#### THREAT LEVEL: Red.
For a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/11/Microsofts-Patch-Tuesday-Security-Updates-for-November_TA202147.pdf>)
For the month of November, Microsoft has reported a total of 55 vulnerabilities, 6(CVE-2021-38666, CVE-2021-26443, CVE-2021-42279, CVE-2021-42298, CVE-2021-42316, CVE-2021-3711) of which have been rated critical. Four (CVE-2021-43208, CVE-2021-43209) of these vulnerabilities have been publicly known and two (CVE-2021-42292, CVE-2021-42321) of them have been exploited in the wild. Patches of all these vulnerabilities have been published by Microsoft. This Advisory only focuses on the important 12 vulnerabilities.
#### Vulnerability Details
  
* 
#### Patch Link
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42292>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43208>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43209>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38631>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41371>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38666>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26443>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42279>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42298>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42316>
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-3711>
#### References
<https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/>
<https://www.zerodayinitiative.com/blog/2021/11/9/the-november-2021-security-update-review>
{"qualysblog": [{"lastseen": "2021-11-26T18:36:54", "description": "### **Microsoft Patch Tuesday \u2013 November 2021**\n\nMicrosoft patched 55 vulnerabilities in their November 2021 Patch Tuesday release, of which six are rated as critical severity and six were previously reported as zero-days.\n\n#### **Critical Microsoft Vulnerabilities Patched**\n\n[CVE-2021-42298](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42298>) - Microsoft Defender Remote Code Execution Vulnerability\n\nThis vulnerability in Microsoft Defender can be exploited using Maliciously crafted files. The remote code execution vulnerability will be triggered when the malicious file is opened by a user or scanned automatically via an outdated version of Microsoft Defender\n\n[CVE-2021-42279](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42279>) - Chakra Scripting Engine Memory Corruption Vulnerability\n\nThe Buffer Overflow vulnerability is because of a boundary error issue in Chakra Scripting Engine, which allows remote attackers to execute arbitrary code by initiating the memory corruption.\n\n[CVE-2021-42316](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42316>) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability\n\nThis vulnerability is a Remote Code Execution bug in on-prem Microsoft Dynamics 365 setups. There are very few public details regarding this vulnerability.\n\n[CVE-2021-26443](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26443>) - Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability\n\nThe vulnerability exists when a VM Guest fails to handle communication on a VMBus Channel. An authenticated user can exploit this vulnerability by sending a specially crafted communication on the VMBus Channel from the Guest to the Host, allowing the attacker to execute arbitrary code on the Host.\n\n[CVE-2021-3711](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3711>) - OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow\n\nThis is a Buffer Overflow vulnerability in OpenSSL software which is embedded in Microsoft Visual Studio. The vulnerability was introduced due to a miscalculation in the buffer size in OpenSSL's SM2 function. An attacker can exploit this vulnerability to crash the application and potentially execute arbitrary code with the user's permission to run the application.\n\n[CVE-2021-38666](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>) - Remote Desktop Client Remote Code Execution Vulnerability\n\nThis vulnerability in Remote Desktop Clients can be exploited by an attacker who controls a Remote Desktop Server. The attacker can trick a user into connecting to the compromised/malicious Desktop Server, resulting in remote code execution.\n\n#### **Other High Priority Actively Exploited Vulnerabilities:**\n\n[CVE-2021-42321](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>) - Microsoft Exchange Server Remote Code Execution Vulnerability\n\nThis is an actively exploited vulnerability that affects Microsoft Exchange Server 2019 and Microsoft Exchange Server 2016. This is a post-authentication vulnerability that allows code execution. Microsoft has additional details in a [public blog post](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>).\n\n[CVE-2021-42292](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>) - Microsoft Excel Security Feature Bypass Vulnerability\n\nThe vulnerability in Microsoft Excel can be exploited using a Specially Crafted File, allowing an attacker to execute code. The vulnerability affects both Windows and macOS versions; a patch for the latter has not yet been released.\n\n#### **Following were the four of the six zero-day vulnerabilities:**\n\n[CVE-2021-43208](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43208>) \u2013 3D Viewer Remote Code Execution Vulnerability\n\n[CVE-2021-43209](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43209>) \u2013 3D Viewer Remote Code Execution Vulnerability\n\n[CVE-2021-38631](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38631>) \u2013 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability\n\n[CVE-2021-41371](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41371>) \u2013 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability\n\n### **Adobe Patch Tuesday \u2013 October 2021**\n\nAdobe addressed 4 CVEs this [Patch Tuesday](<https://helpx.adobe.com/security.html>), and 2 of them are rated as critical severity impacting RoboHelp Server, Adobe, and Adobe Creative Cloud.\n\n### **Discover Patch Tuesday Vulnerabilities in VMDR**\n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB).\n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:(qid:`50116` OR qid:`50117` OR qid:`91831` OR qid:`91832` OR qid:`91833` OR qid:`91834` OR qid:`91835` OR qid:`91836` OR qid:`91837` OR qid:`110394` OR qid:`110395` OR qid:`376026`)\n\n\n\n### **Respond by Patching**\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the "Missing" patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday.