{"lastseen": "2019-10-04T12:19:23", "references": ["https://launchpad.net/bugs/1673627", "http://www.securityfocus.com/bid/97154", "https://www.ubuntu.com/usn/usn-3246-1/", "http://www.debian.org/security/2017/dsa-3823", "https://www.debian.org/security/2017/dsa-3823"], "scheme": null, "description": "dmcrypt-get-device, as shipped in the eject package of Debian and Ubuntu, does not check the return value of the (1) setuid or (2) setgid function, which might cause dmcrypt-get-device to execute code, which was intended to run as an unprivileged user, as root. This affects eject through 2.1.5+deb1+cvs20081104-13.1 on Debian, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 on Ubuntu 16.10, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 on Ubuntu 16.04 LTS, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 on Ubuntu 14.04 LTS, and eject before 2.1.5+deb1+cvs20081104-9ubuntu0.1 on Ubuntu 12.04 LTS.", "edition": 2, "reporter": "cve@mitre.org", "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "published": "2017-03-28T01:59:00", "title": "CVE-2017-6964", "type": "cve", "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310890876", "OPENVAS:703823", "OPENVAS:1361412562310703823", "OPENVAS:1361412562310843112"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:7ABCAE7E25EC5DC69D622315D9BE6721"]}, {"type": "debian", "idList": ["DEBIAN:DLA-876-1:D4ECC", "DEBIAN:DSA-3823-1:589F1"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-3823.NASL", "UBUNTU_USN-3246-1.NASL", "DEBIAN_DLA-876.NASL"]}, {"type": "ubuntu", "idList": ["USN-3246-1"]}], "modified": "2019-10-04T12:19:23", "rev": 2}, "score": {"value": 4.1, "vector": "NONE", "modified": "2019-10-04T12:19:23", "rev": 2}, "vulnersScore": 4.1}, "cwe": ["CWE-252"], "bulletinFamily": "NVD", "affectedSoftware": [{"name": "canonical ubuntu_linux", "operator": "eq", "version": "16.04"}, {"name": "debian debian_linux", "operator": "eq", "version": "8.0"}, {"name": "canonical ubuntu_linux", "operator": "eq", "version": "16.10"}, {"name": "canonical ubuntu_linux", "operator": "eq", "version": "14.04"}, {"name": "canonical ubuntu_linux", "operator": "eq", "version": "12.04"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvelist": ["CVE-2017-6964"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:debian:debian_linux:8.0", "cpe:/a:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:16.10", "cpe:/a:canonical:ubuntu_linux:16.10", "cpe:/a:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2017-6964", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6964", "viewCount": 91, "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*"]}

{"openvas": [{"lastseen": "2020-01-29T20:07:21", "description": "Ilja Van Sprundel discovered that eject (a tool to eject CD/DVD drives) did not

properly handle errors returned from setuid/setgid.", "edition": 10, "published": "2018-01-12T00:00:00", "title": "Debian LTS: Security Advisory for eject (DLA-876-1)", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6964"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310890876", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890876", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH

# Text descriptions are largely excerpted from the referenced

# advisory, and are Copyright (C) of the respective author(s)

#

# SPDX-License-Identifier: GPL-2.0-or-later

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.



if(description)

{

script_oid(\"1.3.6.1.4.1.25623.1.0.890876\");

script_version(\"2020-01-29T08:22:52+0000\");

script_cve_id(\"CVE-2017-6964\");

script_name(\"Debian LTS: Security Advisory for eject (DLA-876-1)\");

script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");

script_tag(name:\"creation_date\", value:\"2018-01-12 00:00:00 +0100 (Fri, 12 Jan 2018)\");

script_tag(name:\"cvss_base\", value:\"7.2\");

script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_tag(name:\"solution_type\", value:\"VendorFix\");

script_tag(name:\"qod_type\", value:\"package\");



script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/03/msg00034.html\");



script_category(ACT_GATHER_INFO);



script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");

script_family(\"Debian Local Security Checks\");

script_dependencies(\"gather-package-list.nasl\");

script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");



script_tag(name:\"affected\", value:\"eject on Debian Linux\");



script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', this issue has been fixed in eject version

2.1.5+deb1+cvs20081104-13+deb7u1.



