检测

Linux Distros 未修补的漏洞: CVE-2021-42574

high Nessus 插件 ID 224189

语言:

简介

Linux/Unix 主机上安装的一个或多个程序包存在漏洞,但供应商表示不会修补此漏洞。

描述

Linux/Unix 主机中安装的一个或多个程序包受到一个漏洞影响,而供应商没有提供补丁程序。

 - 发现在 Unicode 规范 14.0 及之前版本的双向算法中存在问题。它允许通过控制序列对字符进行可视化重新排序,可用于构建呈现与编译器和解释器提取的标记逻辑顺序不同的逻辑的源代码。
 攻击者可利用此问题为接受 Unicode 的编译器编码源代码,从而以隐蔽方式将目标漏洞引入人工审查者程序。注意:Unicode Consortium 提供了以下替代方法来表示此问题。在国际文本的性质中发现一个问题,其可影响实现 Unicode 标准和 Unicode 双向算法(所有版本)支持的应用程序。由于文本显示行为,当文本包含从左到右和从右到左的字符时,标记的视觉顺序可能与其逻辑顺序不同。
 此外,为完全支持双向文本的要求所需的控制字符可能会进一步混淆标记的逻辑顺序。除非问题得到缓解,否则攻击者可通过特制的源代码,造成人工审查者感知到的标记排序与编译器/解释器等要处理的标记不符。Unicode Consortium 已在其“Unicode 技术报告 #36:Unicode 安全注意事项”文档中记录此类漏洞。Unicode Consortium 还在《Unicode 技术标准 #39》的“Unicode 安全机制”以及《Unicode 标准附件 #31》的“Unicode 标识符和模式语法”中提供此类问题的缓解措施指南。此外,BIDI 规范允许应用程序以可缓解程序文本中具误导性的视觉重新排序的方式来定制实现。请参阅《Unicode 标准附件 #9》“Unicode 双向算法”中的 HL4。
 (CVE-2021-42574)

请注意,Nessus 依赖供应商报告的程序包是否存在进行判断。

解决方案

目前尚未有任何已知的解决方案。

另见

https://access.redhat.com/security/cve/cve-2021-42574

https://security-tracker.debian.org/tracker/CVE-2021-42574

插件详情

严重性: High

ID: 224189

文件名: unpatched_CVE_2021_42574.nasl

版本: 1.2

类型: local

代理: unix

系列: Misc.

