Nessus plugin: REDHAT_UNPATCHED-GOLANG-RHEL7.NASL
History: May 11, 2024 - 12:00 a.m.

RHEL 7 : golang (Unpatched Vulnerability)

2024-05-11 00:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
7
rhel 7
golang
unpatched vulnerabilities
remote host
command execution
directory traversal
data race
denial of service
code injection
arbitrary code execution
nil pointer dereference
infinite loop
access control bypass
incorrect outputs

AI Score: 10 High (Confidence: High)
EPSS: 0.307 Low (Percentile: 97.0%)

The remote Red Hat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • golang: arbitrary command execution via VCS path (CVE-2018-7187)

  • golang: Command-line arguments may overwrite global data (CVE-2021-38297)

  • On Darwin, user’s trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. (CVE-2017-1000097)

  • In Go before 1.10.6 and 1.11.x before 1.11.3, the go get command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both ‘{’ and ‘}’ characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. (CVE-2018-16874)

  • Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. (CVE-2019-17596)

  • An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. (CVE-2019-9741)

  • Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
    (CVE-2020-15586)

  • Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. (CVE-2020-16845)

  • Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. (CVE-2020-24553)

  • Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. (CVE-2020-28362)

  • Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. (CVE-2020-28366)

  • Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. (CVE-2020-28367)

  • A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. (CVE-2020-29652)

  • encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. (CVE-2021-27918)

  • Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. (CVE-2021-29923)

  • In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  • Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the go get command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). (CVE-2021-3115)

  • net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. (CVE-2021-31525)

  • golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. (CVE-2021-33194)

  • Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. (CVE-2021-33195)

  • In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive’s header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  • In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  • In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  • The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. (CVE-2021-34558)

  • Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

  • golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. (CVE-2021-38561)

  • In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. (CVE-2021-39293)

  • ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
    (CVE-2021-41771)

  • Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. (CVE-2021-44717)

  • Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. (CVE-2022-23772)

  • cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. (CVE-2022-23773)

  • Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

  • encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data. (CVE-2022-24675)

  • regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. (CVE-2022-24921)

  • The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input. (CVE-2022-28327)

  • Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. (CVE-2022-30629)

  • An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. (CVE-2022-41717)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
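The octal-interpretation issue behind CVE-2021-29923 in the list above is, from the defender's side, an input-validation problem: an address string such as 010.0.0.1 must never reach an allowlist comparison, because a parser that silently accepts it may read the octet as octal and match the wrong network. The Go program below is an added example, not code from the Nessus plugin or from the Go project. It rejects dotted-quad octets with leading zeros before parsing, independently of which Go version's parser is in use, and then compares against the allowlist with net/netip (Go 1.18+). The allowlist prefixes and sample inputs are constructed, and the names hasLeadingZeroOctet, parseStrict, isAllowed and sampleAllowlist are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// Added example (not part of the Nessus plugin or of the Go project): an IP
// allowlist check that refuses dotted-quad octets with leading zeros before
// any parsing happens. All prefixes and inputs below are constructed sample data.

// ErrLeadingZero is returned for inputs such as "010.0.0.1".
var ErrLeadingZero = errors.New("ip octet has a leading zero; refusing ambiguous (possibly octal) notation")

// hasLeadingZeroOctet reports whether a dotted-decimal field in s looks like
// "010" or "00". A plain "0" is fine. For IPv6 literals with an embedded IPv4
// tail ("::ffff:10.0.0.1") only the last colon-separated group can carry
// dotted octets, so only that group is inspected. Strings with no dots are
// left to the parser and return false.
func hasLeadingZeroOctet(s string) bool {
	if i := strings.LastIndex(s, ":"); i >= 0 {
		s = s[i+1:]
	}
	if !strings.Contains(s, ".") {
		return false
	}
	for _, oct := range strings.Split(s, ".") {
		if len(oct) > 1 && oct[0] == '0' {
			return true
		}
	}
	return false
}

// parseStrict parses a client-supplied address, rejecting leading-zero octets
// explicitly so the policy does not depend on the toolchain: net.ParseIP
// accepted them before Go 1.17, netip.ParseAddr never has.
func parseStrict(s string) (netip.Addr, error) {
	if hasLeadingZeroOctet(s) {
		return netip.Addr{}, fmt.Errorf("%q: %w", s, ErrLeadingZero)
	}
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Addr{}, err
	}
	// Treat ::ffff:a.b.c.d as the IPv4 address a.b.c.d so IPv4 prefixes match it.
	return addr.Unmap(), nil
}

// isAllowed returns true only if the address parses strictly and falls inside
// one of the allowlist prefixes. A parse failure is reported as an error so the
// caller can log it separately from an ordinary "not on the list" result.
func isAllowed(s string, allow []netip.Prefix) (bool, error) {
	addr, err := parseStrict(s)
	if err != nil {
		return false, err
	}
	for _, p := range allow {
		if p.Contains(addr) {
			return true, nil
		}
	}
	return false, nil
}

// sampleAllowlist is constructed sample data: an internal /8 and loopback.
func sampleAllowlist() []netip.Prefix {
	return []netip.Prefix{
		netip.MustParsePrefix("10.0.0.0/8"),
		netip.MustParsePrefix("127.0.0.0/8"),
	}
}

func main() {
	inputs := []string{"10.1.2.3", "010.1.2.3", "127.0.0.1", "0127.0.0.1", "::ffff:10.0.0.1", "8.8.8.8"}
	for _, in := range inputs {
		ok, err := isAllowed(in, sampleAllowlist())
		fmt.Printf("%-18s allowed=%-5v err=%v\n", in, ok, err)
	}
}
```

netip.ParseAddr already refuses leading-zero octets, and net.ParseIP does so from Go 1.17 on; the explicit pre-check keeps the policy visible in the application and unchanged when the program is built with a toolchain that predates the fix, which is the situation this plugin reports for the RHEL 7 golang package.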

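CVE-2020-24553 in the list above concerns handlers served through net/http/cgi or net/http/fcgi whose responses default to text/html when the handler sets no Content-Type, so reflected input is rendered as markup. The application-side mitigation is not to leave the type to the host at all. The Go program below is an added example, not the plugin's or the Go project's code: it wraps any http.Handler so that every response carries an explicit Content-Type and X-Content-Type-Options: nosniff, while a handler that sets its own type keeps it. The wrapper type typedWriter, the function WithExplicitContentType and the two sample handlers are constructed for this example, and it exercises them in-process with net/http/httptest rather than over the network.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Added example (not code from the Nessus plugin or the Go project): a
// ResponseWriter wrapper that guarantees an explicit Content-Type and a
// nosniff header on every response. Handlers below are constructed samples.

// defaultContentType is the conservative type applied when a handler sets none.
const defaultContentType = "text/plain; charset=utf-8"

// typedWriter intercepts the first WriteHeader call, which is the last moment
// at which response headers can still be changed.
type typedWriter struct {
	http.ResponseWriter
	wroteHeader bool
}

func (w *typedWriter) WriteHeader(code int) {
	if !w.wroteHeader {
		w.wroteHeader = true
		h := w.Header()
		if h.Get("Content-Type") == "" {
			h.Set("Content-Type", defaultContentType)
		}
		h.Set("X-Content-Type-Options", "nosniff")
	}
	w.ResponseWriter.WriteHeader(code)
}

// Write triggers an implicit 200 through our WriteHeader so the headers are
// fixed before the first body byte leaves the handler.
func (w *typedWriter) Write(b []byte) (int, error) {
	if !w.wroteHeader {
		w.WriteHeader(http.StatusOK)
	}
	return w.ResponseWriter.Write(b)
}

// WithExplicitContentType wraps next so its responses always carry the headers
// above. The result can be passed to http.ListenAndServe, fcgi.Serve or cgi.Serve.
func WithExplicitContentType(next http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&typedWriter{ResponseWriter: rw}, r)
	})
}

// serve runs one request through the wrapped handler and returns the recorded
// response (httptest only; no listener is opened).
func serve(h http.Handler, path string) *http.Response {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	WithExplicitContentType(h).ServeHTTP(rec, req)
	return rec.Result()
}

// echoHandler is a constructed handler that reflects a query parameter into
// the body without setting any Content-Type, the pattern the advisory describes.
func echoHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello, %s", r.URL.Query().Get("name"))
	})
}

// jsonHandler sets its own type and status, which the wrapper must preserve.
func jsonHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusCreated)
		w.Write([]byte(`{"ok":true}`))
	})
}

func main() {
	cases := []struct {
		name string
		h    http.Handler
	}{{"echo", echoHandler()}, {"json", jsonHandler()}}
	for _, tc := range cases {
		resp := serve(tc.h, "/?name=<b>x</b>")
		fmt.Printf("%s: %d %s nosniff=%s\n", tc.name, resp.StatusCode,
			resp.Header.Get("Content-Type"), resp.Header.Get("X-Content-Type-Options"))
	}
}
```

The wrapper sets the headers at WriteHeader time rather than after the handler returns because net/http silently ignores header changes made once the status line has been sent; wrapping Write as well catches handlers that never call WriteHeader explicitly.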
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory golang. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(195780);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2017-1000097",
    "CVE-2018-7187",
    "CVE-2018-16874",
    "CVE-2019-9741",
    "CVE-2019-17596",
    "CVE-2020-15586",
    "CVE-2020-16845",
    "CVE-2020-24553",
    "CVE-2020-28362",
    "CVE-2020-28366",
    "CVE-2020-28367",
    "CVE-2020-29652",
    "CVE-2021-3114",
    "CVE-2021-3115",
    "CVE-2021-27918",
    "CVE-2021-29923",
    "CVE-2021-31525",
    "CVE-2021-33194",
    "CVE-2021-33195",
    "CVE-2021-33196",
    "CVE-2021-33197",
    "CVE-2021-33198",
    "CVE-2021-34558",
    "CVE-2021-36221",
    "CVE-2021-38297",
    "CVE-2021-38561",
    "CVE-2021-39293",
    "CVE-2021-41771",
    "CVE-2021-44717",
    "CVE-2022-23772",
    "CVE-2022-23773",
    "CVE-2022-23806",
    "CVE-2022-24675",
    "CVE-2022-24921",
    "CVE-2022-28327",
    "CVE-2022-30629",
    "CVE-2022-41717"
  );

  script_name(english:"RHEL 7 : golang (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - golang: arbitrary command execution via VCS path (CVE-2018-7187)

  - golang: Command-line arguments may overwrite global data (CVE-2021-38297)

  - On Darwin, user's trust preferences for root certificates were not honored. If the user had a root
    certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a
    connection using that root certificate. (CVE-2017-1000097)

  - In Go before 1.10.6 and 1.11.x before 1.11.3, the go get command is vulnerable to directory traversal
    when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}'
    characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction
    is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary
    filesystem write, which can lead to code execution. (CVE-2018-16874)

  - Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing
    an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server
    that verifies client certificates. (CVE-2019-17596)

  - An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a
    url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP
    header or a Redis command. (CVE-2019-9741)

  - Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by
    the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
    (CVE-2020-15586)

  - Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in
    encoding/binary via invalid inputs. (CVE-2020-16845)

  - Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI
    handlers that lack a Content-Type header. (CVE-2020-24553)

  - Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. (CVE-2020-28362)

  - Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution
    at build time via a malicious unquoted symbol name in a linked object file. (CVE-2020-28366)

  - Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution
    at build time via malicious gcc flags specified via a #cgo directive. (CVE-2020-28367)

  - A nil pointer dereference in the golang.org/x/crypto/ssh component through
    v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH
    servers. (CVE-2020-29652)

  - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader
    (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode,
    DecodeElement, or Skip method. (CVE-2021-27918)

  - Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address
    octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses,
    because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. (CVE-2021-29923)

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,
    related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code
    execution when using the go get command to fetch modules that make use of cgo (for example, cgo can
    execute a gcc program from an untrusted download). (CVE-2021-3115)

  - net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of
    service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each
    be affected in some configurations. (CVE-2021-31525)

  - golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service
    (infinite loop) via crafted ParseFragment input. (CVE-2021-33194)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from
    DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to
    the RFC1035 format. (CVE-2021-33195)

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's
    header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from
    net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the
    math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an
    X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS
    server to cause a TLS client to panic. (CVE-2021-34558)

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil
    ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

  - golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during
    BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be
    used as a vector for a denial-of-service attack. (CVE-2021-38561)

  - In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating
    that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of
    an incomplete fix for CVE-2021-33196. (CVE-2021-39293)

  - ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3
    Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
    (CVE-2021-41771)

  - Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or
    unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-
    descriptor exhaustion. (CVE-2021-44717)

  - Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to
    Uncontrolled Memory Consumption. (CVE-2022-23772)

  - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to
    be version tags. This can lead to incorrect access control if an actor is supposed to be able to create
    branches but not tags. (CVE-2022-23773)

  - Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return
    true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

  - encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount
    of PEM data. (CVE-2022-24675)

  - regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested
    expression. (CVE-2022-24921)

  - The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic
    via long scalar input. (CVE-2022-28327)

  - Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3
    allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket
    ages during session resumption. (CVE-2022-30629)

  - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server
    connections contain a cache of HTTP header keys sent by the client. While the total number of entries in
    this cache is capped, an attacker sending very large keys can cause the server to allocate approximately
    64 MiB per open connection. (CVE-2022-41717)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7187");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-38297");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:buildah");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:compat-sap-c++-7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:compat-sap-c++-8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:compat-sap-c++-9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:docker");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:docker-distribution");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:etcd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:etcd3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:flannel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gcc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gcc-libraries");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gomtree");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:podman");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:runc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:scap-security-guide");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sg-core-rhel8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:skopeo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:smart-gateway-container");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'buildah', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'buildah', 'cves':['CVE-2021-3114', 'CVE-2021-27918', 'CVE-2021-29923', 'CVE-2021-31525', 'CVE-2021-33195', 'CVE-2021-33196', 'CVE-2021-33197', 'CVE-2021-33198', 'CVE-2021-34558', 'CVE-2021-36221', 'CVE-2022-30629', 'CVE-2022-41717']},
      {'reference':'compat-sap-c++-7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'compat-sap-c++-7', 'cves':['CVE-2021-3114']},
      {'reference':'compat-sap-c++-8', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'compat-sap-c++-8', 'cves':['CVE-2021-3114']},
      {'reference':'compat-sap-c++-9', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'compat-sap-c++-9', 'cves':['CVE-2021-3114']},
      {'reference':'containernetworking-plugins', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'containernetworking-plugins', 'cves':['CVE-2022-30629', 'CVE-2022-41717']},
      {'reference':'docker', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'docker', 'cves':['CVE-2021-3114']},
      {'reference':'docker-distribution', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'docker-distribution', 'cves':['CVE-2021-3114']},
      {'reference':'etcd', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'etcd', 'cves':['CVE-2021-3114']},
      {'reference':'etcd3', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'etcd3', 'cves':['CVE-2021-3114']},
      {'reference':'flannel', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'flannel', 'cves':['CVE-2021-3114']},
      {'reference':'gcc', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gcc', 'cves':['CVE-2020-28362', 'CVE-2020-28366', 'CVE-2020-28367', 'CVE-2021-27918']},
      {'reference':'gcc-libraries', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gcc-libraries', 'cves':['CVE-2021-3114', 'CVE-2021-27918']},
      {'reference':'golang', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'golang', 'cves':['CVE-2017-1000097', 'CVE-2018-7187', 'CVE-2018-16874', 'CVE-2019-9741', 'CVE-2019-17596', 'CVE-2020-15586', 'CVE-2020-16845', 'CVE-2020-24553', 'CVE-2020-28362', 'CVE-2020-28366', 'CVE-2020-28367', 'CVE-2021-3114', 'CVE-2021-3115', 'CVE-2021-29923', 'CVE-2021-31525', 'CVE-2021-33194', 'CVE-2021-33195', 'CVE-2021-33196', 'CVE-2021-33197', 'CVE-2021-33198', 'CVE-2021-34558', 'CVE-2021-36221', 'CVE-2021-38297', 'CVE-2021-39293', 'CVE-2021-41771', 'CVE-2021-44717', 'CVE-2022-23772', 'CVE-2022-23773', 'CVE-2022-23806', 'CVE-2022-24675', 'CVE-2022-24921', 'CVE-2022-28327']},
      {'reference':'gomtree', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gomtree', 'cves':['CVE-2020-29652']},
      {'reference':'podman', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'podman', 'cves':['CVE-2021-3114', 'CVE-2021-34558', 'CVE-2021-38561', 'CVE-2022-30629', 'CVE-2022-41717']},
      {'reference':'rhc', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'rhc', 'cves':['CVE-2022-41717']},
      {'reference':'runc', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'runc', 'cves':['CVE-2021-44717']},
      {'reference':'scap-security-guide', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'scap-security-guide', 'cves':['CVE-2021-3114']},
      {'reference':'sg-core-rhel8', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'sg-core-rhel8', 'cves':['CVE-2022-24921']},
      {'reference':'skopeo', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'skopeo', 'cves':['CVE-2021-3114', 'CVE-2021-33198', 'CVE-2022-30629', 'CVE-2022-41717']},
      {'reference':'smart-gateway-container', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'smart-gateway-container', 'cves':['CVE-2022-24921']}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'buildah / compat-sap-c++-7 / compat-sap-c++-8 / compat-sap-c++-9 / etc');
}
Vendor   Product           Version                      CPE
redhat   enterprise_linux  7                            cpe:/o:redhat:enterprise_linux:7
redhat   enterprise_linux  8                            cpe:/o:redhat:enterprise_linux:8
redhat   enterprise_linux  buildah                      p-cpe:/a:redhat:enterprise_linux:buildah
redhat   enterprise_linux  compat-sap-c%2b%2b-7         p-cpe:/a:redhat:enterprise_linux:compat-sap-c%2b%2b-7
redhat   enterprise_linux  compat-sap-c%2b%2b-8         p-cpe:/a:redhat:enterprise_linux:compat-sap-c%2b%2b-8
redhat   enterprise_linux  compat-sap-c%2b%2b-9         p-cpe:/a:redhat:enterprise_linux:compat-sap-c%2b%2b-9
redhat   enterprise_linux  containernetworking-plugins  p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins
redhat   enterprise_linux  docker                       p-cpe:/a:redhat:enterprise_linux:docker
redhat   enterprise_linux  docker-distribution          p-cpe:/a:redhat:enterprise_linux:docker-distribution
redhat   enterprise_linux  etcd                         p-cpe:/a:redhat:enterprise_linux:etcd
(rows 1-10 of 231 shown on the page)
