Lucene search

HistoryMar 28, 2022 - 12:00 a.m.

Ubuntu 18.04 LTS : Smarty vulnerabilities (USN-5348-1)

2022-03-2800:00:00

www.tenable.com

ubuntu

smarty

vulnerabilities

usn-5348-1

package

path traversal

protection mechanism

template engine

php

sandbox escape

code injection

version 3.1.33

version 3.1.43

version 4.0.3

version 3.1.39

version 3.1.42

version 4.0.2

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.011

Percentile

84.9%

JSON

The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5348-1 advisory.

David Gnedt and Thomas Konrad discovered that Smarty was incorrectly sanitizing the paths present in the     templates. An attacker could possibly use this use to read arbitrary files when controlling the executed     template. (CVE-2018-13982)

It was discovered that Smarty was incorrectly sanitizing the paths present in the templates. An attacker     could possibly use this use to read arbitrary files when controlling the executed template.
(CVE-2018-16831)

It was discovered that Smarty was incorrectly validating security policy data, allowing the execution of     static classes even when not permitted by the security settings. An attacker could possibly use this issue     to execute arbitrary code. (CVE-2021-21408)

It was discovered that Smarty was incorrectly managing access control to template objects, which allowed     users to perform a sandbox escape. An attacker could possibly use this issue to send specially crafted     input to applications that use Smarty and execute arbitrary code. (CVE-2021-26119)

It was discovered that Smarty was not checking for special characters when setting function names during     plugin compile operations. An attacker could possibly use this issue to send specially crafted input to     applications that use Smarty and execute arbitrary code. (CVE-2021-26120)

It was discovered that Smarty was incorrectly sanitizing characters in math strings processed by the math     function. An attacker could possibly use this issue to send specially crafted input to applications that     use Smarty and execute arbitrary code. (CVE-2021-29454)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-5348-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(159268);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/08/27");

  script_cve_id(
    "CVE-2018-13982",
    "CVE-2018-16831",
    "CVE-2021-21408",
    "CVE-2021-26119",
    "CVE-2021-26120",
    "CVE-2021-29454"
  );
  script_xref(name:"USN", value:"5348-1");

  script_name(english:"Ubuntu 18.04 LTS : Smarty vulnerabilities (USN-5348-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-5348-1 advisory.

    David Gnedt and Thomas Konrad discovered that Smarty was incorrectly sanitizing the paths present in the
    templates. An attacker could possibly use this use to read arbitrary files when controlling the executed
    template. (CVE-2018-13982)

    It was discovered that Smarty was incorrectly sanitizing the paths present in the templates. An attacker
    could possibly use this use to read arbitrary files when controlling the executed template.
    (CVE-2018-16831)

    It was discovered that Smarty was incorrectly validating security policy data, allowing the execution of
    static classes even when not permitted by the security settings. An attacker could possibly use this issue
    to execute arbitrary code. (CVE-2021-21408)

    It was discovered that Smarty was incorrectly managing access control to template objects, which allowed
    users to perform a sandbox escape. An attacker could possibly use this issue to send specially crafted
    input to applications that use Smarty and execute arbitrary code. (CVE-2021-26119)

    It was discovered that Smarty was not checking for special characters when setting function names during
    plugin compile operations. An attacker could possibly use this issue to send specially crafted input to
    applications that use Smarty and execute arbitrary code. (CVE-2021-26120)

    It was discovered that Smarty was incorrectly sanitizing characters in math strings processed by the math
    function. An attacker could possibly use this issue to send specially crafted input to applications that
    use Smarty and execute arbitrary code. (CVE-2021-29454)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-5348-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected smarty3 package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-26120");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/03/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:smarty3");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2022-2024 Canonical, Inc. / NASL script (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '18.04', 'pkgname': 'smarty3', 'pkgver': '3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  var extra = '';
  extra += ubuntu_report_get();
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'smarty3');
}