\n \n \n (qid:`50116` OR qid:`50117` OR qid:`91831` OR qid:`91832` OR qid:`91833` OR qid:`91834` OR qid:`91835` OR qid:`91836` OR qid:`91837` OR qid:`110394` OR qid:`110395` OR qid:`376026`)\n\n\n\n### **Patch Tuesday Dashboard**\n\nThe current updated Patch Tuesday dashboards are available in [Dashboard Toolbox: 2021 Patch Tuesday Dashboard.](<https://success.qualys.com/discussions/s/article/000006755>)\n\n#### **Webinar Series: This Month in Vulnerabilities and Patches**\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series [This Month in Vulnerabilities and Patches](<https://event.on24.com/wcc/r/3509444/01AB8685B078D8E9469DE21953BD584F>).\n\nWe discuss some of the key vulnerabilities disclosed in the past month and how to patch them:\n\n * Microsoft Patch Tuesday, November 2021\n * Adobe Patch Tuesday, November 2021\n\n[Join us live or watch on demand!](<https://event.on24.com/wcc/r/3509444/01AB8685B078D8E9469DE21953BD584F>)\n\nThursday, November 11, 2021 or later on demand\n\n### **About Patch Tuesday**\n\nPatch Tuesday QIDs are published at Security Alerts, typically late in the evening of Patch Tuesday, followed shortly after by PT dashboards.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-11T01:07:53", "type": "qualysblog", "title": "Microsoft & Adobe Patch Tuesday (November 2021) \u2013 Microsoft 55 Vulnerabilities with 6 Critical, 6 Zero-Days. Adobe 4 Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443", "CVE-2021-3711", "CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41371", "CVE-2021-42279", "CVE-2021-42292", "CVE-2021-42298", "CVE-2021-42316", "CVE-2021-42321", "CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-11T01:07:53", "id": "QUALYSBLOG:95B6925D28299FFFDEA3BD6BA8F3E443", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2021-11-26T17:27:08", "description": "**Microsoft Corp.** today released updates to quash at least 55 security bugs in its **Windows** operating systems and other software. Two of the patches address vulnerabilities that are already being used in active attacks online, and four of the flaws were disclosed publicly before today -- potentially giving adversaries a head start in figuring out how to exploit them.\n\n\n\nAmong the zero-day bugs is [CVE-2021-42292](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>), a "security feature bypass" problem with **Microsoft Excel versions 2013-2021** that could allow attackers to install malicious code just by convincing someone to open a booby-trapped Excel file (Microsoft says Mac versions of Office are also affected, but several places are reporting that Office for Mac security updates aren't available yet).\n\nMicrosoft's revised, more sparse security advisories don't offer much detail on what exactly is being bypassed in Excel with this flaw. But **Dustin Childs **over at **Trend Micro's Zero Day Initiative** [says](<https://www.zerodayinitiative.com/blog/2021/11/9/the-november-2021-security-update-review>) the vulnerability is likely due to loading code that should be limited by a user prompt -- such as a warning about external content or scripts -- but for whatever reason that prompt does not appear, thus bypassing the security feature.\n\nThe other critical flaw patched today that's already being exploited in the wild is [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>), yet another zero-day in **Microsoft Exchange Server**. You may recall that earlier this year a majority of the world's organizations running Microsoft Exchange Servers were [hit with four zero-day attacks that let thieves install backdoors and siphon email](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>).\n\nAs Exchange zero-days go, CVE-2021-42321 appears somewhat mild by comparison. Unlike the four zero-days involved in the mass compromise of Exchange Server systems earlier this year, CVE-2021-42321 requires the attacker to be already authenticated to the target's system. Microsoft has published a blog post/FAQ about the Exchange zero-day [here](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>).\n\nTwo of the vulnerabilities that were disclosed prior to today's patches are [CVE-2021-38631](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38631>) and [CVE-2021-41371](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41371>). Both involve weaknesses in Microsoft's **Remote Desktop Protocol** (RDP, Windows' built-in remote administration tool) running on Windows 7 through Windows 11 systems, and on Windows Server 2008-2019 systems. The flaws let an attacker view the RDP password for the vulnerable system.\n\n"Given the interest that cybercriminals -- especially ransomware initial access brokers -- have in RDP, it is likely that it will be exploited at some point," said **Allan Liska**, senior security architect at **Recorded Future**.\n\nLiska notes this month's patch batch also brings us [CVE-2021-38666](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>), which is a Remote Code Execution vulnerability in the Windows RDP Client.\n\n"This is a serious vulnerability, labeled critical by Microsoft," Liska added. "In its Exploitability Assessment section Microsoft has labelled this vulnerability 'Exploitation More Likely.' This vulnerability affects Windows 7 - 11 and Windows Server 2008 - 2019 and should be a high priority for patching."\n\nFor most Windows home users, applying security updates is not a big deal. By default, Windows checks for available updates and is fairly persistent in asking you to install them and reboot, etc. It's a good idea to get in the habit of patching on a monthly basis, ideally within a few days of patches being released.\n\nBut please do not neglect to backup your important files -- before patching if possible. Windows 10 has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. There are also a number of excellent third-party products that make it easy to duplicate your entire hard drive on a regular basis, so that a recent, working image of the system is always available for restore.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nIf you experience any glitches or problems installing patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may offer useful tips or suggestions.