CBL Mariner 2.0 Security Update: gcc (CVE-2023-4039)

medium Nessus Plugin ID 182159

Synopsis

The remote CBL Mariner host is missing one or more security updates.

Description

The version of gcc installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-4039 advisory.

- **DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. (CVE-2023-4039)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://nvd.nist.gov/vuln/detail/CVE-2023-4039

Plugin Details

Severity: Medium

ID: 182159

File Name: mariner_gcc_CVE-2023-4039.nasl

Version: 1.1

Type: local

Published: 9/28/2023

Updated: 7/4/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.3

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2023-4039

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:microsoft:cbl-mariner:libgcc, p-cpe:/a:microsoft:cbl-mariner:gcc-c%2b%2b, p-cpe:/a:microsoft:cbl-mariner:libbacktrace-static, p-cpe:/a:microsoft:cbl-mariner:gcc-debuginfo, p-cpe:/a:microsoft:cbl-mariner:libstdc%2b%2b, x-cpe:/o:microsoft:cbl-mariner, p-cpe:/a:microsoft:cbl-mariner:libgcc-devel, p-cpe:/a:microsoft:cbl-mariner:libstdc%2b%2b-devel, p-cpe:/a:microsoft:cbl-mariner:gcc, p-cpe:/a:microsoft:cbl-mariner:libgomp, p-cpe:/a:microsoft:cbl-mariner:libgcc-atomic, p-cpe:/a:microsoft:cbl-mariner:libgomp-devel, p-cpe:/a:microsoft:cbl-mariner:gfortran

Required KB Items: Host/local_checks_enabled, Host/CBLMariner/release, Host/CBLMariner/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/12/2023

Vulnerability Publication Date: 9/8/2023

Reference Information

CVE: CVE-2023-4039