Heap-based buffer overflow in the strip_escapes function in signal.c in GNU ed before 1.0 allows context-dependent or user-assisted attackers to execute arbitrary code via a long filename. NOTE: since ed itself does not typically run with special privileges, this issue only crosses privilege boundaries when ed is invoked as a third-party component.

The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries :

  - bind
  - expat
  - glib2
  - Kernel
  - newt
  - nfs-utils
  - NTP
  - OpenSSH
  - OpenSSL

The remote Oracle Linux 5 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2008-0946 advisory.

    [0.2-39]
    - add fix for CVE-2008-3916

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A heap-based buffer overflow was discovered in the way ed, the GNU line editor, processed long file names. An attacker could create a file with a specially crafted name that could possibly execute an arbitrary code when opened in the ed editor. (CVE-2008-3916)

This update fixes a heap-based buffer overflow in ed which can be exploited remotely only with user-assistance. CVE-2008-3916: CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C): Buffer Errors (CWE-119)

This update fixes a heap-based buffer overflow in ed which can be exploited remotely only with user-assistance. CVE-2008-3916: CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C): Buffer Errors.
(CWE-119)

a. vMA and Service Console update for newt to 0.52.2-12.el5_4.1

   Newt is a programming library for color text mode, widget based    user interfaces. Newt can be used to add stacked windows, entry    widgets, checkboxes, radio buttons, labels, plain text fields,    scrollbars, etc., to text mode user interfaces.

   A heap-based buffer overflow flaw was found in the way newt    processes content that is to be displayed in a text dialog box.
   A local attacker could issue a specially crafted text dialog box    display request (direct or via a custom application), leading to a    denial of service (application crash) or, potentially, arbitrary    code execution with the privileges of the user running the    application using the newt library.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-2905 to this issue.

b. vMA and Service Console update for vMA package nfs-utils to    1.0.9-42.el5

   The nfs-utils package provides a daemon for the kernel NFS server    and related tools.

   It was discovered that nfs-utils did not use tcp_wrappers    correctly.  Certain hosts access rules defined in '/etc/hosts.allow'    and '/etc/hosts.deny' may not have been honored, possibly allowing    remote attackers to bypass intended access restrictions.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2008-4552 to this issue.

c. vMA and Service Console package glib2 updated to 2.12.3-4.el5_3.1

   GLib is the low-level core library that forms the basis for    projects such as GTK+ and GNOME. It provides data structure    handling for C, portability wrappers, and interfaces for such    runtime functionality as an event loop, threads, dynamic loading,    and an object system.

   Multiple integer overflows in glib/gbase64.c in GLib before 2.20    allow context-dependent attackers to execute arbitrary code via a    long string that is converted either from or to a base64    representation.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2008-4316 to this issue.

d. vMA and Service Console update for openssl to 0.9.8e-12.el5

   SSL is a toolkit implementing SSL v2/v3 and TLS protocols with full-    strength cryptography world-wide.

   Multiple denial of service flaws were discovered in OpenSSL's DTLS    implementation. A remote attacker could use these flaws to cause a    DTLS server to use excessive amounts of memory, or crash on an    invalid memory access or NULL pointer dereference.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the names CVE-2009-1377, CVE-2009-1378,    CVE-2009-1379, CVE-2009-1386, CVE-2009-1387 to these issues.

   An input validation flaw was found in the handling of the BMPString    and UniversalString ASN1 string types in OpenSSL's    ASN1_STRING_print_ex() function. An attacker could use this flaw to    create a specially crafted X.509 certificate that could cause    applications using the affected function to crash when printing    certificate contents.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-0590 to this issue.

e. vMA and Service Console package bind updated to 9.3.6-4.P1.el5_4.1

   It was discovered that BIND was incorrectly caching responses    without performing proper DNSSEC validation, when those responses    were received during the resolution of a recursive client query    that requested DNSSEC records but indicated that checking should be    disabled. A remote attacker could use this flaw to bypass the DNSSEC    validation check and perform a cache poisoning attack if the target    BIND server was receiving such client queries.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-4022 to this issue.

f. vMA and Service Console package expat updated to 1.95.8-8.3.el5_4.2.

   Two buffer over-read flaws were found in the way Expat handled    malformed UTF-8 sequences when processing XML files. A specially-    crafted XML file could cause applications using Expat to fail while    parsing the file.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the names CVE-2009-3560 and CVE-2009-3720 to these    issues.

g. vMA and Service Console package openssh update to 4.3p2-36.el5_4.2

   A Red Hat specific patch used in the openssh packages as shipped in    Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain    ownership requirements for directories used as arguments for the    ChrootDirectory configuration options. A malicious user that also    has or previously had non-chroot shell access to a system could    possibly use this flaw to escalate their privileges and run    commands as any system user.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-2904 to this issue.

h. vMA and Service Console package ntp updated to    ntp-4.2.2p1-9.el5_4.1.i386.rpm

