ID CVE-2013-6435
Summary Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.
References
Vulnerable Configurations
  • RPM RPM Package Manager 1.2
    cpe:2.3:a:rpm:rpm:1.2
  • RPM RPM Package Manager 1.3
    cpe:2.3:a:rpm:rpm:1.3
  • RPM RPM Package Manager 1.3.1
    cpe:2.3:a:rpm:rpm:1.3.1
  • RPM RPM Package Manager 1.4
    cpe:2.3:a:rpm:rpm:1.4
  • RPM RPM Package Manager 1.4.1
    cpe:2.3:a:rpm:rpm:1.4.1
  • RPM RPM Package Manager 1.4.2
    cpe:2.3:a:rpm:rpm:1.4.2
  • RPM RPM Package Manager 1.4.2/a
    cpe:2.3:a:rpm:rpm:1.4.2%2fa
  • RPM RPM Package Manager 1.4.3
    cpe:2.3:a:rpm:rpm:1.4.3
  • RPM RPM Package Manager 1.4.4
    cpe:2.3:a:rpm:rpm:1.4.4
  • RPM RPM Package Manager 1.4.5
    cpe:2.3:a:rpm:rpm:1.4.5
  • RPM RPM Package Manager 1.4.6
    cpe:2.3:a:rpm:rpm:1.4.6
  • RPM RPM Package Manager 1.4.7
    cpe:2.3:a:rpm:rpm:1.4.7
  • RPM RPM Package Manager 2.0
    cpe:2.3:a:rpm:rpm:2.0
  • RPM RPM Package Manager 2.0.1
    cpe:2.3:a:rpm:rpm:2.0.1
  • RPM RPM Package Manager 2.0.2
    cpe:2.3:a:rpm:rpm:2.0.2
  • RPM RPM Package Manager 2.0.3
    cpe:2.3:a:rpm:rpm:2.0.3
  • RPM RPM Package Manager 2.0.4
    cpe:2.3:a:rpm:rpm:2.0.4
  • RPM RPM Package Manager 2.0.5
    cpe:2.3:a:rpm:rpm:2.0.5
  • RPM RPM Package Manager 2.0.6
    cpe:2.3:a:rpm:rpm:2.0.6
  • RPM RPM Package Manager 2.0.7
    cpe:2.3:a:rpm:rpm:2.0.7
  • RPM RPM Package Manager 2.0.8
    cpe:2.3:a:rpm:rpm:2.0.8
  • RPM RPM Package Manager 2.0.9
    cpe:2.3:a:rpm:rpm:2.0.9
  • RPM RPM Package Manager 2.0.10
    cpe:2.3:a:rpm:rpm:2.0.10
  • RPM RPM Package Manager 2.0.11
    cpe:2.3:a:rpm:rpm:2.0.11
  • RPM RPM Package Manager 2.1
    cpe:2.3:a:rpm:rpm:2.1
  • RPM RPM Package Manager 2.1.1
    cpe:2.3:a:rpm:rpm:2.1.1
  • RPM RPM Package Manager 2.1.2
    cpe:2.3:a:rpm:rpm:2.1.2
  • RPM RPM Package Manager 2.2
    cpe:2.3:a:rpm:rpm:2.2
  • RPM RPM Package Manager 2.2.1
    cpe:2.3:a:rpm:rpm:2.2.1
  • RPM RPM Package Manager 2.2.2
    cpe:2.3:a:rpm:rpm:2.2.2
  • RPM RPM Package Manager 2.2.3
    cpe:2.3:a:rpm:rpm:2.2.3
  • RPM RPM Package Manager 2.3.10
    cpe:2.3:a:rpm:rpm:2.2.3.10
  • RPM RPM Package Manager 2.3.11
    cpe:2.3:a:rpm:rpm:2.2.3.11
  • RPM RPM Package Manager 2.2.4
    cpe:2.3:a:rpm:rpm:2.2.4
  • RPM RPM Package Manager 2.2.5
    cpe:2.3:a:rpm:rpm:2.2.5
  • RPM RPM Package Manager 2.2.6
    cpe:2.3:a:rpm:rpm:2.2.6
  • RPM RPM Package Manager 2.2.7
    cpe:2.3:a:rpm:rpm:2.2.7
  • RPM RPM Package Manager 2.2.8
    cpe:2.3:a:rpm:rpm:2.2.8
  • RPM RPM Package Manager 2.2.9
    cpe:2.3:a:rpm:rpm:2.2.9
  • RPM RPM Package Manager 2.2.10
    cpe:2.3:a:rpm:rpm:2.2.10
  • RPM RPM Package Manager 2.2.11
    cpe:2.3:a:rpm:rpm:2.2.11
  • RPM RPM Package Manager 2.3
    cpe:2.3:a:rpm:rpm:2.3
  • RPM RPM Package Manager 2.3.1
    cpe:2.3:a:rpm:rpm:2.3.1
  • RPM RPM Package Manager 2.3.2
    cpe:2.3:a:rpm:rpm:2.3.2
  • RPM RPM Package Manager 2.3.3
    cpe:2.3:a:rpm:rpm:2.3.3
  • RPM RPM Package Manager 2.3.4
    cpe:2.3:a:rpm:rpm:2.3.4
  • RPM RPM Package Manager 2.3.5
    cpe:2.3:a:rpm:rpm:2.3.5
  • RPM RPM Package Manager 2.3.6
    cpe:2.3:a:rpm:rpm:2.3.6
  • RPM RPM Package Manager 2.3.7
    cpe:2.3:a:rpm:rpm:2.3.7
  • RPM RPM Package Manager 2.3.8
    cpe:2.3:a:rpm:rpm:2.3.8
  • RPM RPM Package Manager 2.3.9
    cpe:2.3:a:rpm:rpm:2.3.9
  • RPM RPM Package Manager 2.4.1
    cpe:2.3:a:rpm:rpm:2.4.1
  • RPM RPM Package Manager 2.4.2
    cpe:2.3:a:rpm:rpm:2.4.2
  • RPM RPM Package Manager 2.4.3
    cpe:2.3:a:rpm:rpm:2.4.3
  • RPM RPM Package Manager 2.4.4
    cpe:2.3:a:rpm:rpm:2.4.4
  • RPM RPM Package Manager 2.4.5
    cpe:2.3:a:rpm:rpm:2.4.5
  • RPM RPM Package Manager 2.4.6
    cpe:2.3:a:rpm:rpm:2.4.6
  • RPM RPM Package Manager 2.4.8
    cpe:2.3:a:rpm:rpm:2.4.8
  • RPM RPM Package Manager 2.4.9
    cpe:2.3:a:rpm:rpm:2.4.9
  • RPM RPM Package Manager 2.4.11
    cpe:2.3:a:rpm:rpm:2.4.11
  • RPM RPM Package Manager 2.4.12
    cpe:2.3:a:rpm:rpm:2.4.12
  • RPM RPM Package Manager 2.5
    cpe:2.3:a:rpm:rpm:2.5
  • RPM RPM Package Manager 2.5.1
    cpe:2.3:a:rpm:rpm:2.5.1
  • RPM RPM Package Manager 2.5.2
    cpe:2.3:a:rpm:rpm:2.5.2
  • RPM RPM Package Manager 2.5.3
    cpe:2.3:a:rpm:rpm:2.5.3
  • RPM RPM Package Manager 2.5.4
    cpe:2.3:a:rpm:rpm:2.5.4
  • RPM RPM Package Manager 2.5.5
    cpe:2.3:a:rpm:rpm:2.5.5
  • RPM RPM Package Manager 2.5.6
    cpe:2.3:a:rpm:rpm:2.5.6
  • RPM RPM Package Manager 2.4.7
    cpe:2.3:a:rpm:rpm:2.6.7
  • RPM RPM Package Manager 3.0
    cpe:2.3:a:rpm:rpm:3.0
  • RPM RPM Package Manager 3.0.1
    cpe:2.3:a:rpm:rpm:3.0.1
  • RPM RPM Package Manager 3.0.2
    cpe:2.3:a:rpm:rpm:3.0.2
  • RPM RPM Package Manager 3.0.3
    cpe:2.3:a:rpm:rpm:3.0.3
  • RPM RPM Package Manager 3.0.4
    cpe:2.3:a:rpm:rpm:3.0.4
  • RPM RPM Package Manager 3.0.5
    cpe:2.3:a:rpm:rpm:3.0.5
  • RPM RPM Package Manager 3.0.6
    cpe:2.3:a:rpm:rpm:3.0.6
  • RPM RPM Package Manager 4.0
    cpe:2.3:a:rpm:rpm:4.0
  • RPM RPM Package Manager 4.0.1
    cpe:2.3:a:rpm:rpm:4.0.1
  • RPM RPM Package Manager 4.0.2
    cpe:2.3:a:rpm:rpm:4.0.2
  • RPM RPM Package Manager 4.0.3
    cpe:2.3:a:rpm:rpm:4.0.3
  • RPM RPM Package Manager 4.0.4
    cpe:2.3:a:rpm:rpm:4.0.4
  • RPM RPM Package Manager 4.1
    cpe:2.3:a:rpm:rpm:4.1
  • RPM RPM Package Manager 4.3
    cpe:2.3:a:rpm:rpm:4.3.3
  • RPM Package Manager 4.4.2.1
    cpe:2.3:a:rpm:rpm:4.4.2.1
  • RPM Package Manager 4.4.2.2
    cpe:2.3:a:rpm:rpm:4.4.2.2
  • RPM Package Manager 4.4.2.3
    cpe:2.3:a:rpm:rpm:4.4.2.3
  • RPM RPM Package Manager 4.5.90
    cpe:2.3:a:rpm:rpm:4.5.90
  • RPM Package Manager 4.6.0
    cpe:2.3:a:rpm:rpm:4.6.0
  • RPM RPM Package Manager 4.6.0-release candidate 1
    cpe:2.3:a:rpm:rpm:4.6.0:rc1
  • RPM RPM Package Manager 4.6.0-release candidate 2
    cpe:2.3:a:rpm:rpm:4.6.0:rc2
  • RPM RPM Package Manager 4.6.0-release candidate 3
    cpe:2.3:a:rpm:rpm:4.6.0:rc3
  • RPM RPM Package Manager 4.6.0-release candidate 4
    cpe:2.3:a:rpm:rpm:4.6.0:rc4
  • RPM RPM Package Manager 4.6.1
    cpe:2.3:a:rpm:rpm:4.6.1
  • RPM Package Manager 4.7.0
    cpe:2.3:a:rpm:rpm:4.7.0
  • RPM RPM Package Manager 4.7.1
    cpe:2.3:a:rpm:rpm:4.7.1
  • RPM RPM Package Manager 4.7.2
    cpe:2.3:a:rpm:rpm:4.7.2
  • RPM Package Manager 4.8.0
    cpe:2.3:a:rpm:rpm:4.8.0
  • RPM RPM Package Manager 4.8.1
    cpe:2.3:a:rpm:rpm:4.8.1
  • RPM Package Manager 4.9.0
    cpe:2.3:a:rpm:rpm:4.9.0
  • RPM RPM Package Manager 4.9.0 alpha
    cpe:2.3:a:rpm:rpm:4.9.0:alpha
  • RPM RPM Package Manager 4.9.0 beta1
    cpe:2.3:a:rpm:rpm:4.9.0:beta1
  • RPM RPM Package Manager 4.9.0 release candidate 1
    cpe:2.3:a:rpm:rpm:4.9.0:rc1
  • RPM RPM Package Manager 4.9.1
    cpe:2.3:a:rpm:rpm:4.9.1
  • RPM RPM Package Manager 4.9.1.1
    cpe:2.3:a:rpm:rpm:4.9.1.1
  • RPM RPM Package Manager 4.9.1.2
    cpe:2.3:a:rpm:rpm:4.9.1.2
  • RPM Package Manager 4.10.0
    cpe:2.3:a:rpm:rpm:4.10.0
  • RPM RPM Package Manager 4.10.1
    cpe:2.3:a:rpm:rpm:4.10.1
  • RPM RPM Package Manager 4.10.2
    cpe:2.3:a:rpm:rpm:4.10.2
  • RPM Package Manager 4.11.1
    cpe:2.3:a:rpm:rpm:4.11.1
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
CVSS
Base: 7.6 (as of 25-09-2015 - 14:40)
Impact:
Exploitability:
CWE CWE-74
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string, and the formatting character %n writes the number of DWORDs written into memory. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow), hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • XML Injection
    An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
  • Leverage Alternate Encoding
    This attack leverages the possibility to encode potentially harmful input and submit it to applications that do not expect, or are not effective at validating, this encoding standard, making input filtering difficult.
  • HTTP Response Smuggling
    An attacker injects content into a server response that is interpreted differently by intermediaries than it is by the target browser. To do this, it takes advantage of inconsistent or incorrect interpretations of the HTTP protocol by various applications. For example, it might use different block terminating characters (CR or LF alone), adding duplicate header fields that browsers interpret as belonging to separate responses, or other techniques. Consequences of this attack can include response-splitting, cross-site scripting, apparent defacement of targeted sites, cache poisoning, or similar actions.
  • Fuzzing
    Fuzzing is a software testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system. An attacker can leverage fuzzing to try to identify weaknesses in the system. For instance fuzzing can help an attacker discover certain assumptions made in the system about user input. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions without really knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve his goals.
  • Using Leading 'Ghost' Character Sequences to Bypass Input Filters
    An attacker intentionally introduces leading characters that enable getting the input past the filters. The API that is being targeted ignores the leading "ghost" characters and therefore processes the attacker's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret them in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API. Some APIs will strip certain leading characters from a string of parameters. Perhaps these characters are considered redundant, and for this reason they are removed. Another possibility is that the parser logic at the beginning of analysis is specialized in some way that causes some characters to be removed. The attacker can specify multiple types of alternative encodings at the beginning of a string as a set of probes. One commonly used possibility involves adding ghost characters: extra characters that don't affect the validity of the request at the API layer. If the attacker has access to the API libraries being targeted, certain attack ideas can be tested directly in advance. Once alternative ghost encodings emerge through testing, the attacker can move from lab-based API testing to testing real-world service implementations.
  • HTTP Response Splitting
    This attack uses a maliciously-crafted HTTP request in order to cause a vulnerable web server to respond with an HTTP response stream that will be interpreted by the client as two separate responses instead of one. This is possible when user-controlled input is used unvalidated as part of the response headers. The target software, the client, will interpret the injected header as being a response to a second request, thereby causing the maliciously-crafted contents be displayed and possibly cached. To achieve HTTP Response Splitting on a vulnerable web server, the attacker:
  • Manipulating Writeable Terminal Devices
    This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiple passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Poison Web Service Registry
    SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata (to effect a denial of service), and delete information about service provider interfaces. WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. The attacker that can rewrite WS-addressing information gains the ability to route service requesters to any service providers, and the ability to route service provider response to any service. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol. The basic flow for the attacker consists of either altering the data at rest in the registry or uploading malicious content by spoofing a service provider. The service requester is then redirected to send its requests and/or responses to services the attacker controls.
  • Embedding NULL Bytes
    An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).
  • Postfix, Null Terminate, and Backslash
    If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an attacker to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special characters that need special syntax handling in order to be interpreted. Special characters are represented using a percent character followed by two hexadecimal digits representing the octet code of the original character (%HEX-CODE). For instance, the US-ASCII space character would be represented as %20. This is often referred to as escaped encoding or percent-encoding. Since the server decodes the URL from the request, it may restrict access to some URL paths by validating and filtering the URL requests it receives. An attacker will try to craft a URL with a sequence of special characters which, once interpreted by the server, will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other formats of encoding such as UTF-8 encoding, Unicode encoding, etc.
  • SQL Injection
    This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
  • Blind SQL Injection
    Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages is considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine whether the syntax and structure of the injection were successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable to SQL Injection. For example, an attacker may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the attacker entered "username" in the field, then the attacker knows that the application is vulnerable to SQL Injection. The attacker can then ask yes/no questions of the database server to extract information from it. For example, the attacker can extract table names from a database using the following types of queries: If the above query executes properly, then the attacker knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the attacker knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the attacker can determine all table names in the database. Subsequently, the attacker may execute an actual attack and send something like:
  • Using Unicode Encoding to Bypass Validation Logic
    An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understand the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
  • URL Encoding
    This attack targets the encoding of the URL. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special characters that need special syntax handling in order to be interpreted. Special characters are represented using a percent character followed by two hexadecimal digits representing the octet code of the original character (%HEX-CODE). For instance, the US-ASCII space character would be represented as %20. This is often referred to as escaped encoding or percent-encoding. Since the server decodes the URL from the request, it may restrict access to some URL paths by validating and filtering the URL requests it receives. An attacker will try to craft a URL with a sequence of special characters which, once interpreted by the server, will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other formats of encoding such as UTF-8 encoding, Unicode encoding, etc. The attacker could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance, an attacker may subvert the meaning of parameters used in a SQL request and sent through the URL string (see Example section).
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
  • Using Escaped Slashes in Alternate Encoding
    This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the slash characters. An attacker would try to exploit common filtering problems related to the use of the slash characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) chose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Using UTF-8 Encoding to Bypass Validation Logic
    This attack is a specific variation on leveraging alternate encodings to bypass validation logic. It leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications that do not expect, or are not effective at validating, this encoding standard, making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early versions of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.
  • XPath Injection
    An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database. In order to successfully inject XML and retrieve information from a database, an attacker:
  • XQuery Injection
    This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements on the victim's environment, inject commands to the local host, or execute queries to remote files and data sources.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
  • XSS in IMG Tags
    Image tags are an often overlooked, but convenient, means for a Cross Site Scripting attack. The attacker can inject script contents into an image (IMG) tag in order to steal information from a victim's browser and execute malicious scripts.
Access
  Vector: NETWORK
  Complexity: HIGH
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1974.NASL
    description From Red Hat Security Advisory 2014:1974 : Updated rpm packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435) This issue was discovered by Florian Weimer of Red Hat Product Security. All rpm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications linked against the RPM library must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 79846
    published 2014-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79846
    title Oracle Linux 5 / 6 : rpm (ELSA-2014-1974)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-816.NASL
    description This rpm update fixes the following security and non security issues : - honor --noglob in install mode [bnc#892431] - check for bad invalid name sizes [bnc#908128] [CVE-2014-8118] - create files with mode 0 [bnc#906803] [CVE-2013-6435] This update also includes version updates of rpm-python and python3-rpm.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 80276
    published 2014-12-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80276
    title openSUSE Security Update : python3-rpm / rpm / rpm-python (openSUSE-SU-2014:1716-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20141209_RPM_ON_SL7_X.NASL
    description It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435) It was found that RPM could encounter an integer overflow, leading to a stack-based buffer overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2014-8118) All running applications linked against the RPM library must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 80016
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80016
    title Scientific Linux Security Update : rpm on SL7.x x86_64
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL16383.NASL
    description Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 88435
    published 2016-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88435
    title F5 Networks BIG-IP : Linux RPM vulnerability (SOL16383)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1975.NASL
    description Updated rpm packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Extended Update Support, and Red Hat Enterprise Linux 6.5 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435) This issue was discovered by Florian Weimer of Red Hat Product Security. All rpm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications linked against the RPM library must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 79850
    published 2014-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79850
    title RHEL 5 / 6 : rpm (RHSA-2014:1975)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-1974.NASL
    description Updated rpm packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435) This issue was discovered by Florian Weimer of Red Hat Product Security. All rpm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications linked against the RPM library must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 79843
    published 2014-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79843
    title CentOS 5 / 6 : rpm (CESA-2014:1974)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-140.NASL
    description Several vulnerabilities have been fixed in rpm : CVE-2014-8118 Fix integer overflow which allowed remote attackers to execute arbitrary code. CVE-2013-6435 Prevent remote attackers from executing arbitrary code via crafted RPM files. CVE-2012-0815 Fix denial of service and possible code execution via negative value in region offset in crafted RPM files. CVE-2012-0060 and CVE-2012-0061 Prevent denial of service (crash) and possible arbitrary code execution via an invalid region tag in RPM files. We recommend that you upgrade your rpm packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 82123
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82123
    title Debian DLA-140-1 : rpm security update
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0077.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Add missing files in /usr/share/doc/ - Fix warning when applying the patch for #1163057 - Fix race condition where unchecked data is exposed in the file system (CVE-2013-6435)(#1163057) - Fix segfault on rpmdb addition when header unload fails (#706935) - Fix segfault on invalid OpenPGP packet (#743203) - Account for excludes and hardlinks wrt payload max size (#716853) - Fix payload size tag generation on big-endian systems (#648516) - Track all install failures within a transaction (#671194) - fix changelog (bug #707677 is actually #808547) - Document -D and -E options in man page (#814602) - Require matching arch for freshen on colored transactions (#813282) - Add DWARF 3 and 4 support to debugedit (#808547) - No longer add \n to group tag in Python bindings (#783451) - Fix typos in Japanese rpm man page (#760552) - Bump Geode compatibility up to i686 (#620570) - Proper region tag validation on package/header read (CVE-2012-0060) - Double-check region size against header size (CVE-2012-0061) - Validate negated offsets too in headerVerifyInfo (CVE-2012-0815) - Revert fix for #740291, too many packages rely on the broken behavior - Add support for XZ-compressed sources and patches to rpmbuild (#620674) - Avoid unnecessary assert-death when closing NULL fd (#573043) - Add scriptlet error notification callbacks (#533831) - Honor --noscripts for pre- and posttrans scriptlets too (#740345) - Avoid bogus error on printing empty ds from python (#628883) - File conflicts correctness & consistency fixes (#740291) - Create the directory used for transaction lock if necessary (#510469) - Only enforce default umask during transaction (#673821) - fix thinko in the CVE backport - fix CVE-2011-3378 (#742157) - accept windows cr/lf line endings in gpg keys (#530212) - Backport multilib ordering fixes from rpm 4.8.x (#641892)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 91753
    published 2016-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91753
    title OracleVM 3.2 : rpm (OVMSA-2016-0077)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1974.NASL
    description Updated rpm packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435) This issue was discovered by Florian Weimer of Red Hat Product Security. All rpm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications linked against the RPM library must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 79849
    published 2014-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79849
    title RHEL 5 / 6 : rpm (RHSA-2014:1974)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_POPT-141215.NASL
    description This rpm update fixes the following security and non security issues. - check for bad invalid name sizes. (CVE-2014-8118). (bnc#908128) - create files with mode 0. (CVE-2013-6435). (bnc#906803) - honor --noglob in install mode. (bnc#892431)
    last seen 2018-09-01
    modified 2014-12-26
    plugin id 80252
    published 2014-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80252
    title SuSE 11.3 Security Update : popt (SAT Patch Number 10097)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20141209_RPM_ON_SL5_X.NASL
    description It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435) All running applications linked against the RPM library must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 80015
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80015
    title Scientific Linux Security Update : rpm on SL5.x, SL6.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-1976.NASL
    description Updated rpm packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435) It was found that RPM could encounter an integer overflow, leading to a stack-based buffer overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2014-8118) These issues were discovered by Florian Weimer of Red Hat Product Security. All rpm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications linked against the RPM library must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 79877
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79877
    title CentOS 7 : rpm (CESA-2014:1976)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1976.NASL
    description From Red Hat Security Advisory 2014:1976 : Updated rpm packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435) It was found that RPM could encounter an integer overflow, leading to a stack-based buffer overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2014-8118) These issues were discovered by Florian Weimer of Red Hat Product Security. All rpm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications linked against the RPM library must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 79847
    published 2014-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79847
    title Oracle Linux 7 : rpm (ELSA-2014-1976)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3129.NASL
    description Two vulnerabilities have been discovered in the RPM package manager. - CVE-2013-6435 Florian Weimer discovered a race condition in package signature validation. - CVE-2014-8118 Florian Weimer discovered an integer overflow in parsing CPIO headers which might result in the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 80573
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80573
    title Debian DSA-3129-1 : rpm - security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1976.NASL
    description Updated rpm packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435) It was found that RPM could encounter an integer overflow, leading to a stack-based buffer overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2014-8118) These issues were discovered by Florian Weimer of Red Hat Product Security. All rpm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications linked against the RPM library must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 79851
    published 2014-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79851
    title RHEL 7 : rpm (RHSA-2014:1976)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2014-0083.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix race condition where unchecked data is exposed in the file system (CVE-2013-6435)(#1163059) - Fix thinko in the non-root python byte-compilation fix - Byte-compile versioned python libdirs in non-root prefix too (#868332) - Fix segfault on rpmdb addition when header unload fails (#706935) - Add a compat mode for enabling legacy rpm scriptlet error behavior (#963724) - Fix build-time double-free on file capability processing (#904818) - Fix include-directive getting processed on false branch (#920190) - Bring back --fileid in the man page with description of the id (#804049) - Fix missing error on --import on bogus key file (#869667) - Add DWARF 4 support to debugedit (#858731) - Add better error handling to patch for bug - Fix memory corruption on multikey PGP packets/armors (#829621) - Handle identical binaries for debug-info (#727872) - Fix typos in Japanese rpm man page (#845065) - Document -D and -E options in man page (#845063) - Add --setperms and --setuids to the man page (#839126) - Update man page that SHA256 is also used for file digest (#804049) - Remove --fileid from man page to get rid of md5 - Remove -s from patch calls (#773503) - Force _host_vendor to redhat to better match toolchain (#743229) - Backport reloadConfig for Python API (#825147) - Support for dpkg-style sorting of tilde in version/release (#825087) - Fix explicit directory %attr when %defattr is active (#730473) - Don't load keyring if signature checking is disabled (#664696) - Retry read to fix rpm2cpio with pipe as stdin (#802839)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 80008
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80008
    title OracleVM 3.3 : rpm (OVMSA-2014-0083)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-056.NASL
    description Updated rpm packages fix security vulnerabilities : It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation (CVE-2013-6435). It was found that RPM could encounter an integer overflow, leading to a stack-based buffer overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation (CVE-2014-8118).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 81939
    published 2015-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81939
    title Mandriva Linux Security Advisory : rpm (MDVSA-2015:056)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-251.NASL
    description Updated rpm packages fix security vulnerabilities : It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation (CVE-2013-6435). It was found that RPM could encounter an integer overflow, leading to a stack-based buffer overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation (CVE-2014-8118).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 79996
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79996
    title Mandriva Linux Security Advisory : rpm (MDVSA-2014:251)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16890.NASL
    description - Add check against malicious CPIO file name size - Fix race condition where unchecked data is exposed in the file system Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 80065
    published 2014-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80065
    title Fedora 21 : rpm-4.12.0.1-4.fc21 (2014-16890)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2479-1.NASL
    description Florian Weimer discovered that RPM incorrectly handled temporary files. A local attacker could use this issue to execute arbitrary code. (CVE-2013-6435) Florian Weimer discovered that RPM incorrectly handled certain CPIO headers. If a user or automated system were tricked into installing a malicious package file, a remote attacker could use this issue to cause RPM to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-8118). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 80854
    published 2015-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80854
    title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : rpm vulnerabilities (USN-2479-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201811-22.NASL
    description The remote host is affected by the vulnerability described in GLSA-201811-22 (RPM: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in RPM. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, by enticing the user to process a specially crafted RPM file, could escalate privileges, execute arbitrary code, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 119276
    published 2018-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119276
    title GLSA-201811-22 : RPM: Multiple vulnerabilities
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-458.NASL
    description It was found that RPM could encounter an integer overflow, leading to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2014-8118) It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. Red Hat has published an excellent analysis of this issue. (CVE-2013-6435)
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 79842
    published 2014-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79842
    title Amazon Linux AMI : rpm (ALAS-2014-458)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16838.NASL
    description - Add check against malicious CPIO file name size - Fix race condition where unchecked data is exposed in the file system Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 80288
    published 2014-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80288
    title Fedora 20 : rpm-4.11.3-2.fc20 (2014-16838)
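The advisories above describe the ordering bug behind CVE-2013-6435 in two sentences: rpm wrote each file into its target directory under a temporary name, with its final permissions, and checked the signature only after the write completed, so anything that scans that directory in the meantime (the cited case is crond reading /etc/cron.d) consumes attacker-controlled content; the SUSE entries summarise the shipped fix as "create files with mode 0". The Python model below is an added example and not rpm's code: the package tuple, the HMAC standing in for rpm's GPG signature and file digests, the ";tmp" suffix (rpm's real temporary names end in a semicolon plus hex), the cron-like observer and the two cron payloads are all constructed for the demonstration, and it assumes a POSIX filesystem whose mode bits the observer honours. It runs the same genuine and tampered package through the pre-fix sequence, the mode-0 sequence, and a verify-before-touching-the-target ordering, and returns what the observer could read in each case.

```python
"""Constructed model of the CVE-2013-6435 install race (added example, not rpm code)."""
import hashlib
import hmac
import os
import shutil
import stat
import tempfile

SIGNING_KEY = b"constructed-demo-key"                # stands in for the vendor key
GENUINE = b"0 * * * * root /usr/sbin/logrotate\n"    # constructed cron.d payload
TAMPERED = b"* * * * * root /tmp/attacker.sh\n"      # attacker-modified payload


def sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def verify(payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(payload), tag)


def cron_like_observer(target_dir: str) -> dict:
    """A daemon scanning the target directory (crond on /etc/cron.d in the
    advisory).  It reads every entry its permission bits let it read,
    temporary names included, so it models a reader subject to those bits."""
    seen = {}
    for name in os.listdir(target_dir):
        path = os.path.join(target_dir, name)
        if os.stat(path).st_mode & stat.S_IROTH:
            with open(path, "rb") as f:
                seen[name] = f.read()
    return seen


def _write_tmp(target_dir: str, name: str, payload: bytes, mode: int) -> str:
    """Write payload under a temporary name inside the target directory with
    exactly `mode` (chmod after open so the umask cannot widen or narrow it)."""
    tmp = os.path.join(target_dir, name + ";tmp")    # constructed stand-in suffix
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.chmod(tmp, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return tmp


def install_vulnerable(pkg, target_dir, observer=cron_like_observer):
    """Pre-fix sequence: extract with the final permissions, verify afterwards."""
    name, payload, tag = pkg
    tmp = _write_tmp(target_dir, name, payload, 0o644)
    seen = observer(target_dir)          # the window: unverified but readable
    if not verify(payload, tag):
        os.unlink(tmp)
        return False, seen
    os.rename(tmp, os.path.join(target_dir, name))
    return True, seen


def install_mode0(pkg, target_dir, observer=cron_like_observer):
    """The fix as the SUSE entry describes it: the temporary file is created
    with mode 0 and receives its real permissions only after verification."""
    name, payload, tag = pkg
    tmp = _write_tmp(target_dir, name, payload, 0)
    seen = observer(target_dir)
    if not verify(payload, tag):
        os.unlink(tmp)
        return False, seen
    os.chmod(tmp, 0o644)
    os.rename(tmp, os.path.join(target_dir, name))
    return True, seen


def install_verify_first(pkg, target_dir, observer=cron_like_observer):
    """Stricter ordering: nothing is written into the target directory until
    the signature has been checked, so there is no window at all."""
    name, payload, tag = pkg
    if not verify(payload, tag):
        return False, observer(target_dir)
    tmp = _write_tmp(target_dir, name, payload, 0o644)
    seen = observer(target_dir)
    os.rename(tmp, os.path.join(target_dir, name))
    return True, seen


def demo() -> dict:
    """Run each installer on a genuine and a tampered package in fresh
    directories; returns {(installer, package): (installed, observer_saw)}."""
    packages = {"genuine": ("job", GENUINE, sign(GENUINE)),
                "tampered": ("job", TAMPERED, sign(GENUINE))}   # signature no longer matches
    results = {}
    for label, installer in (("vulnerable", install_vulnerable),
                             ("mode0", install_mode0),
                             ("verify_first", install_verify_first)):
        for kind, pkg in packages.items():
            target = tempfile.mkdtemp()
            try:
                results[(label, kind)] = installer(pkg, target)
            finally:
                shutil.rmtree(target)
    return results
```

In `demo()` the observer reads the tampered cron line from the pre-fix installer even though that installer then rejects the package, reads nothing from the mode-0 installer, and reads only verified content from the verify-first one. The observer keys on the mode bits, so it stands for a reader that is subject to them; a process holding CAP_DAC_OVERRIDE is outside the model, which is why, where the installer controls the ordering, verifying before anything lands in the target directory is the ordering to prefer over narrowing permissions on the temporary file.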
redhat via4
advisories
  • bugzilla
    id 1039811
    title CVE-2013-6435 rpm: race condition during the installation process
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331001
      • OR
        • AND
          • comment popt is earlier than 0:1.10.2.3-36.el5_11
            oval oval:com.redhat.rhsa:tst:20141974010
          • comment popt is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20100679011
        • AND
          • comment rpm is earlier than 0:4.4.2.3-36.el5_11
            oval oval:com.redhat.rhsa:tst:20141974002
          • comment rpm is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20100679003
        • AND
          • comment rpm-apidocs is earlier than 0:4.4.2.3-36.el5_11
            oval oval:com.redhat.rhsa:tst:20141974006
          • comment rpm-apidocs is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20100679005
        • AND
          • comment rpm-build is earlier than 0:4.4.2.3-36.el5_11
            oval oval:com.redhat.rhsa:tst:20141974014
          • comment rpm-build is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20100679007
        • AND
          • comment rpm-devel is earlier than 0:4.4.2.3-36.el5_11
            oval oval:com.redhat.rhsa:tst:20141974004
          • comment rpm-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20100679009
        • AND
          • comment rpm-libs is earlier than 0:4.4.2.3-36.el5_11
            oval oval:com.redhat.rhsa:tst:20141974008
          • comment rpm-libs is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20100679013
        • AND
          • comment rpm-python is earlier than 0:4.4.2.3-36.el5_11
            oval oval:com.redhat.rhsa:tst:20141974012
          • comment rpm-python is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20100679015
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhba:tst:20111656001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhba:tst:20111656002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhba:tst:20111656003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20111656004
      • OR
        • AND
          • comment rpm is earlier than 0:4.8.0-38.el6_6
            oval oval:com.redhat.rhsa:tst:20141974020
          • comment rpm is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111349034
        • AND
          • comment rpm-apidocs is earlier than 0:4.8.0-38.el6_6
            oval oval:com.redhat.rhsa:tst:20141974022
          • comment rpm-apidocs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111349046
        • AND
          • comment rpm-build is earlier than 0:4.8.0-38.el6_6
            oval oval:com.redhat.rhsa:tst:20141974026
          • comment rpm-build is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111349040
        • AND
          • comment rpm-cron is earlier than 0:4.8.0-38.el6_6
            oval oval:com.redhat.rhsa:tst:20141974030
          • comment rpm-cron is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111349044
        • AND
          • comment rpm-devel is earlier than 0:4.8.0-38.el6_6
            oval oval:com.redhat.rhsa:tst:20141974032
          • comment rpm-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111349038
        • AND
          • comment rpm-libs is earlier than 0:4.8.0-38.el6_6
            oval oval:com.redhat.rhsa:tst:20141974024
          • comment rpm-libs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111349042
        • AND
          • comment rpm-python is earlier than 0:4.8.0-38.el6_6
            oval oval:com.redhat.rhsa:tst:20141974028
          • comment rpm-python is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111349036
    rhsa
    id RHSA-2014:1974
    released 2014-12-09
    severity Important
    title RHSA-2014:1974: rpm security update (Important)
  • rhsa
    id RHSA-2014:1975
  • rhsa
    id RHSA-2014:1976
rpms
  • popt-0:1.10.2.3-36.el5_11
  • rpm-0:4.4.2.3-36.el5_11
  • rpm-apidocs-0:4.4.2.3-36.el5_11
  • rpm-build-0:4.4.2.3-36.el5_11
  • rpm-devel-0:4.4.2.3-36.el5_11
  • rpm-libs-0:4.4.2.3-36.el5_11
  • rpm-python-0:4.4.2.3-36.el5_11
  • rpm-0:4.8.0-38.el6_6
  • rpm-apidocs-0:4.8.0-38.el6_6
  • rpm-build-0:4.8.0-38.el6_6
  • rpm-cron-0:4.8.0-38.el6_6
  • rpm-devel-0:4.8.0-38.el6_6
  • rpm-libs-0:4.8.0-38.el6_6
  • rpm-python-0:4.8.0-38.el6_6
  • rpm-0:4.11.1-18.el7_0
  • rpm-apidocs-0:4.11.1-18.el7_0
  • rpm-build-0:4.11.1-18.el7_0
  • rpm-build-libs-0:4.11.1-18.el7_0
  • rpm-cron-0:4.11.1-18.el7_0
  • rpm-devel-0:4.11.1-18.el7_0
  • rpm-libs-0:4.11.1-18.el7_0
  • rpm-python-0:4.11.1-18.el7_0
  • rpm-sign-0:4.11.1-18.el7_0
refmap via4
bid 71558
confirm
debian DSA-3129
gentoo GLSA-201811-22
mandriva
  • MDVSA-2014:251
  • MDVSA-2015:056
Last major update 07-12-2016 - 22:03
Published 16-12-2014 - 13:59
Last modified 29-11-2018 - 06:29