We recommend that you upgrade your eject packages.\");



script_tag(name:\"summary\", value:\"Ilja Van Sprundel discovered that eject (a tool to eject CD/DVD drives) did not

properly handle errors returned from setuid/setgid.\");



script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");



exit(0);

}



include(\"revisions-lib.inc\");

include(\"pkg-lib-deb.inc\");



res = \"\";

report = \"\";

if(!isnull(res = isdpkgvuln(pkg:\"eject\", ver:\"2.1.5+deb1+cvs20081104-13+deb7u1\", rls:\"DEB7\"))) {

report += res;

}



if(report != \"\") {

security_message(data:report);

} else if(__pkg_match) {

exit(99);

}

", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:37", "description": "The remote host is missing an update for the ", "edition": 9, "published": "2017-03-28T00:00:00", "title": "Ubuntu Update for eject USN-3246-1", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6964"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310843112", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843112", "sourceData": "###############################################################################

# OpenVAS Vulnerability Test

#

# Ubuntu Update for eject USN-3246-1

#

# Authors:

# System Generated Check

#

# Copyright:

# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net

#

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License version 2

# (or any later version), as published by the Free Software Foundation.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

###############################################################################



if(description)

{

script_oid(\"1.3.6.1.4.1.25623.1.0.843112\");

script_version(\"$Revision: 14140 $\");

script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");

script_tag(name:\"creation_date\", value:\"2017-03-28 06:30:13 +0200 (Tue, 28 Mar 2017)\");

script_cve_id(\"CVE-2017-6964\");

script_tag(name:\"cvss_base\", value:\"7.2\");

script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_tag(name:\"qod_type\", value:\"package\");

script_name(\"Ubuntu Update for eject USN-3246-1\");

script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'eject'

package(s) announced via the referenced advisory.\");

script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");

script_tag(name:\"insight\", value:\"Ilja Van Sprundel discovered that

dmcrypt-get-device incorrectly checked setuid and setgid return values. A local

attacker could use this issue to execute code as an administrator.\");

script_tag(name:\"affected\", value:\"eject on Ubuntu 16.10,

Ubuntu 16.04 LTS,

Ubuntu 14.04 LTS,

Ubuntu 12.04 LTS\");

script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");



script_xref(name:\"USN\", value:\"3246-1\");

script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3246-1/\");

script_tag(name:\"solution_type\", value:\"VendorFix\");

script_category(ACT_GATHER_INFO);

script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");

script_family(\"Ubuntu Local Security Checks\");

script_dependencies(\"gather-package-list.nasl\");

script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|16\\.10|12\\.04 LTS|16\\.04 LTS)\");



exit(0);

}



include(\"revisions-lib.inc\");

include(\"pkg-lib-deb.inc\");



release = dpkg_get_ssh_release();

if(!release)

exit(0);



res = \"\";



if(release == \"UBUNTU14.04 LTS\")

{



if ((res = isdpkgvuln(pkg:\"eject\", ver:\"2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)

{

security_message(data:res);

exit(0);

}



if (__pkg_match) exit(99);

exit(0);

}





if(release == \"UBUNTU16.10\")

{



if ((res = isdpkgvuln(pkg:\"eject\", ver:\"2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1\", rls:\"UBUNTU16.10\")) != NULL)

{

security_message(data:res);

exit(0);

}



if (__pkg_match) exit(99);

exit(0);

}





if(release == \"UBUNTU12.04 LTS\")

{



if ((res = isdpkgvuln(pkg:\"eject\", ver:\"2.1.5+deb1+cvs20081104-9ubuntu0.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)

{

security_message(data:res);

exit(0);

}



if (__pkg_match) exit(99);

exit(0);