\n\nFurther reading:\n\n**SANS Internet Storm Center **has a [rundown on each of the 55 patches released today](<https://isc.sans.edu/forums/diary/Microsoft+November+2021+Patch+Tuesday/28018/>), indexed by exploitability and severity, with links to each advisory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T20:39:07", "type": "krebs", "title": "Microsoft Patch Tuesday, November 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41371", "CVE-2021-42292", "CVE-2021-42321"], "modified": "2021-11-09T20:39:07", "id": "KREBS:7B6AC3C7BFC3E69830DAE975AA547ADC", "href": "https://krebsonsecurity.com/2021/11/microsoft-patch-tuesday-november-2021-edition/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:38:08", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhrn2bWy7kjDMwA-e1FgvQFFMgrMtX-KgrErvJPqeWzafsVSb1_k78GC6nholdd_d2DbzcYuqf98udpn_wTk-_6KFu5RQPIErnTKIVlDcjYP53gT98kJt8q8r27D7qssyXxYP4p6fp_cLi19zCXc74h2z5whc0gh3HlD5MkZY7amV1fGnZgsthUv_op>)\n\nMicrosoft has released security updates as part of its monthly [Patch Tuesday](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Nov>) release cycle to address 55 vulnerabilities across Windows, Azure, Visual Studio, Windows Hyper-V, and Office, including fixes for two actively exploited zero-day flaws in Excel and Exchange Server that could be abused to take control of an affected system.\n\nOf the 55 glitches, six are rated Critical and 49 are rated as Important in severity, with four others listed as publicly known at the time of release. \n\nThe most critical of the flaws are [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>) (CVSS score: 8.8) and [CVE-2021-42292](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>) (CVSS score: 7.8), each concerning a [post-authentication remote code execution flaw](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>) in Microsoft Exchange Server and a security bypass vulnerability impacting Microsoft Excel versions 2013-2021 respectively.\n\nThe Exchange Server issue is also one of the bugs that was demonstrated at the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) held in China last month. However, the Redmond-based tech giant did not provide any details on how the two aforementioned vulnerabilities were used in real-world attacks.\n\n\"Earlier this year, Microsoft alerted that APT Group HAFNIUM was exploiting [four zero-day vulnerabilities](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) in the Microsoft Exchange server,\" said Bharat Jogi, director of vulnerability and threat research at Qualys.\n\n\"This evolved into exploits of Exchange server vulnerabilities by DearCry Ransomware \u2014 including attacks on infectious disease researchers, law firms, universities, defense contractors, policy think tanks and NGOs. Instances such as these further underscore that Microsoft Exchange servers are high-value targets for hackers looking to penetrate critical networks,\" Jogi added.\n\nAlso addressed are four publicly disclosed, but not exploited, vulnerabilities \u2014\n\n * [**CVE-2021-43208**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43208>) (CVSS score: 7.8) - 3D Viewer Remote Code Execution Vulnerability\n * [**CVE-2021-43209**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43209>) (CVSS score: 7.8) - 3D Viewer Remote Code Execution Vulnerability\n * [**CVE-2021-38631**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38631>) (CVSS score: 4.4) - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability\n * [**CVE-2021-41371**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41371>) (CVSS score: 4.4) - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability\n\nMicrosoft's November patch also comes with a resolution for [CVE-2021-3711](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-3711>), a critical buffer overflow flaw in [OpenSSL's SM2 decryption function](<https://thehackernews.com/2021/09/qnap-working-on-patches-for-openssl.html>) that came to light in late August 2021 and could be abused by adversaries to run arbitrary code and cause a denial-of-service (DoS) condition.\n\nOther important remediations include fixes for multiple remote code execution flaws in Chakra Scripting Engine ([CVE-2021-42279](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42279>)), Microsoft Defender ([CVE-2021-42298](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42298>)), Microsoft Virtual Machine Bus ([CVE-2021-26443](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26443>)), Remote Desktop Client ([CVE-2021-38666](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>)), and on-premises versions of Microsoft Dynamics 365 ([CVE-2021-42316](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42316>)).\n\nLastly, the update is rounded by patches for a number of privilege escalation vulnerabilities affecting NTFS ([CVE-2021-41367](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41367>), [CVE-2021-41370](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41370>), [CVE-2021-42283](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42283>)), Windows Kernel ([CVE-2021-42285](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42285>)), Visual Studio Code ([CVE-2021-42322](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42322>)), Windows Desktop Bridge ([CVE-2021-36957](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36957>)), and Windows Fast FAT File System Driver ([CVE-2021-41377](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41377>))\n\nTo [install](<https://support.microsoft.com/en-us/windows/get-the-latest-windows-update-7d20e88c-0568-483a-37bc-c3885390d212#WindowsVersion=Windows_11>) the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or by selecting Check for Windows updates.\n\n### Software Patches From Other Vendors\n\nIn addition to Microsoft, security updates have also been released by a number of other vendors to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://thehackernews.com/2021/11/google-warns-of-new-android-0-day.html>)\n * [Cisco](<https://thehackernews.com/2021/11/hardcoded-ssh-key-in-cisco-policy-suite.html>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>), and [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-November/thread.html>)\n * [Samba](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/samba-releases-security-updates>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T06:24:00", "type": "thn", "title": "Microsoft Issues Patches for Actively Exploited Excel, Exchange Server 0-Day Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-3711", "CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-42279", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42292", "CVE-2021-42298", "CVE-2021-42316", "CVE-2021-42321", "CVE-2021-42322", "CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-10T06:24:06", "id": "THN:554E88E6A1CE9AFD04BF297E68311306", "href": "https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-03T06:08:48", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhjgLAUPNyzVr4nyTnHcmuy129TWCPLQvO5SHVIX4c_Jt4qw70IRh8CRko0kG87W2QyP5ylFgl88hMhztuShd-m3X_TLLdUsgJz-Q22s4R-xP_7HyVYrZCRob8ZYIrhJ5UBhnI-Lv1tmJN_CDf0V9VtZq027EQy6VDLe8pTXTe8AsJi5fyMnpDd7c00/s728-e100/spyware.png>)\n\nA Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.