An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits.
This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with
application stability or lead to other attack paths. (CVE-2021-3933)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-2475
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?35e2d207");
script_set_attribute(attribute:"solution", value:
"Update the affected OpenEXR packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3476");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-3933");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14");
script_set_attribute(attribute:"patch_publication_date", value:"2022/10/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:OpenEXR-libs");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
var flag = 0;
var pkgs = [
"OpenEXR-libs-2.2.0-15.h3.eulerosv2r8"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenEXR");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11758
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11759
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11760
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11761
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11762
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11763
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11764
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11765
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15305
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15306
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20296
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23215
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26260
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3474
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3475
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3476
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3477
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3478
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3479
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3598
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3605
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3933
www.nessus.org/u?35e2d207
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS
Percentile
53.3%