}





if(release == \"UBUNTU16.04 LTS\")

{



if ((res = isdpkgvuln(pkg:\"eject\", ver:\"2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)

{

security_message(data:res);

exit(0);

}



if (__pkg_match) exit(99);

exit(0);

}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:24", "description": "Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to

check if a given device is an encrypted device handled by devmapper, and

used in eject, does not check return values from setuid() and setgid()

when dropping privileges.", "edition": 5, "published": "2017-03-28T00:00:00", "title": "Debian Security Advisory DSA 3823-1 (eject - security update)", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6964"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703823", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703823", "sourceData": "# OpenVAS Vulnerability Test

# $Id: deb_3823.nasl 14280 2019-03-18 14:50:45Z cfischer $

# Auto-generated from advisory DSA 3823-1 using nvtgen 1.0

# Script version: 1.0

#

# Author:

# Greenbone Networks

#

# Copyright:

# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net

# Text descriptions are largely excerpted from the referenced

# advisory, and are Copyright (c) the respective author(s)

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

#



if(description)

{

script_oid(\"1.3.6.1.4.1.25623.1.0.703823\");

script_version(\"$Revision: 14280 $\");

script_cve_id(\"CVE-2017-6964\");

script_name(\"Debian Security Advisory DSA 3823-1 (eject - security update)\");

script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");

script_tag(name:\"creation_date\", value:\"2017-03-28 00:00:00 +0200 (Tue, 28 Mar 2017)\");

script_tag(name:\"cvss_base\", value:\"7.2\");

script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_tag(name:\"solution_type\", value:\"VendorFix\");

script_tag(name:\"qod_type\", value:\"package\");



script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3823.html\");



script_category(ACT_GATHER_INFO);



script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");

script_family(\"Debian Local Security Checks\");

script_dependencies(\"gather-package-list.nasl\");

script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");

script_tag(name:\"affected\", value:\"eject on Debian Linux\");

script_tag(name:\"solution\", value:\"For the stable distribution (jessie), this problem has been fixed in

version 2.1.5+deb1+cvs20081104-13.1+deb8u1.



For the unstable distribution (sid), this problem has been fixed in

version 2.1.5+deb1+cvs20081104-13.2.



We recommend that you upgrade your eject packages.\");

script_tag(name:\"summary\", value:\"Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to

check if a given device is an encrypted device handled by devmapper, and

used in eject, does not check return values from setuid() and setgid()

when dropping privileges.\");

script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");



exit(0);

}



include(\"revisions-lib.inc\");

include(\"pkg-lib-deb.inc\");



res = \"\";

report = \"\";

if((res = isdpkgvuln(pkg:\"eject\", ver:\"2.1.5+deb1+cvs20081104-13.1+deb8u1\", rls:\"DEB8\")) != NULL) {

report += res;

}



if(report != \"\") {

security_message(data:report);

} else if(__pkg_match) {

exit(99);

}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:57:26", "description": "Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to

check if a given device is an encrypted device handled by devmapper, and

used in eject, does not check return values from setuid() and setgid()

when dropping privileges.", "edition": 2, "published": "2017-03-28T00:00:00", "title": "Debian Security Advisory DSA 3823-1 (eject - security update)", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6964"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703823", "id": "OPENVAS:703823", "sourceData": "# OpenVAS Vulnerability Test

# $Id: deb_3823.nasl 6607 2017-07-07 12:04:25Z cfischer $

# Auto-generated from advisory DSA 3823-1 using nvtgen 1.0

# Script version: 1.0

#

# Author:

# Greenbone Networks

#

# Copyright:

# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net

# Text descriptions are largely excerpted from the referenced

# advisory, and are Copyright (c) the respective author(s)

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

#





if(description)