\n\n\"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device,\" Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens [said](<https://blog.google/threat-analysis-group/new-details-on-commercial-spyware-vendor-variston/>) in a write-up.\n\nVariston, which has a [bare-bones website](<https://variston.net/>), claims to \"offer tailor made Information Security Solutions to our customers,\" \"design custom security patches for any kind of proprietary system,\" and support the \"the discovery of digital information by [law enforcement agencies],\" among other services.\n\nThe vulnerabilities, which have been patched by Google, Microsoft, and Mozilla in 2021 and early 2022, are believed to have been utilized as zero-days to help customers install malware of their choice on the targeted systems.\n\nHeliconia comprises a trio of components, namely Noise, Soft, and Files, each of which are responsible for deploying exploits against bugs in Chrome, Windows, and Firefox, respectively.\n\nNoise is designed to take advantage of a [security flaw](<https://bugs.chromium.org/p/chromium/issues/detail?id=1228036>) in the Chrome V8 JavaScript engine that was patched in August 2021 as well as an unknown sandbox escape method called \"chrome-sbx-gen\" to enable the final payload (aka \"agent\") to be installed on targeted devices.\n\nHowever, the attack banks on the prerequisite that the victim accesses a booby-trapped webpage to trigger the first-stage exploit.\n\nHeliconia Noise can be additionally configured by the purchaser using a JSON file to set different parameters like the maximum number of times to serve the exploits, an expiration date for the servers, redirect URLs for non-target visitors, and rules specifying when a visitor should be considered a valid target.\n\nSoft is a web framework that's engineered to deliver a decoy PDF document featuring an exploit for [CVE-2021-42298](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>), a remote code execution flaw impacting Microsoft Defender that was fixed by Redmond in November 2021. The infection chain, in this case, entails the user visiting a malicious URL, which then serves the weaponized PDF file.\n\nThe Files package \u2013 the third framework \u2013 contains a Firefox exploit chain for Windows and Linux that leverages a use-after-free flaw in the browser that was reported in March 2022 ([CVE-2022-26485](<https://thehackernews.com/2022/03/2-new-mozilla-firefox-0-day-bugs-under.html>)). However, it's suspected that the bug was likely abused since at least 2019.\n\nGoogle TAG said it became aware of the Heliconia attack framework after receiving an anonymous submission to its Chrome bug reporting program. It further noted that there's no current evidence of exploitation, either indicating the toolset has been put to rest or evolved further.\n\nThe development arrives more than five months after the tech giant's cybersecurity division devoted to tracking government-backed hacking and attacks linked a previously unattributed Android mobile spyware, dubbed Hermit, to Italian software outfit, [RCS Lab](<https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html>).\n\n\"The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups,\" the researchers said.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-01T14:32:00", "type": "thn", "title": "Google Accuses Spanish Spyware Vendor of Exploiting Chrome, Firefox, & Windows Zero-Days", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42298", "CVE-2022-26485"], "modified": "2022-12-03T04:17:41", "id": "THN:650C5B1E9D940F9BE6D2840CBD9D068A", "href": "https://thehackernews.com/2022/12/google-accuses-spanish-spyware-vendor.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-26T12:10:08", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgu9YKd02vdFX9q7nH_mj_COAplqIClED8G3-bIqGZfD9uEAVx2YkW4pnR4oTHEKnrj9qtpM11W6mYLnGXvGxEt9IFdVd2PCh0jnop8BOe_IT_acIv-VKs3Q-JjeXkZPvJplINEolBZljwID-Ev26al_uOtbkyFHFd7atp9dyswl66CcZIVuWykjyr6wg/s728-rj-e365/cyber.png>)\n\nAn exhaustive analysis of **FIN7** has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks.\n\nIt has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware [DarkSide](<https://thehackernews.com/2022/05/us-proposes-1-million-fine-on-colonial.html>), [REvil](<https://thehackernews.com/2022/05/new-revil-samples-indicate-ransomware.html>), and [LockBit](<https://thehackernews.com/2022/11/amadey-bot-spotted-deploying-lockbit-30.html>) families.\n\nThe highly active threat group, also known as Carbanak, is [known](<https://thehackernews.com/2022/04/fin7-hackers-leveraging-password-reuse.html>) for employing an extensive arsenal of tools and tactics to expand its \"cybercrime horizons,\" including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing.\n\nMore than 8,147 victims have been compromised by the financially motivated adversary across the world, with a majority of the entities located in the U.S. Other prominent countries include China, Germany, Canada, Italy, and the U.K.\n\nFIN7's intrusion techniques, over the years, have further diversified beyond traditional social engineering to include infected USB drives, software supply chain compromise, and the use of stolen credentials purchased from underground markets.\n\n\"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access,\" PRODAFT [said](<https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang>) in a report shared with The Hacker News.\n\nAccording to the Swiss cybersecurity company, the Russian-speaking hacking crew has also been observed to weaponize several flaws in Microsoft Exchange such as [CVE-2020-0688](<https://thehackernews.com/2021/07/top-30-critical-security.html>), [CVE-2021-42321](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>), [ProxyLogon, and ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) to obtain a foothold into target environments.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhXWJSj-lP5zgkimydTc-CwuBckZJpMoZ8KlEOqjTK1s14n8Ry6x7NcJHE6iuaC2p2llH7aphAnF9AGSkY-IMY3ofTAKq1rATS5XB5z-Fnxh6v2Lr3_wmyfCwBsAALRjmoyzwRDHWnMfGyS3UC_ftVWp1CnJeC09vF4HmeUbM2J0Y7BwIeouLTThKTe/s728-rj-e365/fin7.png>)\n\nThe use of [double extortion tactics](<https://thehackernews.com/2022/12/cuba-ransomware-extorted-over-60.html>) notwithstanding, attacks mounted by the group have deployed SSH backdoors on the compromised systems, even in scenarios where the victim has already paid a ransom.\n\nThe idea is to resell access to other ransomware outfits and re-target the victims as part of its illicit money-making scheme, underscoring its attempts to minimize efforts and maximize profits, not to mention prioritize companies based on their annual revenues, founded dates, and the number of employees.\n\nThis \"demonstrates a particular type of feasibility study considered a unique behavior among cybercrime groups,\" the researchers said.