Detections
Analytics

RHEL 7 : etcd (Unpatched Vulnerability)

critical Nessus Plugin ID 196026

Synopsis

The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.

Description

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

 - etcd: Cross-site request forgery via crafted local POST forms (CVE-2018-1098)

 - etcd: Information discosure via debug function (CVE-2021-28235)

 - DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).
 (CVE-2018-1099)

 - In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700). (CVE-2020-15113)

 - In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway. (CVE-2020-15114)

 - etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute- force users' passwords with little computational effort. (CVE-2020-15115)

 - In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.
 (CVE-2020-15136)

 - Etcd v3.5.4 allows remote attackers to cause a denial of service via function PageWriter.write in pagewriter.go. NOTE: the vendor's position is that this is not a vulnerability. (CVE-2022-34038)

 - etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds. (CVE-2023-32082)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

Solution

The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation guidance.

Plugin Details

Severity: Critical

ID: 196026

File Name: redhat_unpatched-etcd-rhel7.nasl

Version: 1.0

Type: local

Agent: unix

Published: 5/11/2024

Updated: 5/11/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-1098

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-28235

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:etcd, p-cpe:/a:redhat:enterprise_linux:etcd3

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/3/2018

Reference Information

CVE: CVE-2018-1098, CVE-2018-1099, CVE-2020-15113, CVE-2020-15114, CVE-2020-15115, CVE-2020-15136, CVE-2021-28235, CVE-2022-34038, CVE-2023-32082