{

script_id(703823);

script_version(\"$Revision: 6607 $\");

script_cve_id(\"CVE-2017-6964\");

script_name(\"Debian Security Advisory DSA 3823-1 (eject - security update)\");

script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:04:25 +0200 (Fri, 07 Jul 2017) $\");

script_tag(name: \"creation_date\", value: \"2017-03-28 00:00:00 +0200 (Tue, 28 Mar 2017)\");

script_tag(name:\"cvss_base\", value:\"7.2\");

script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_tag(name: \"solution_type\", value: \"VendorFix\");

script_tag(name: \"qod_type\", value: \"package\");



script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3823.html\");



script_category(ACT_GATHER_INFO);



script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");

script_family(\"Debian Local Security Checks\");

script_dependencies(\"gather-package-list.nasl\");

script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");

script_tag(name: \"affected\", value: \"eject on Debian Linux\");

script_tag(name: \"insight\", value: \"This little program will eject CD-ROMs (assuming your drive supports

the CDROMEJECT ioctl). It also allows setting the autoeject feature.\");

script_tag(name: \"solution\", value: \"For the stable distribution (jessie), this problem has been fixed in

version 2.1.5+deb1+cvs20081104-13.1+deb8u1.



For the unstable distribution (sid), this problem has been fixed in

version 2.1.5+deb1+cvs20081104-13.2.



We recommend that you upgrade your eject packages.\");

script_tag(name: \"summary\", value: \"Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to

check if a given device is an encrypted device handled by devmapper, and

used in eject, does not check return values from setuid() and setgid()

when dropping privileges.\");

script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");



exit(0);

}



include(\"revisions-lib.inc\");

include(\"pkg-lib-deb.inc\");



res = \"\";

report = \"\";

if ((res = isdpkgvuln(pkg:\"eject\", ver:\"2.1.5+deb1+cvs20081104-13.1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}



if (report != \"\") {

security_message(data:report);

} else if (__pkg_match) {

exit(99); # Not vulnerable.

}

", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:34:09", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6964"], "description": "Ilja Van Sprundel discovered that dmcrypt-get-device incorrectly checked setuid

and setgid return values. A local attacker could use this issue to execute code

as an administrator.", "edition": 5, "modified": "2017-03-27T00:00:00", "published": "2017-03-27T00:00:00", "id": "USN-3246-1", "href": "https://ubuntu.com/security/notices/USN-3246-1", "title": "Eject vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-09-14T13:32:27", "description": "Ilja Van Sprundel discovered that eject (a tool to eject CD/DVD

drives) did not properly handle errors returned from setuid/setgid.



For Debian 7 'Wheezy', this issue has been fixed in eject version

2.1.5+deb1+cvs20081104-13+deb7u1.



We recommend that you upgrade your eject packages.



NOTE: Tenable Network Security has extracted the preceding description

block directly from the DLA security advisory. Tenable has attempted

to automatically clean and format it as much as possible without

introducing additional issues.", "edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-30T00:00:00", "title": "Debian DLA-876-1 : eject security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6964"], "modified": "2017-03-30T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:eject", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-876.NASL", "href": "https://www.tenable.com/plugins/nessus/99042", "sourceData": "#%NASL_MIN_LEVEL 80502

#

# (C) Tenable Network Security, Inc.

#

# The descriptive text and package checks in this plugin were

# extracted from Debian Security Advisory DLA-876-1. The text

# itself is copyright (C) Software in the Public Interest, Inc.

#



include(\"compat.inc\");



if (description)

{

script_id(99042);

script_version(\"3.8\");

script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");



script_cve_id(\"CVE-2017-6964\");



script_name(english:\"Debian DLA-876-1 : eject security update\");

script_summary(english:\"Checks dpkg output for the updated package.\");



script_set_attribute(

attribute:\"synopsis\",

value:\"The remote Debian host is missing a security update.\"

);

script_set_attribute(

attribute:\"description\",

value:

\"Ilja Van Sprundel discovered that eject (a tool to eject CD/DVD

drives) did not properly handle errors returned from setuid/setgid.