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh1L6lSPfanTW7NwX9INlkaghoZj0MyjyyCHu7VJ2WOAB0-a8ipVazPaPiLkSPVkIBBeBrgcnwVzrKGh7hIH0N52sNHSgp7Vbg9K4Rqm_6NIALFtTqkkLtv6AkE8lDtTL7ZEb5WVXABPi3XMY0clFfTSBtJq_7t66O_imTe8dVlT7-vL0MHcB3e1LBL/s728-rj-e365/data.png>)\n\nPut differently, the modus operandi of FIN7 boils down to this: It utilizes services like Crunchbase, Dun & Bradstreet (DNB), Owler, and Zoominfo to shortlist firms and organizations with the highest revenue. It also uses other website analytics platforms like MuStat and Similarweb to monitor traffic to the victims' sites.\n\nInitial access is then obtained through one of the many intrusion vectors, followed by exfiltrating data, encrypting files, and eventually determining the ransom amount based on the company's revenue.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhQwT6VXETxCd7gYcc7Yd03MnZ7nA_L948mXUJkAgn4SOwbIKEi30eZGf2YXgDN1QA6ak7etSe1368r_b5rgcDyV09jIQcKz5GDMmpp_UKs4886x6Kuq9llZuCFuz8reUq22aBAZ38FrxOOFeTSJLmECsaMukFx9rTLqxuCz3Zl5ijc2Cr1ucglgif1/s728-rj-e365/map.png>)\n\nThese infection sequences are also designed to load remote access trojans such as [Carbanak](<https://thehackernews.com/2021/06/fin7-supervisor-gets-7-year-jail-term.html>), [Lizar](<https://thehackernews.com/2021/10/hackers-set-up-fake-company-to-get-it.html>) (aka Tirion), and [IceBot](<https://www.recordedfuture.com/fin7-flash-drives-spread-remote-access-trojan>), the latter of which was first documented by Recorded Future-owned Gemini Advisory in January 2022.\n\nOther tools developed and delivered by FIN7 encompass a module dubbed Checkmarks that's orchestrated to automate mass scans for vulnerable Microsoft Exchange servers and other public-facing web applications as well as [Cobalt Strike](<https://thehackernews.com/2022/11/google-identifies-34-cracked-versions.html>) for post-exploitation.\n\nIn yet another indication that criminal groups [function like traditional companies](<https://thehackernews.com/2022/04/researchers-share-in-depth-analysis-of.html>), FIN7 follows a team structure consisting of top-level management, developers, pentesters, affiliates, and marketing teams, each of whom are tasked with individual responsibilities.\n\nWhile two members named Alex and Rash are the chief players behind the operation, a third managerial member named Sergey-Oleg is responsible for delegating duties to the group's other associates and overseeing their execution.\n\nHowever, an examination of the group's Jabber conversation history has revealed that operators in administrator positions engage in coercion and blackmail to intimidate team members into working more and issue ultimatums to \"hurt their family members in case of resigning or escaping from responsibilities.\"\n\nThe findings come more than a month after cybersecurity company SentinelOne [identified](<https://thehackernews.com/2022/11/researchers-find-links-bw-black-basta.html>) potential links between FIN7 and the Black Basta ransomware operation.\n\n\"FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies,\" PRODAFT concluded. \"Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets.\"\n\n\"Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-22T13:13:00", "type": "thn", "title": "FIN7 Cybercrime Syndicate Emerges as a Major Player in Ransomware Landscape", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688", "CVE-2021-42321"], "modified": "2022-12-26T11:59:04", "id": "THN:CE51F3F4A94EFC268FD06200BF55BECD", "href": "https://thehackernews.com/2022/12/fin7-cybercrime-syndicate-emerges-as.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:21", "description": "[](<https://thehackernews.com/images/-kVQtXWjknPI/YS8ndFPpyLI/AAAAAAAADr0/n4Ce_BIgXtM4o6Ld8sjgLAiJNb36z03JQCLcBGAsYHQ/s0/eCh0raix-Ransomware-nas-devices.jpg>)\n\nNetwork-attached storage (NAS) appliance maker QNAP said it's [currently](<https://www.qnap.com/en/security-advisory/qsa-21-39>) [investigating](<https://www.qnap.com/en/security-advisory/qsa-21-40>) two recently patched security flaws in OpenSSL to determine their potential impact, adding it will release security updates should its products turn out to be vulnerable.\n\nTracked as CVE-2021-3711 (CVSS score: 7.5) and CVE-2021-3712 (CVSS score: 4.4), the [weaknesses](<https://www.openwall.com/lists/oss-security/2021/08/26/2>) concern a high-severity buffer overflow in SM2 decryption function and a buffer overrun issue when processing ASN.1 strings that could be abused by adversaries to run arbitrary code, cause a denial-of-service condition, or result in disclosure of private memory contents, such as private keys, or sensitive plaintext \u2014\n\n * [CVE-2021-3711](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3711>) \\- OpenSSL SM2 decryption buffer overflow\n * [CVE-2021-3712](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712>) \\- Read buffer overruns processing ASN.1 strings\n\n\"A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash,\" according to the advisory for CVE-2021-3711.\n\nOpenSSL, a widely used open-source cryptographic library that provides encrypted connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), [addressed the issues](<https://www.openssl.org/news/vulnerabilities.html>) in versions OpenSSL 1.1.1l and 1.0.2za that were shipped on August 24.\n\nIn the meanwhile, NetApp on Tuesday [confirmed](<https://security.netapp.com/advisory/ntap-20210827-0010/>) that the flaws affect a number of its products, while it continues to assess the rest of its lineup \u2014\n\n * Clustered Data ONTAP\n * Clustered Data ONTAP Antivirus Connector\n * E-Series SANtricity OS Controller Software 11.x\n * NetApp Manageability SDK\n * NetApp SANtricity SMI-S Provider\n * NetApp SolidFire & HCI Management Node\n * NetApp Storage Encryption\n\nThe development follows days after NAS maker Synology also disclosed that it's opened an investigation into a number of models, comprising DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server, to check if they are affected by the same two flaws.\n\n\"Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack[s] or possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server,\" the Taiwanese company [said](<https://www.synology.com/en-us/security/advisory/Synology_SA_21_24>) in an advisory.\n\nOther companies whose products rely on OpenSSL have also released security bulletins, including \u2014\n\n * [Debian](<https://www.debian.org/security/2021/dsa-4963>)\n * Red Hat ([CVE-2021-3711](<https://access.redhat.com/security/cve/cve-2021-3711>), [CVE-2021-3712](<https://access.redhat.com/security/cve/cve-2021-3712>))\n * SUSE ([CVE-2021-3711](<https://www.suse.com/security/cve/CVE-2021-3711.html>), [CVE-2021-3712](<https://www.suse.com/security/cve/CVE-2021-3712.html>)), and \n * Ubuntu ([CVE-2021-3711](<https://ubuntu.com/security/CVE-2021-3711>), [CVE-2021-3712](<https://ubuntu.com/security/CVE-2021-3712>)).