   A flaw was discovered in the way ntpd handled certain malformed NTP    packets. ntpd logged information about all such packets and replied    with an NTP packet that was treated as malformed when received by    another ntpd. A remote attacker could use this flaw to create an NTP    packet reply loop between two ntpd servers through a malformed packet    with a spoofed source IP address and port, causing ntpd on those    servers to use excessive amounts of CPU time and fill disk space with    log messages.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-3563 to this issue.   

i. vMA update for package kernel to 2.6.18-164.9.1.el5

   Updated vMA package kernel addresses the security issues listed    below.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2009-2849 to the security issue fixed in    kernel 2.6.18-128.2.1

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,    CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues    fixed in kernel 2.6.18-128.6.1

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,    CVE-2009-3726 to the security issues fixed in kernel    2.6.18-128.9.1

j. vMA 4.0 updates for the packages kpartx, libvolume-id,    device-mapper-multipath, fipscheck, dbus, dbus-libs, and ed

   kpartx updated to 0.4.7-23.el5_3.4, libvolume-id updated to    095-14.20.el5 device-mapper-multipath package updated to    0.4.7-23.el5_3.4, fipscheck updated to 1.0.3-1.el5, dbus    updated to 1.1.2-12.el5, dbus-libs updated to 1.1.2-12.el5,    and ed package updated to 0.2-39.el5_2.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the names CVE-2008-3916, CVE-2009-1189 and    CVE-2009-0115 to these issues.

a. Updated ESX patch updates Service Console package ed

   ed is a line-oriented text editor, used to create, display, and    modify text files (both interactively and via shell scripts).

   A heap-based buffer overflow was discovered in the way ed, the GNU    line editor, processed long file names. An attacker could create a    file with a specially crafted name that could possibly execute an    arbitrary code when opened in the ed editor.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2008-3916 to this issue.

A heap-based buffer overflow was found in GNU ed that allowed context-dependent or user-assisted attackers to execute arbitrary code via a long filename (CVE-2008-3916).

This update provides GNU ed 1.0, which is not vulnerable to this issue.

ed is a line-oriented text editor, used to create, display, and modify text files (both interactively and via shell scripts). A heap-based buffer overflow was discovered in the way ed, the GNU line editor, processed long file names. An attacker could create a file with a specially crafted name that could possibly execute an arbitrary code when opened in the ed editor. (CVE-2008-3916) Users of ed should upgrade to this updated package, which contains a backported patch to resolve this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An updated ed package that fixes one security issue is now available for Red Hat Enterprise Linux 2.1, 3, 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

ed is a line-oriented text editor, used to create, display, and modify text files (both interactively and via shell scripts).

A heap-based buffer overflow was discovered in the way ed, the GNU line editor, processed long file names. An attacker could create a file with a specially crafted name that could possibly execute an arbitrary code when opened in the ed editor. (CVE-2008-3916)

Users of ed should upgrade to this updated package, which contains a backported patch to resolve this issue.

The remote host is affected by the vulnerability described in GLSA-200809-15 (GNU ed: User-assisted execution of arbitrary code)

    Alfredo Ortega from Core Security Technologies reported a heap-based     buffer overflow in the strip_escapes() function when processing overly     long filenames.
  Impact :

    A remote attacker could entice a user to process specially crafted     commands with ed or red, possibly resulting in the execution of     arbitrary code with the privileges of the user running the application.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
89737	VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2010-0004) (remote check)	Nessus	VMware ESX Local Security Checks	high
67757	Oracle Linux 5 : ed (ELSA-2008-0946)	Nessus	Oracle Linux Local Security Checks	critical
60484	Scientific Linux Security Update : ed on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
53709	openSUSE Security Update : ed (openSUSE-SU-2010:1084-1)	Nessus	SuSE Local Security Checks	high
51639	SuSE 10 Security Update : ed (ZYPP Patch Number 7301)	Nessus	SuSE Local Security Checks	high
51597	SuSE 11.1 Security Update : ed (SAT Patch Number 3792)	Nessus	SuSE Local Security Checks	high
44993	VMSA-2010-0004 : ESX Service Console and vMA third-party updates	Nessus	VMware ESX Local Security Checks	high
40388	VMSA-2009-0003 : ESX 2.5.5 patch 12 updates service console package ed	Nessus	VMware ESX Local Security Checks	high
37658	Mandriva Linux Security Advisory : ed (MDVSA-2008:200)	Nessus	Mandriva Local Security Checks	high
34676	Fedora 9 : ed-1.1-1.fc9 (2008-9263)	Nessus	Fedora Local Security Checks	high
34674	Fedora 8 : ed-1.1-1.fc8 (2008-9236)	Nessus	Fedora Local Security Checks	high
34467	RHEL 2.1 / 3 / 4 / 5 : ed (RHSA-2008:0946)	Nessus	Red Hat Local Security Checks	high
34463	CentOS 3 / 4 / 5 : ed (CESA-2008:0946)	Nessus	CentOS Local Security Checks	high
34273	GLSA-200809-15 : GNU ed: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high

Detections

Analytics

CVE-2008-3916

critical

Tenable Plugins

high

critical

high

high

high

high

high

high

high

high

high

high

high

high