For Debian 7 'Wheezy', this issue has been fixed in eject version

2.1.5+deb1+cvs20081104-13+deb7u1.



We recommend that you upgrade your eject packages.



NOTE: Tenable Network Security has extracted the preceding description

block directly from the DLA security advisory. Tenable has attempted

to automatically clean and format it as much as possible without

introducing additional issues.\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://lists.debian.org/debian-lts-announce/2017/03/msg00034.html\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://packages.debian.org/source/wheezy/eject\"

);

script_set_attribute(

attribute:\"solution\",

value:\"Upgrade the affected eject package.\"

);

script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");

script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");

script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");

script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");

script_set_attribute(attribute:\"exploit_available\", value:\"false\");



script_set_attribute(attribute:\"plugin_type\", value:\"local\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:eject\");

script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");



script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/28\");

script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/30\");

script_end_attributes();



script_category(ACT_GATHER_INFO);

script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");

script_family(english:\"Debian Local Security Checks\");



script_dependencies(\"ssh_get_info.nasl\");

script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");



exit(0);

}





include(\"audit.inc\");

include(\"debian_package.inc\");





if (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

if (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");

if (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);





flag = 0;

if (deb_check(release:\"7.0\", prefix:\"eject\", reference:\"2.1.5+deb1+cvs20081104-13+deb7u1\")) flag++;



if (flag)

{

if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());

else security_hole(0);

exit(0);

}

else audit(AUDIT_HOST_NOT, \"affected\");

", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-04T06:08:13", "description": "Ilja Van Sprundel discovered that dmcrypt-get-device incorrectly

checked setuid and setgid return values. A local attacker could use

this issue to execute code as an administrator.



Note that Tenable Network Security has extracted the preceding

description block directly from the Ubuntu security advisory. Tenable

has attempted to automatically clean and format it as much as possible

without introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-28T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : eject vulnerability (USN-3246-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6964"], "modified": "2020-09-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:16.10", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:eject", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3246-1.NASL", "href": "https://www.tenable.com/plugins/nessus/99025", "sourceData": "#

# (C) Tenable Network Security, Inc.

#

# The descriptive text and package checks in this plugin were

# extracted from Ubuntu Security Notice USN-3246-1. The text

# itself is copyright (C) Canonical, Inc. See

# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered

# trademark of Canonical, Inc.

#



include(\"compat.inc\");



if (description)

{

script_id(99025);

script_version(\"3.10\");

script_cvs_date(\"Date: 2019/09/18 12:31:46\");



script_cve_id(\"CVE-2017-6964\");

script_xref(name:\"USN\", value:\"3246-1\");



script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : eject vulnerability (USN-3246-1)\");

script_summary(english:\"Checks dpkg output for updated package.\");



script_set_attribute(

attribute:\"synopsis\",

value:\"The remote Ubuntu host is missing a security-related patch.\"

);

script_set_attribute(

attribute:\"description\",

value:

\"Ilja Van Sprundel discovered that dmcrypt-get-device incorrectly

checked setuid and setgid return values. A local attacker could use

this issue to execute code as an administrator.



Note that Tenable Network Security has extracted the preceding

description block directly from the Ubuntu security advisory. Tenable

has attempted to automatically clean and format it as much as possible

without introducing additional issues.\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://usn.ubuntu.com/3246-1/\"

);

script_set_attribute(attribute:\"solution\", value:\"Update the affected eject package.\");

script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");

script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");

script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");

script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");

script_set_attribute(attribute:\"exploit_available\", value:\"false\");



script_set_attribute(attribute:\"plugin_type\", value:\"local\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:eject\");

script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");

script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");

script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");

script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");



script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/28\");

script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/27\");

script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/28\");

script_set_attribute(attribute:\"generated_plugin\", value:\"current\");

script_end_attributes();



script_category(ACT_GATHER_INFO);

script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");

script_family(english:\"Ubuntu Local Security Checks\");



script_dependencies(\"ssh_get_info.nasl\");

script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");



exit(0);