\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T07:11:00", "type": "thn", "title": "QNAP Working on Patches for OpenSSL Flaws Affecting its NAS Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-09-02T11:56:34", "id": "THN:3AB82AD3C4EB492FE308B1276534EBD7", "href": "https://thehackernews.com/2021/09/qnap-working-on-patches-for-openssl.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-14T04:09:19", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjTxKfxj2a6lMbDbJaMo5tht_LOymmcrKcCWFtR24mQo74TUahCanF09uTukayi4zQWtyXbBN6gL1r8Q_F8hPVGvbFPUvpNfu0RMdh_in3x47i7NaY_2APPaDC8WmxtnyovksaoophnnKee-_hL8d3KTmywDQksxEixb5Qu7Hqf3_NL3lzttzW4eVJp/s728-e100/ms.jpg>)\n\nMicrosoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.\n\nThe tech giant, in its 114-page [Digital Defense Report](<https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022>), said it has \"observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability,\" making it imperative that organizations patch such exploits in a timely manner.\n\nThis also corroborates with an April 2022 advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which [found](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) that bad actors are \"aggressively\" targeting newly disclosed software bugs against broad targets globally.\n\nMicrosoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.\n\nIt further accused Chinese state-sponsored groups of being \"particularly proficient\" at discovering and developing zero-day exploits.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj2Fv84B8E1NDduixEzAgNyU-RvvdpVt2eY23UON-dCns8KnaaAn-rqjv_Tihoscf0lzJzcswmhacAZgW8Jdh82sqVfWIDHVa5zBDWPlh_uT7dLVU8BmoLqbWxqL-deV3Ok2yZ8h76dqXIbZ3SIOJJND7p6ixLGZmV_q9RpnvhYkQ9ABNMKZOdjtetP/s728-e100/exploit.jpg>)\n\nThis has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new [vulnerability reporting regulation](<https://thehackernews.com/2021/07/chinas-new-law-requires-researchers-to.html>) in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.\n\nRedmond further said the law could enable government-backed elements to stockpile and weaponize the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjzThAws7Nwe2onkDTrV1eAUZuHoxUQmHQD89fb1AMyF95hzxM_bjDK2t9-CUBtPHmaWAaGh6oLRZRmlWELsneZ9fLS1yThyXWXTF3Vhb67iMNcw8AvGM2hLy535BKjYA6NJ8csrauUfJWp6VGl-g4LRpHIAsWQ1E7ev0MDFndlR4i_R0-xqgivOOTY/s728-e100/map.jpg>)\n\nSome of the vulnerabilities that were first exploited by Chinese actors before being picked up by other adversarial groups include -\n\n * [**CVE-2021-35211**](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>) (CVSS score: 10.0) - A remote code execution flaw in SolarWinds Serv-U Managed File Transfer Server and Serv-U Secure FTP software that was exploited by DEV-0322.\n * [**CVE-2021-40539**](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) (CVSS score: 9.8) - An authentication bypass flaw in Zoho ManageEngine ADSelfService Plus that was exploited by DEV-0322 (TiltedTemple).\n * [**CVE-2021-44077**](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) (CVSS score: 9.8) - An unauthenticated remote code execution flaw in Zoho ManageEngine ServiceDesk Plus that was exploited by DEV-0322 (TiltedTemple).\n * [**CVE-2021-42321**](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>) (CVSS score: 8.8) - A remote code execution flaw in Microsoft Exchange Server that was exploited three days after it was revealed during the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) hacking contest on October 16-17, 2021.\n * [**CVE-2022-26134**](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) (CVSS score: 9.8) - An Object-Graph Navigation Language (OGNL) injection flaw in Atlassian Confluence that's likely to have been leveraged by a China-affiliated actor against an unnamed U.S. entity days before the flaw's disclosure on June 2.\n\nThe findings also come almost a month after CISA released a list of [top vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-279a>) weaponized by China-based actors since 2020 to steal intellectual property and develop access into sensitive networks.\n\n\"Zero-day vulnerabilities are a particularly effective means for initial exploitation and, once publicly exposed, vulnerabilities can be rapidly reused by other nation-state and criminal actors,\" the company said.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-05T06:00:00", "type": "thn", "title": "Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211", "CVE-2021-40539", "CVE-2021-42321", "CVE-2021-44077", "CVE-2022-26134"], "modified": "2022-12-14T04:04:34", "id": "THN:FD9FEFEA9EB66115FF4BAECDD8C520CB", "href": "https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-11-10T20:20:08", "description": "[Microsoft reported](<https://msrc.microsoft.com/update-guide/vulnerability>) a total of 55 vulnerabilities, six of which are rated critical, with the remaining 49 being rated important. The flaws are found in Microsoft Windows and Windows Components, Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender, and Visual Studio.\n\nAll in all, it\u2019s a pretty light month, according to the Zero Day Initiative\u2019s (ZDI\u2019s) Dustin Childs. \u201cHistorically speaking, 55 patches in November is a relatively low number,\u201d he commentd. \u201cEven going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs.\u201d\n\nStill, as always, this Patch Tuesday delivers high-priority fixes, the most urgent of which being the duo that are under attack.\n\n## High-Priority, Actively Exploited Pair of Bugs\n\n[**CVE-2021-42321**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>)**: Microsoft Exchange Server Remote Code Execution Vulnerability.**\n\nThis is a critical remote code execution (RCE) weakness in Exchange Server caused by issues with the validation of command-let (cmdlet) arguments \u2013 i.e., lightweight commands used in the PowerShell environment. They\u2019re invoked by PowerShell runtime within the context of automation scripts that are provided at the command line or invoked programmatically by the PowerShell runtime through APIs. Microsoft said that the vulnerability, rated 8.8 in criticality, has low attack complexity.\n\nIn order to exploit this flaw, an attacker would need to be authenticated, which limits some of the impact, as noted by Satnam Narang, staff research engineer at Tenable. Microsoft says they are aware of \u201climited targeted attacks\u201d using this vulnerability in the wild.