SUSE SLES11 Security Update : zsh (SUSE-SU-2022:14910-1)

critical Nessus Plugin ID 159025

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES11 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:14910-1 advisory.

- zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege-elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where env_reset has been disabled. (CVE-2014-10070)

- In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds in the >& fd syntax. (CVE-2014-10071)

- In utils.c in zsh before 5.0.6, there is a buffer overflow when scanning very long directory paths for symbolic links. (CVE-2014-10072)

- In zsh before 5.3, an off-by-one error resulted in undersized buffers that were intended to support PATH_MAX characters. (CVE-2016-10714)

- In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not set. (CVE-2017-18205)

- In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. (CVE-2017-18206)

- An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line. (CVE-2018-0502)

- zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service. (CVE-2018-1071)

- Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in the shell autocomplete functionality. A local unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use autocomplete to traverse the aforementioned path. If the affected user is privileged, this leads to privilege escalation. (CVE-2018-1083)

- An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one. (CVE-2018-13259)

- In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p. (CVE-2018-7549)

- In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid(). (CVE-2019-20044)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected zsh package.

See Also

https://bugzilla.suse.com/1082885

https://bugzilla.suse.com/1082975

https://bugzilla.suse.com/1082977

https://bugzilla.suse.com/1082991

https://bugzilla.suse.com/1082998

https://bugzilla.suse.com/1083002

https://bugzilla.suse.com/1083250

https://bugzilla.suse.com/1084656

https://bugzilla.suse.com/1087026

https://bugzilla.suse.com/1107294

https://bugzilla.suse.com/1107296

https://bugzilla.suse.com/1163882

https://www.suse.com/security/cve/CVE-2014-10070

https://www.suse.com/security/cve/CVE-2014-10071

https://www.suse.com/security/cve/CVE-2014-10072

https://www.suse.com/security/cve/CVE-2016-10714

https://www.suse.com/security/cve/CVE-2017-18205

https://www.suse.com/security/cve/CVE-2017-18206

https://www.suse.com/security/cve/CVE-2018-0502

https://www.suse.com/security/cve/CVE-2018-1071

https://www.suse.com/security/cve/CVE-2018-1083

https://www.suse.com/security/cve/CVE-2018-13259

https://www.suse.com/security/cve/CVE-2018-7549

https://www.suse.com/security/cve/CVE-2019-20044

http://www.nessus.org/u?d092cdb8

Plugin Details

Severity: Critical

ID: 159025

File Name: suse_SU-2022-14910-1.nasl

Version: 1.5

Type: local

Agent: unix

Published: 3/17/2022

Updated: 7/14/2023

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-13259

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:11, p-cpe:/a:novell:suse_linux:zsh

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/14/2022

Vulnerability Publication Date: 2/27/2018

Reference Information

CVE: CVE-2014-10070, CVE-2014-10071, CVE-2014-10072, CVE-2016-10714, CVE-2017-18205, CVE-2017-18206, CVE-2018-0502, CVE-2018-1071, CVE-2018-1083, CVE-2018-13259, CVE-2018-7549, CVE-2019-20044

SuSE: SUSE-SU-2022:14910-1