}





include(\"audit.inc\");

include(\"ubuntu.inc\");

include(\"misc_func.inc\");



if ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item(\"Host/Ubuntu/release\");

if ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");

release = chomp(release);

if (! preg(pattern:\"^(12\\.04|14\\.04|16\\.04|16\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 16.04 / 16.10\", \"Ubuntu \" + release);

if ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);



cpu = get_kb_item(\"Host/cpu\");

if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);

if (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);



flag = 0;



if (ubuntu_check(osver:\"12.04\", pkgname:\"eject\", pkgver:\"2.1.5+deb1+cvs20081104-9ubuntu0.1\")) flag++;

if (ubuntu_check(osver:\"14.04\", pkgname:\"eject\", pkgver:\"2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1\")) flag++;

if (ubuntu_check(osver:\"16.04\", pkgname:\"eject\", pkgver:\"2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1\")) flag++;

if (ubuntu_check(osver:\"16.10\", pkgname:\"eject\", pkgver:\"2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1\")) flag++;



if (flag)

{

security_report_v4(

port : 0,

severity : SECURITY_HOLE,

extra : ubuntu_report_get()

);

exit(0);

}

else

{

tested = ubuntu_pkg_tests_get();

if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);

else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"eject\");

}

", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-04T01:24:34", "description": "Ilja Van Sprundel discovered that the dmcrypt-get-device helper used

to check if a given device is an encrypted device handled by

devmapper, and used in eject, does not check return values from

setuid() and setgid() when dropping privileges.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-30T00:00:00", "title": "Debian DSA-3823-1 : eject - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6964"], "modified": "2020-09-02T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:eject"], "id": "DEBIAN_DSA-3823.NASL", "href": "https://www.tenable.com/plugins/nessus/99046", "sourceData": "#

# (C) Tenable Network Security, Inc.

#

# The descriptive text and package checks in this plugin were

# extracted from Debian Security Advisory DSA-3823. The text

# itself is copyright (C) Software in the Public Interest, Inc.

#



include(\"compat.inc\");



if (description)

{

script_id(99046);

script_version(\"3.10\");

script_cvs_date(\"Date: 2018/11/10 11:49:38\");



script_cve_id(\"CVE-2017-6964\");

script_xref(name:\"DSA\", value:\"3823\");



script_name(english:\"Debian DSA-3823-1 : eject - security update\");

script_summary(english:\"Checks dpkg output for the updated package\");



script_set_attribute(

attribute:\"synopsis\",

value:\"The remote Debian host is missing a security-related update.\"

);

script_set_attribute(

attribute:\"description\",

value:

\"Ilja Van Sprundel discovered that the dmcrypt-get-device helper used

to check if a given device is an encrypted device handled by

devmapper, and used in eject, does not check return values from

setuid() and setgid() when dropping privileges.\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858872\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://packages.debian.org/source/jessie/eject\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://www.debian.org/security/2017/dsa-3823\"

);

script_set_attribute(

attribute:\"solution\",

value:

\"Upgrade the eject packages.



For the stable distribution (jessie), this problem has been fixed in

version 2.1.5+deb1+cvs20081104-13.1+deb8u.\"

);

script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");

script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");

script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");

script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");

script_set_attribute(attribute:\"exploit_available\", value:\"false\");



script_set_attribute(attribute:\"plugin_type\", value:\"local\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:eject\");

script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");



script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/28\");

script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/30\");

script_end_attributes();



script_category(ACT_GATHER_INFO);

script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");

script_family(english:\"Debian Local Security Checks\");



script_dependencies(\"ssh_get_info.nasl\");

script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");



exit(0);

}





include(\"audit.inc\");

include(\"debian_package.inc\");





if (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

if (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");

if (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);





flag = 0;

if (deb_check(release:\"8.0\", prefix:\"eject\", reference:\"2.1.5+deb1+cvs20081104-13.1+deb8u\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"eject-udeb\", reference:\"2.1.5+deb1+cvs20081104-13.1+deb8u\")) flag++;



if (flag)

{

if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());

else security_hole(0);

exit(0);

}

else audit(AUDIT_HOST_NOT, \"affected\");

", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-08-12T00:59:58", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6964"], "description": "- -------------------------------------------------------------------------

Debian Security Advisory DSA-3823-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 28, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------



Package : eject

CVE ID : CVE-2017-6964

Debian Bug : 858872



Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to

check if a given device is an encrypted device handled by devmapper, and

used in eject, does not check return values from setuid() and setgid()

when dropping privileges.