\n\nMicrosoft has a[ blog post describing the vulnerabilit](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>)y and how it\u2019s exploited.\n\nMicrosoft Exchange Server has been the subject of several notable vulnerabilities throughout 2021, including [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) and associated vulnerabilities as well as [ProxyShell](<https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/>), Narang pointed out.\n\n[](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nClick to register for our LIVE event!\n\n\u201cThough unconfirmed, this may be similar to an Exchange Server vulnerability that was discovered at the [Tianfu Cup](<https://borncity.com/win/2021/10/17/tifanu-cup-2021-exchange-2019-und-iphone-gehackt/>) hacking competition last month,\u201d Narang suggested.\n\nKevin Breen, director of cyber threat research at Immersive Labs, told Threatpost on Tuesday that federal or government bodies in the United States may be bound by the recent [CISA directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) that puts an emphasis on faster patching of exploits that are actively being used by attackers. \u201cThis vulnerability \u2013 along with CVE-2021-42292 \u2013 would likely fall into that category,\u201d he noted in an email on Tuesday.\n\nIn spite of playing a starring role at the Tianfu Cup, this flaw was actually discovered by the Microsoft Threat Intelligence Center (MSTIC). Microsoft said that it\u2019s been actively used in attacks.\n\n[**CVE-2021-42292**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>)**: Microsoft Excel Security Feature Bypass Vulnerability.**\n\nThis patch fixes a security feature bypass vulnerability \u200b\u200bin Microsoft Excel for both Windows and MacOS computers that could allow code execution when opening a specially crafted file. It too was discovered by MSTIC, which said that it\u2019s also been exploited in the wild as a zero day.\n\nAccording to Trend Micro\u2019s Zero Day Initiative (ZDI) [November Security Update](<https://www.zerodayinitiative.com/blog/2021/11/9/the-november-2021-security-update-review>), \u201cThis is likely due to loading code that should be behind a prompt, but for whatever reason, that prompt does not appear, thus bypassing that security feature.\u201d\n\nMicrosoft doesn\u2019t suggest what effect the vulnerability might have, but its CVSS score of 7.8 gives it a severity rating of high. Immersive Labs\u2019 Breen said that the lack of detail \u201ccan make it hard to prioritize, but anything that is being exploited in the wild should be at the very top of your list to patch.\u201d\n\nMicrosoft said that the Outlook Preview Pane isn\u2019t an attack vector for this weakness, so a target would need to open the file in order for exploitation to occur.\n\nUpdates are available for Windows systems, but updates for Office for Mac aren\u2019t out yet.\n\nBreen suggested that given the lack of description and a lack of updates for a vulnerability being exploited in the wild, \u201cit may be worth telling anyone in your organization using Office for Mac to be more cautious until patches are made available.\u201d\n\n## Other Bugs of Note\n\n[**CVE-2021-42298**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42298>)**: Microsoft Defender Remote Code Execution Vulnerability.**\n\nDefender is designed to scan every file and run with some of the highest levels or privileges in the operating system. This means an attacker could trigger the exploit by simply sending a file \u2013 the victim wouldn\u2019t even need to open or run anything, explained Kevin Breen, director of cyber threat research at Immersive Labs.\n\nBreen told Threatpost on Tuesday that this is the reason that CVE-2021-42298 is marked as \u201cexploitation more likely.\u201d\n\n\u201cAs it\u2019s not being exploited in the wild, it should get updated without any manual intervention from administrators,\u201d he said via email. \u201cThat being said, it\u2019s definitely worth checking to make sure your Defender installations are getting their updates set correctly.\u201d\n\nMicrosoft\u2019s advisory includes steps to verify that users have the latest versions installed.\n\n[**CVE-2021-38666**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>)**: Remote Desktop Client Remote Code Execution Vulnerability.**\n\nMicrosoft said that in the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger an RCE on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.\n\nThat\u2019s not the clearest description, Breen noted, but the attack vector suggests that the remote desktop client installed on all supported versions of Windows contains a vulnerability.\n\n\u201cTo exploit it, an attacker would have to create their own server and convince a user to connect to the attacker,\u201d Breen explained. \u201cThere are several ways an attacker could do this, one of which could be to send the target an RDP shortcut file, either via email or a download. If the target opens this file, which in itself is not malicious, they could be giving the attacker access to their system.\u201d\n\nBreen said in an email that in addition to patching this flaw, a sensible step would be to add detections for RDP files being shared in emails or downloads.\n\n[**CVE-2021-38631**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38631>)** & **[**CVE-2021-41371**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41371>)**: Information Disclosure Vulnerabilities in Microsoft Remote Desktop Protocol (RDP).**\n\nThese flaws were previously publicly disclosed by security researchers. Successful exploitation of would allow an attacker to see RDP passwords for the vulnerable system.\n\nThe issue affects RDP running on Windows 7 \u2013 11 and Windows Server 2008 \u2013 2019. They\u2019re rated \u201cImportant\u201d by Microsoft. Given the interest that cybercriminals (especially ransomware initial access brokers) have in RDP, \u201cit is likely that it will be exploited at some point,\u201d said Allan Liska, senior security architect at Recorded Future.\n\n## Continuous Exchange Vulnerabilities\n\nExchange vulnerabilities have been of particular concern this year, Liska noted, pointing to both Chinese nation state actors and the cybercriminals behind the [DearCry](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) ransomware (also believed to be operating out of China) as having exploited earlier vulnerabilities in Microsoft Exchange ([CVE-2021-26855 and CVE-2021-27065](<https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/>)).