Nessus plugin: REDHAT_UNPATCHED-ETCD-RHEL7.NASL
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: May 11, 2024 - 12:00 a.m.

RHEL 7 : etcd (Unpatched Vulnerability)

www.tenable.com
Tags: rhel 7, etcd, unpatched vulnerability, cross-site request forgery, information disclosure, dns rebinding, directory permissions, denial of service, password validation, tls authentication, distributed key-value store, leasetimetolive api

AI Score: 7.6 High (confidence: Low)
EPSS: 0.003 Low (percentile: 71.5%)

The remote Red Hat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • etcd: Cross-site request forgery via crafted local POST forms (CVE-2018-1098)

  • etcd: Information disclosure via debug function (CVE-2021-28235)

  • DNS rebinding vulnerability in etcd 3.3.1 and earlier. An attacker who controls the DNS records for a domain can point them at localhost and trick a victim's browser into sending requests to localhost (or any other address) on the attacker's behalf.
    (CVE-2018-1099)

  • In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700). (CVE-2020-15113)

  • In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway. (CVE-2020-15114)

  • etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort. (CVE-2020-15115)

  • In etcd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints discovered from DNS SRV records. When a gateway starts, TLS authentication is attempted only against endpoints found in the DNS SRV records for the given domain (the discoverEndpoints function); no authentication is performed against endpoints supplied with the --endpoints flag. This was fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.
    (CVE-2020-15136)

  • Etcd v3.5.4 allows remote attackers to cause a denial of service via function PageWriter.write in pagewriter.go. NOTE: the vendor’s position is that this is not a vulnerability. (CVE-2022-34038)

  • etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API returns the key names (not the values) attached to a lease when the Keys parameter is true, even if the caller has no read permission on those keys. The impact is limited to clusters with auth (RBAC) enabled. Versions 3.4.26 and 3.5.9 fix the issue; there are no known workarounds. (CVE-2023-32082)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
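The note above is worth taking literally: the plugin reports on the package manager's installed-package list and never compares the installed etcd version with the fixed versions quoted in the description. The Go program below is an added example written for this page, not part of the Nessus plugin or of etcd. It transcribes the version ranges quoted above into a per-CVE triage for an installed version string of the kind `rpm -q --qf '%{VERSION}-%{RELEASE}' etcd` prints; the input 3.3.11-2.el7 in main is constructed and is not the package version of any particular RHEL 7 build. Two things are assumptions of the example rather than statements of the advisory: "before versions 3.3.23 and 3.4.10" is read branch by branch (a 3.3.x release is affected below 3.3.23, a 3.4.x release below 3.4.10, anything older than both is affected, anything on a newer branch is taken as fixed), and the three CVEs for which the description quotes no versions at all (CVE-2018-1098, CVE-2021-28235, CVE-2022-34038) are reported as undecided rather than guessed.

```go
package main

import (
	"fmt"
	"strings"
)

// Version is an etcd release number. ParseVersion strips a leading "v" and an
// rpm release suffix such as "-2.el7" before reading major.minor.patch.
type Version struct{ Major, Minor, Patch int }

func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+~"); i >= 0 {
		s = s[:i]
	}
	var v Version
	if _, err := fmt.Sscanf(s, "%d.%d.%d", &v.Major, &v.Minor, &v.Patch); err != nil {
		return Version{}, fmt.Errorf("version %q: want major.minor.patch: %w", s, err)
	}
	return v, nil
}

// Less orders versions by (major, minor, patch).
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// Check reports whether v is affected and whether the advisory text gives enough version information to decide.
type Check func(v Version) (affected, known bool)

// fixedIn encodes "fixed in versions A and B": the first fixed release of each
// minor branch, ascending on consecutive branches. A release on a listed branch
// is affected below that branch's fix; one on an older branch than any listed
// is affected; one on a newer branch than all listed is taken as fixed.
func fixedIn(fixes ...Version) Check {
	return func(v Version) (bool, bool) {
		for _, f := range fixes {
			if v.Major == f.Major && v.Minor == f.Minor {
				return v.Less(f), true
			}
		}
		return v.Less(fixes[0]), true
	}
}

// upTo encodes "version X and earlier".
func upTo(last Version) Check {
	return func(v Version) (bool, bool) { return !last.Less(v), true }
}

// undecided marks CVEs for which the advisory quotes no version range at all.
func undecided(Version) (bool, bool) { return false, false }

// Ranges transcribed from the advisory text, in the advisory's order.
var advisories = []struct{ CVE string; Check Check }{
	{"CVE-2018-1098", undecided},                                      // CSRF via local POST forms, no versions quoted
	{"CVE-2021-28235", undecided},                                     // debug-function info disclosure, no versions quoted
	{"CVE-2018-1099", upTo(Version{3, 3, 1})},                         // DNS rebinding, 3.3.1 and earlier
	{"CVE-2020-15113", fixedIn(Version{3, 3, 23}, Version{3, 4, 10})}, // data/TLS directory permissions
	{"CVE-2020-15114", fixedIn(Version{3, 3, 23}, Version{3, 4, 10})}, // gateway self-referencing endpoint DoS
	{"CVE-2020-15115", fixedIn(Version{3, 3, 23}, Version{3, 4, 10})}, // no password length validation
	{"CVE-2020-15136", fixedIn(Version{3, 3, 23}, Version{3, 4, 10})}, // gateway TLS auth only for DNS SRV endpoints
	{"CVE-2022-34038", undecided},                                     // PageWriter.write DoS in v3.5.4, vendor disputes
	{"CVE-2023-32082", fixedIn(Version{3, 4, 26}, Version{3, 5, 9})},  // LeaseTimeToLive exposes key names under RBAC
}

// Triage buckets the advisory's CVEs for one installed version string.
type Triage struct{ Affected, Fixed, Undecided []string }

func TriageVersion(installed string) (Triage, error) {
	v, err := ParseVersion(installed)
	if err != nil {
		return Triage{}, err
	}
	var t Triage
	for _, a := range advisories {
		switch affected, known := a.Check(v); {
		case !known:
			t.Undecided = append(t.Undecided, a.CVE)
		case affected:
			t.Affected = append(t.Affected, a.CVE)
		default:
			t.Fixed = append(t.Fixed, a.CVE)
		}
	}
	return t, nil
}

func main() {
	// Constructed input in the form `rpm -q --qf '%{VERSION}-%{RELEASE}' etcd` prints.
	t, err := TriageVersion("3.3.11-2.el7")
	fmt.Printf("%+v err=%v\n", t, err)
}
```

For the constructed input 3.3.11-2.el7 the Affected bucket holds the four 2020 CVEs and CVE-2023-32082, CVE-2018-1099 lands in Fixed, and the three undecided CVEs still need a source other than this advisory before they can be closed. Feeding the real package version from `rpm -q` gives the list to carry into a risk decision, which the plugin's installed-or-not verdict cannot.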

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory etcd. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196026);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2018-1098",
    "CVE-2018-1099",
    "CVE-2020-15113",
    "CVE-2020-15114",
    "CVE-2020-15115",
    "CVE-2020-15136",
    "CVE-2021-28235",
    "CVE-2022-34038",
    "CVE-2023-32082"
  );

  script_name(english:"RHEL 7 : etcd (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Red Hat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - etcd: Cross-site request forgery via crafted local POST forms (CVE-2018-1098)

  - etcd: Information disclosure via debug function (CVE-2021-28235)

  - DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to
    direct to localhost, and trick the browser into sending requests to localhost (or any other address).
    (CVE-2018-1099)

  - In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and
    the directory path when provided to automatically generate self-signed certificates for TLS connections
    with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not
    perform any permission checks when a given directory path exists already. A possible workaround is to
    ensure the directories have the desired permission (700). (CVE-2020-15113)

  - In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic
    service discovery and access. However, it is possible to include the gateway address as an endpoint. This
    results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until
    there are no more available file descriptors to accept connections on the gateway. (CVE-2020-15114)

  - etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for
    very short passwords, such as those with a length of one. This may allow an attacker to guess or
    brute-force users' passwords with little computational effort. (CVE-2020-15115)

  - In etcd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints
    detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on
    endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints
    function. No authentication is performed against endpoints provided in the --endpoints flag. This has been
    fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.
    (CVE-2020-15136)

  - Etcd v3.5.4 allows remote attackers to cause a denial of service via function PageWriter.write in
    pagewriter.go. NOTE: the vendor's position is that this is not a vulnerability. (CVE-2022-34038)

  - etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and
    3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys`
    parameter is true, even if a user doesn't have read permission to the keys. The impact is limited to a
    cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known
    workarounds. (CVE-2023-32082)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1098");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-28235");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:etcd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:etcd3");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'etcd', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'etcd'},
      {'reference':'etcd3', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'etcd3', 'cves':['CVE-2018-1098', 'CVE-2018-1099', 'CVE-2021-28235', 'CVE-2023-32082']}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'etcd / etcd3');
}
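The plugin above stops at "package installed"; the CVE-2020-15113 item in its description explains the mechanism (os.MkdirAll applies the requested mode only to directories it creates and returns nil for an existing one whatever its permissions) but shows neither the defect nor a correct check in code. The Go program below is an added example written for this page, not etcd's own code: createDirUnchecked reproduces the pre-fix behaviour, createDirChecked adds the check that the advisory's workaround otherwise leaves to the operator, and main stages a data directory that was pre-created world-readable so the two variants visibly diverge. The directory name member, the 0755 starting mode and the temporary base path are constructed for the demonstration; on a real host DirPerm would be pointed at the etcd data directory and the auto-generated TLS certificate directory named in the advisory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// privateDirMode is the mode etcd wants on its data directory and on the
// directory used for auto-generated TLS certificates (0700, per the advisory).
const privateDirMode os.FileMode = 0700

// createDirUnchecked reproduces the pre-3.3.23/3.4.10 behaviour the advisory
// describes: os.MkdirAll applies the mode only to directories it creates and
// returns nil for an existing directory whatever its permission bits are.
func createDirUnchecked(dir string) error {
	return os.MkdirAll(dir, privateDirMode)
}

// createDirChecked creates dir with 0700 and, when it already existed, refuses
// to use it unless its permission bits are exactly 0700. This is the advisory's
// workaround ("ensure the directories have the desired permission") enforced in
// code instead of left to the operator.
func createDirChecked(dir string) error {
	if err := os.MkdirAll(dir, privateDirMode); err != nil {
		return err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return fmt.Errorf("%s: not a directory", dir)
	}
	if got := info.Mode().Perm(); got != privateDirMode {
		return fmt.Errorf("%s: permission is %#o, want %#o (group/world can reach the directory)",
			dir, got, privateDirMode)
	}
	return nil
}

// DirPerm returns the permission bits of an existing directory, for auditing a
// running deployment without creating anything.
func DirPerm(dir string) (os.FileMode, error) {
	info, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

func main() {
	base, err := os.MkdirTemp("", "etcd-dir-perm")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)

	// Constructed scenario: a data directory that a packaging script or operator
	// created world-readable before etcd first started. Chmod is applied
	// explicitly because os.Mkdir's mode is filtered through the process umask.
	dir := filepath.Join(base, "member")
	if err := os.Mkdir(dir, 0755); err != nil {
		panic(err)
	}
	if err := os.Chmod(dir, 0755); err != nil {
		panic(err)
	}

	fmt.Println("unchecked:      ", createDirUnchecked(dir)) // <nil>: the 0755 directory is silently accepted
	fmt.Println("checked:        ", createDirChecked(dir))   // permission error naming the 0755 mode
	if err := os.Chmod(dir, privateDirMode); err != nil {
		panic(err)
	}
	fmt.Println("after chmod 700:", createDirChecked(dir)) // <nil>
}
```

The check compares the full permission bits rather than testing only the group/other bits, so a directory that is 0500 or 0750 is rejected as well; that is deliberate, since the advisory's workaround is "the desired permission (700)" and a stricter-than-expected mode usually means etcd will fail later anyway when it writes the WAL.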
Vendor   Product           Version   CPE
redhat   enterprise_linux  7         cpe:/o:redhat:enterprise_linux:7
redhat   enterprise_linux  etcd      p-cpe:/a:redhat:enterprise_linux:etcd
redhat   enterprise_linux  etcd3     p-cpe:/a:redhat:enterprise_linux:etcd3