For the stable distribution (jessie), this problem has been fixed in

version 2.1.5+deb1+cvs20081104-13.1+deb8u1.



For the unstable distribution (sid), this problem has been fixed in

version 2.1.5+deb1+cvs20081104-13.2.



We recommend that you upgrade your eject packages.



Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/



Mailing list: debian-security-announce@lists.debian.org

", "edition": 14, "modified": "2017-03-28T15:41:46", "published": "2017-03-28T15:41:46", "id": "DEBIAN:DSA-3823-1:589F1", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00079.html", "title": "[SECURITY] [DSA 3823-1] eject security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:22:15", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6964"], "description": "Package : eject

Version : 2.1.5+deb1+cvs20081104-13+deb7u1

CVE ID : CVE-2017-6964

Debian Bug : #858872



Ilja Van Sprundel discovered that eject (a tool to eject CD/DVD drives) did not

properly handle errors returned from setuid/setgid.



For Debian 7 "Wheezy", this issue has been fixed in eject version

2.1.5+deb1+cvs20081104-13+deb7u1.



We recommend that you upgrade your eject packages.





Regards,



- --

,''`.

: :' : Chris Lamb

`. `'` lamby@debian.org / chris-lamb.co.uk

`-



", "edition": 2, "modified": "2017-03-28T08:52:42", "published": "2017-03-28T08:52:42", "id": "DEBIAN:DLA-876-1:D4ECC", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201703/msg00034.html", "title": "[SECURITY] [DLA 876-1] eject security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:59", "bulletinFamily": "software", "cvelist": ["CVE-2017-6964"], "description": "#



# Severity



Medium



# Vendor



Canonical Ubuntu



# Versions Affected



* Canonical Ubuntu 14.04



# Description



Ilja Van Sprundel discovered that dmcrypt-get-device incorrectly checked setuid and setgid return values. A local attacker could use this issue to execute code as an administrator.



# Affected Cloud Foundry Products and Versions



_Severity is medium unless otherwise noted._



* Cloud Foundry BOSH stemcells are vulnerable, including:

* 3151.x versions prior to 3151.16

* 3263.x versions prior to 3263.24

* 3312.x versions prior to 3312.24

* 3363.x versions prior to 3363.20

* All other stemcells not listed.

* All versions of Cloud Foundry cflinuxfs2 prior to 1.112.0



# Mitigation



OSS users are strongly encouraged to follow one of the mitigations below:



* The Cloud Foundry project recommends upgrading the following BOSH stemcells:

* Upgrade 3151.x versions to 3151.16 or later

* Upgrade 3263.x versions to 3263.24 or later

* Upgrade 3312.x versions to 3312.24 or later

* Upgrade 3363.x versions to 3363.20 or later

* All other stemcells should be upgraded to the latest version.

* The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 versions 1.112.0 or later.



# References



* [USN-3246-1](<http://www.ubuntu.com/usn/usn-3246-1/>)

* [CVE-2017-6964](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6964>)

* [bosh.io](<https://bosh.io>)

", "edition": 5, "modified": "2017-05-01T00:00:00", "published": "2017-05-01T00:00:00", "id": "CFOUNDRY:7ABCAE7E25EC5DC69D622315D9BE6721", "href": "https://www.cloudfoundry.org/blog/usn-3246-1/", "title": "USN-3246-1: Eject vulnerability | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}