7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The version of helm / cert-manager installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-26147 advisory.
index.yaml
file or a plugins plugin.yaml
file were missing all metadata a panic would occur in Helm. In the Helm SDK, this is found when using the LoadIndexFile
or DownloadIndexFile
functions in the repo
package or the LoadDir
function in the plugin
package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use recover
to catch the panic. (CVE-2024-26147)Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(201703);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/07/03");
script_cve_id("CVE-2024-26147");
script_name(english:"CBL Mariner 2.0 Security Update: helm / cert-manager (CVE-2024-26147)");
script_set_attribute(attribute:"synopsis", value:
"The remote CBL Mariner host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The version of helm / cert-manager installed on the remote CBL Mariner 2.0 host is prior to tested version. It is,
therefore, affected by a vulnerability as referenced in the CVE-2024-26147 advisory.
- Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized
variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either
an `index.yaml` file or a plugins `plugin.yaml` file were missing all metadata a panic would occur in
Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in
the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts
functions around adding a repository and all Helm functions if a malicious plugin is added as Helm
inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a
malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin
can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected
functions can use `recover` to catch the panic. (CVE-2024-26147)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-26147");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-26147");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/21");
script_set_attribute(attribute:"patch_publication_date", value:"2024/07/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/07/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:cert-manager");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:cert-manager-acmesolver");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:cert-manager-cainjector");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:cert-manager-cmctl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:cert-manager-controller");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:cert-manager-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:cert-manager-webhook");
script_set_attribute(attribute:"cpe", value:"x-cpe:/o:microsoft:cbl-mariner");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"MarinerOS Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/CBLMariner/release", "Host/CBLMariner/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item('Host/CBLMariner/release');
if (isnull(release) || 'CBL-Mariner' >!< release) audit(AUDIT_OS_NOT, 'CBL-Mariner');
var os_ver = pregmatch(pattern: "CBL-Mariner ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CBL-Mariner');
os_ver = os_ver[1];
if (! preg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'CBL-Mariner 2.0', 'CBL-Mariner ' + os_ver);
if (!get_kb_item('Host/CBLMariner/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu)
audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CBL-Mariner', cpu);
var pkgs = [
{'reference':'cert-manager-1.11.2-10.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-1.11.2-10.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-acmesolver-1.11.2-10.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-acmesolver-1.11.2-10.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-cainjector-1.11.2-10.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-cainjector-1.11.2-10.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-cmctl-1.11.2-10.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-cmctl-1.11.2-10.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-controller-1.11.2-10.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-controller-1.11.2-10.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-debuginfo-1.11.2-10.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-debuginfo-1.11.2-10.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-webhook-1.11.2-10.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'cert-manager-webhook-1.11.2-10.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'CBLMariner-' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cert-manager / cert-manager-acmesolver / cert-manager-cainjector / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
microsoft | cbl-mariner | cert-manager-cmctl | p-cpe:/a:microsoft:cbl-mariner:cert-manager-cmctl |
microsoft | cbl-mariner | cert-manager-cainjector | p-cpe:/a:microsoft:cbl-mariner:cert-manager-cainjector |
microsoft | cbl-mariner | cert-manager-debuginfo | p-cpe:/a:microsoft:cbl-mariner:cert-manager-debuginfo |
microsoft | cbl-mariner | x-cpe:/o:microsoft:cbl-mariner | |
microsoft | cbl-mariner | cert-manager | p-cpe:/a:microsoft:cbl-mariner:cert-manager |
microsoft | cbl-mariner | cert-manager-acmesolver | p-cpe:/a:microsoft:cbl-mariner:cert-manager-acmesolver |
microsoft | cbl-mariner | cert-manager-controller | p-cpe:/a:microsoft:cbl-mariner:cert-manager-controller |
microsoft | cbl-mariner | cert-manager-webhook | p-cpe:/a:microsoft:cbl-mariner:cert-manager-webhook |