CLD-366 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-1000161 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) nmap
Deficiency Type SECURITY
Date Created 2018-04-18 18:17:25
Date Last Modified 2018-04-19 12:51:04

Version Specific Information:

Cucumber 1.0 i686 fixed in nmap-7.70-i686-1
Cucumber 1.0 x86_64 fixed in nmap-7.70-x86_64-1

Cucumber 1.1 i686 fixed in nmap-7.70-i686-1
Cucumber 1.1 x86_64 fixed in nmap-7.70-x86_64-1

Details:

=================================== Overview ===================================

nmap versions 6.49BETA6 through 7.60, up to and including SVN revision 37147,
contain a directory traversal vulnerability in the NSE script http-fetch that
can result in files being written outside the intended destination directory,
with the privileges of the user running nmap. The attack is exploitable when a
victim runs the http-fetch NSE script against a malicious web site. This
vulnerability was fixed in nmap 7.70.

============================ Additional Information ============================

From https://nmap.org/changelog#7.70:

[NSE][SECURITY] Nmap developer nnposter found a security flaw (directory
traversal vulnerability) in the way the non-default http-fetch script sanitized
URLs. If a user manually ran this NSE script against a malicious web server, the
server could potentially (depending on NSE arguments used) cause files to be
saved outside the intended destination directory. Existing files couldn't be
overwritten. We fixed http-fetch, audited our other scripts to ensure they
didn't make this mistake, and updated the httpspider library API to protect
against this by default. [nnposter, Daniel Miller] 

================================= Our Analysis =================================

----- Affected Products -----
Nmap versions 6.49BETA6 through 7.60 (inclusive) are vulnerable. This includes
nmap as originally packaged in Cucumber Linux 1.0 and 1.1 (which used nmap
7.31).

----- Scope and Impact of this Vulnerability -----
Allows a malicious web server, when scanned with the non-default http-fetch
NSE script, to cause files to be written outside the intended destination
directory on the scanning machine, with the privileges of the user running
nmap. Per the upstream changelog, existing files could not be overwritten, and
the impact depends on which NSE arguments were passed to http-fetch. Default
scans (without http-fetch) are not affected.
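
The following Python is an added illustration of the bug class described
above; it is not nmap's Lua http-fetch script or its actual fix, and the
hostnames, URLs and directory layout in it are constructed for the example.
It shows the weak URL-to-path mapping beside a hardened one that refuses any
path resolving outside the destination directory (including percent-encoded
"%2e%2e" segments), and an O_EXCL open that refuses to clobber existing files,
matching the limitation the changelog notes for the original flaw.

```python
"""Added example for CVE-2018-1000161 style traversal: mapping a URL path
supplied by an untrusted web server onto a local destination directory.
Not nmap's code; names and paths below are made up for illustration."""
import os
import tempfile
from urllib.parse import urlparse, unquote


def naive_target(dest_dir: str, url: str) -> str:
    """Weak mapping: strip the leading '/' and join.  A server that links to
    /../../etc/cron.d/job steers the write out of dest_dir.  The result is
    normalised so the caller sees the path the filesystem would actually use."""
    path = unquote(urlparse(url).path).lstrip("/")
    return os.path.normpath(os.path.join(dest_dir, path))


def safe_target(dest_dir: str, url: str) -> str:
    """Hardened mapping: resolve the candidate and require it to stay under
    the resolved destination directory.  realpath also follows symlinks, so a
    link planted inside dest_dir cannot redirect the write either."""
    base = os.path.realpath(dest_dir)
    rel = unquote(urlparse(url).path).lstrip("/")
    if rel == "":
        raise ValueError("URL has no file component")
    candidate = os.path.realpath(os.path.join(base, rel))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("URL path escapes destination directory: %r" % rel)
    return candidate


def rejects(dest_dir: str, url: str) -> bool:
    """True if safe_target refuses the URL."""
    try:
        safe_target(dest_dir, url)
    except ValueError:
        return True
    return False


def save_fetched(dest_dir: str, url: str, body: bytes) -> str:
    """Write a fetched body under dest_dir.  O_EXCL makes the open fail with
    FileExistsError instead of overwriting an existing file."""
    target = safe_target(dest_dir, url)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(body)
    return target


def demo() -> dict:
    """Run the cases against a fresh temporary directory and return the
    observations so they can be checked rather than only printed."""
    dest = tempfile.mkdtemp(prefix="http-fetch-")          # scratch dir
    hostile = "http://malicious.example/../../etc/cron.d/job"        # constructed
    encoded = "http://malicious.example/%2e%2e/%2e%2e/etc/cron.d/job"  # constructed
    benign = "http://malicious.example/site/index.html"              # constructed
    out = {"dest": os.path.realpath(dest), "naive": naive_target(dest, hostile)}
    out["rejected"] = [rejects(dest, u) for u in (hostile, encoded)]
    saved = save_fetched(dest, benign, b"<html></html>")
    out["saved_under_dest"] = saved.startswith(out["dest"] + os.sep)
    try:
        save_fetched(dest, benign, b"second attempt")
        out["clobbered"] = True
    except FileExistsError:
        out["clobbered"] = False
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

The commonpath check is what http-fetch lacked: the naive join happily yields
a path ending in /etc/cron.d/job, while the hardened version raises for both
the literal and the percent-encoded traversal and still accepts an ordinary
page path.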

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to nmap 7.70 or later.

================================= Our Solution =================================

We have upgraded to nmap 7.70.