发布时间: 2025/3/5

最近更新时间: 2025/8/18

支持的传感器: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

风险信息

VPR

风险因素: High

分数: 7.3

CVSS v2

风险因素: Medium

基本分数: 5.1

时间分数: 4

矢量: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS 分数来源: CVE-2021-42574

CVSS v3

风险因素: High

基本分数: 8.3

时间分数: 7.5

矢量: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

时间矢量: CVSS:3.0/E:P/RL:O/RC:C

漏洞信息

CPE: p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-libubsan-devel, p-cpe:/a:centos:centos:libatomic, p-cpe:/a:redhat:enterprise_linux:gcc-objc%2b%2b, p-cpe:/a:debian:debian_linux:rustc, p-cpe:/a:centos:centos:gcc-toolset-9-libtsan-devel, p-cpe:/a:redhat:enterprise_linux:libmudflap-devel, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-libstdc%2b%2b-devel, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-gcc, p-cpe:/a:redhat:enterprise_linux:golang, p-cpe:/a:redhat:enterprise_linux:libitm-devel, p-cpe:/a:redhat:enterprise_linux:mingw32-binutils, p-cpe:/a:redhat:enterprise_linux:libmudflap-static, p-cpe:/a:centos:centos:gcc-toolset-9-libquadmath-devel, p-cpe:/a:redhat:enterprise_linux:libtsan-static, p-cpe:/a:centos:centos:gcc-objc%2b%2b, p-cpe:/a:centos:centos:gcc-toolset-9-binutils-devel, p-cpe:/a:centos:centos:go-toolset, p-cpe:/a:centos:centos:gcc-toolset-9-libasan-devel, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-gcc-gfortran, p-cpe:/a:centos:centos:gcc-toolset-9-gcc-gfortran, p-cpe:/a:redhat:enterprise_linux:libasan-static, p-cpe:/a:centos:centos:libobjc, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-libitm-devel, p-cpe:/a:redhat:enterprise_linux:libgnat, p-cpe:/a:centos:centos:gcc-go, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-binutils-devel, p-cpe:/a:centos:centos:libstdc%2b%2b, cpe:/o:centos:centos:7, p-cpe:/a:centos:centos:gcc-plugin-devel, p-cpe:/a:centos:centos:libmudflap, p-cpe:/a:centos:centos:libgnat-devel, p-cpe:/a:centos:centos:gcc-toolset-9-gcc, p-cpe:/a:redhat:enterprise_linux:libgo, p-cpe:/a:centos:centos:gcc, p-cpe:/a:centos:centos:libquadmath, p-cpe:/a:centos:centos:gcc-toolset-9-libatomic-devel, p-cpe:/a:redhat:enterprise_linux:gcc-go, p-cpe:/a:redhat:enterprise_linux:libstdc%2b%2b-devel, p-cpe:/a:centos:centos:libgcc, cpe:/o:centos:centos:8, p-cpe:/a:redhat:enterprise_linux:libgnat-devel, p-cpe:/a:redhat:enterprise_linux:libobjc, p-cpe:/a:redhat:enterprise_linux:mingw64-binutils, p-cpe:/a:redhat:enterprise_linux:libgfortran-static, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-liblsan-devel, p-cpe:/a:centos:centos:libstdc%2b%2b-devel, p-cpe:/a:centos:centos:libasan, p-cpe:/a:redhat:enterprise_linux:libgo-devel, p-cpe:/a:centos:centos:libmudflap-devel, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-gcc-plugin-devel, p-cpe:/a:centos:centos:gcc-toolset-9-gcc-plugin-devel, p-cpe:/a:centos:centos:libgo, p-cpe:/a:centos:centos:gcc-gfortran, p-cpe:/a:centos:centos:golang, p-cpe:/a:centos:centos:gcc-toolset-9-binutils, p-cpe:/a:redhat:enterprise_linux:libgfortran, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-libquadmath-devel, p-cpe:/a:redhat:enterprise_linux:libgomp, p-cpe:/a:redhat:enterprise_linux:go-toolset, p-cpe:/a:redhat:enterprise_linux:gcc-gfortran, p-cpe:/a:centos:centos:libquadmath-static, p-cpe:/a:centos:centos:gcc-toolset-9-libubsan-devel, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-libasan-devel, p-cpe:/a:redhat:enterprise_linux:libquadmath, p-cpe:/a:redhat:enterprise_linux:libgcc, p-cpe:/a:redhat:enterprise_linux:libstdc%2b%2b, p-cpe:/a:centos:centos:libmudflap-static, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-gcc-gdb-plugin, p-cpe:/a:redhat:enterprise_linux:gcc-c%2b%2b, p-cpe:/a:redhat:enterprise_linux:gcc, p-cpe:/a:centos:centos:libgo-static, p-cpe:/a:centos:centos:gcc-toolset-9-annobin, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:centos:centos:libgnat, p-cpe:/a:centos:centos:gcc-gnat, p-cpe:/a:centos:centos:gcc-toolset-9-libitm-devel, p-cpe:/a:redhat:enterprise_linux:libquadmath-devel, p-cpe:/a:centos:centos:mingw32-binutils, p-cpe:/a:redhat:enterprise_linux:libasan, p-cpe:/a:centos:centos:mingw64-binutils, p-cpe:/a:redhat:enterprise_linux:libstdc%2b%2b-docs, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-binutils, p-cpe:/a:centos:centos:libatomic-static, p-cpe:/a:centos:centos:libstdc%2b%2b-static, p-cpe:/a:centos:centos:libtsan, p-cpe:/a:redhat:enterprise_linux:gcc-gnat, p-cpe:/a:centos:centos:libtsan-static, p-cpe:/a:redhat:enterprise_linux:libitm-static, p-cpe:/a:centos:centos:gcc-toolset-9-libstdc%2b%2b-docs, p-cpe:/a:centos:centos:gcc-toolset-9-liblsan-devel, p-cpe:/a:redhat:enterprise_linux:gcc-plugin-devel, p-cpe:/a:centos:centos:libitm, p-cpe:/a:redhat:enterprise_linux:cpp, p-cpe:/a:redhat:enterprise_linux:mingw-binutils, p-cpe:/a:centos:centos:libasan-static, p-cpe:/a:centos:centos:libgnat-static, p-cpe:/a:centos:centos:libgfortran-static, p-cpe:/a:centos:centos:libquadmath-devel, p-cpe:/a:centos:centos:gcc-toolset-9-gcc-gdb-plugin, p-cpe:/a:centos:centos:libstdc%2b%2b-docs, p-cpe:/a:redhat:enterprise_linux:libgnat-static, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-libtsan-devel, p-cpe:/a:centos:centos:gcc-toolset-9-gcc-c%2b%2b, p-cpe:/a:centos:centos:libitm-devel, p-cpe:/a:redhat:enterprise_linux:libitm, p-cpe:/a:redhat:enterprise_linux:libtsan, p-cpe:/a:centos:centos:gcc-toolset-9-libstdc%2b%2b-devel, p-cpe:/a:redhat:enterprise_linux:libatomic-static, p-cpe:/a:redhat:enterprise_linux:libstdc%2b%2b-static, p-cpe:/a:centos:centos:cpp, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-gcc-c%2b%2b, p-cpe:/a:redhat:enterprise_linux:gcc-objc, p-cpe:/a:centos:centos:libgfortran, p-cpe:/a:centos:centos:gcc-objc, p-cpe:/a:centos:centos:libgo-devel, p-cpe:/a:redhat:enterprise_linux:mingw-binutils-generic, p-cpe:/a:redhat:enterprise_linux:libmudflap, p-cpe:/a:centos:centos:gcc-c%2b%2b, p-cpe:/a:redhat:enterprise_linux:libatomic, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-annobin, p-cpe:/a:centos:centos:mingw-binutils-generic, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-libatomic-devel, p-cpe:/a:redhat:enterprise_linux:libgo-static, p-cpe:/a:centos:centos:mingw-binutils, p-cpe:/a:redhat:enterprise_linux:libquadmath-static, p-cpe:/a:redhat:enterprise_linux:gcc-toolset-9-libstdc%2b%2b-docs, p-cpe:/a:centos:centos:libitm-static, p-cpe:/a:centos:centos:libgomp

必需的 KB 项: Host/local_checks_enabled, Host/cpu, global_settings/vendor_unpatched, Host/OS/identifier

可利用: true

易利用性: Exploits are available

漏洞发布日期: 2021/10/28

参考资料信息

CVE: CVE-2021-42574