\n\n\u201cWhile Microsoft only rates the vulnerability as \u2018Important\u2019 because an attacker has to be authenticated to exploit it, Recorded Future has noted that gaining legitimate credential access to Windows systems has become trivial for both nation state and cybercriminal actors,\u201d Liska said via email. Hence, he recommended prioritizing this flaw for patching.\n\n## Prioritize CVE-2021-42292, Too\n\nMicrosoft wasn\u2019t clear about which security feature is bypassed by this security feature bypass vulnerability for Microsoft Excel for both Windows and MacOS computers, which affects versions 2013 \u2013 2021. But the fact that it\u2019s being exploited in the wild \u201cis concerning,\u201d Liska said and \u201cmeans it should be prioritized for patching.\u201d\n\nMicrosoft Excel is a frequent target of both [nation-state attackers](<https://threatpost.com/spear-phishing-attack-lures-victims-with-hiv-results/153536/>) and cybercriminals, he noted.\n\n110921 17:21 UPDATE: Corrected misattribution of input from Kevin Breen.\n\n**_Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, _**[**_\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d_**](<https://bit.ly/3bBMX30>) **_on Wed., Nov. 17 at 2 p.m. ET. Brought to you by Specops._**\n\n[**_Register NOW_**](<https://bit.ly/3bBMX30>)**_ for the LIVE event and submit questions ahead of time to Threatpost\u2019s Becky Bracken at _**[**_becky.bracken@threatpost.com._**](<mailto:becky.bracken@threatpost.com>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T21:41:49", "type": "threatpost", "title": "Microsoft Nov. Patch Tuesday Fixes Six Zero-Days, 55 Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065", "CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41371", "CVE-2021-42292", "CVE-2021-42298", "CVE-2021-42321"], "modified": "2021-11-09T21:41:49", "id": "THREATPOST:C23B7DE85B27B6A8707D0016592B87A3", "href": "https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-31T20:45:04", "description": "On Monday, QNAP put out two security advisories about OpenSSL remote-code execution and denial-of-service (DoS) bugs, fixed last week, that affect its network-attached storage (NAS) devices.\n\nThe vulnerabilities are tracked as [CVE-2021-3711](<https://www.qnap.com/en-us/security-advisory/QSA-21-39>) \u2013 a high-severity buffer overflow related to SM2 decryption\u2013 and [CVE-2021-3712](<https://www.qnap.com/en-us/security-advisory/QSA-21-40>), a medium-severity flaw that can be exploited for DoS attacks and possibly for the disclosure of private memory contents.\n\nThese OpenSSL flaws are spreading ripples far and wide. \n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nThat\u2019s because [OpenSSL](<https://en.wikipedia.org/wiki/OpenSSL>) is mostly used by network software \u2013 including being widely used by Internet servers and the majority of HTTPS websites \u2013 that use the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit.\n\nTLS has replaced SSL, which contained what Sophos\u2019s Paul Ducklin called a \u201chuge\u201d number of cryptographic flaws. But many popular open-source programming libraries that support it \u2013 including OpenSSL, LibreSSL and BoringSSL, \u201chave kept old-school product names for the sake of familiarity,\u201d Ducklin commented in a recent [drilldown](<https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/>) into the OpenSSL bugs.\n\nQNAP on Monday joined a parade of organizations whose products rely on OpenSSL and which are either investigating the flaws (in QNAP\u2019s case) or have already released security advisories, including Linux distributions such as [Red Hat](<https://access.redhat.com/security/cve/cve-2021-3711>) (not affected), [Ubuntu](<https://ubuntu.com/security/CVE-2021-3711>), [SUSE](<https://www.suse.com/security/cve/CVE-2021-3711.html>), [Debian](<https://security-tracker.debian.org/tracker/CVE-2021-3711>) and[ Alpine Linux](<https://www.alpinelinux.org/posts/Alpine-3.14.2-released.html>).\n\n## QNAP Hammers Out Fixes\n\nQNAP said that it\u2019s \u201cthoroughly investigating the case\u201d and that it plans to release security updates and more information ASAP.\n\nSame goes for NAS appliance maker [Synology](<https://www.synology.com/en-global/security/advisory/Synology_SA_21_24>), which told its customers that the OpenSSL vulnerabilities affect its Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server and VPN Server products. On Thursday, Synology assigned \u201cimportant\u201d and \u201cmoderate\u201d severity ratings to the vulnerabilities and said that it\u2019s working on patches.\n\nYet another storage solutions provider, [NetApp](<https://security.netapp.com/advisory/ntap-20210827-0010/>), is now trying to figure out which of its products may be affected. So far, it\u2019s confirmed that Clustered Data ONTAP, E-Series SANtricity OS controller software, the NetApp Manageability SDK, NetApp SANtricity SMI-S Provider, and NetApp Storage Encryption are affected, and it\u2019s investigating dozens more of its products.\n\n[Cisco](<https://tools.cisco.com/security/center/publicationListing.x>) and [Broadcom](<https://support.broadcom.com/security-advisory/security-advisories-list.html?segment=SE>) are also expected to release advisories describing how the latest OpenSSL vulnerabilities will affect their products.\n\n## QNAP\u2019s Advisories\n\nIt turns out that the OpenSSL vulnerabilities affect QNAP NAS devices running the [HBS 3 Hybrid Backup Sync](<https://www.qnap.com/en/how-to/tutorial/article/hybrid-backup-sync>) data backup and disaster recovery tool, the [QTS](<https://www.qnap.com/en-us/qts4/con_show.php?op=showone&cid=1>) GUI, the [QuTS hero](<https://www.qnap.com/quts-hero/en-us/>) operating system, and [QuTScloud](<https://www.qnap.com/solution/qutscloud-overview/en-us/#:~:text=QuTScloud%20is%20the%20operating%20system,at%20a%20predictable%20monthly%20cost.>), which is an operating system for QNAP Cloud NAS virtual appliances.\n\nAccording to Sophos\u2019s Ducklin, the flaws could allow an attacker to trick an application \u201cinto thinking that something succeeded (or failed) when it didn\u2019t, or even to take over the flow of program execution entirely.\n\nIf successfully exploited, the flaws could allow remote attackers to execute arbitrary code with the permissions of the user running the application, QNAP said, which gives CVE-2021-3711 a high severity rating. CVE-2021-3712 allows remote attackers to disclose memory data or execute a DoS attack, making it a medium-security flaw.\n\nMITRE has the technical details here for [CVE-2021-3712](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712>) and [CVE-2021-3711](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3711>).\n\nCVE-2021-3711 is a [heap-based buffer overflow](<https://cwe.mitre.org/data/definitions/122.html#:~:text=Description,routine%20such%20as%20malloc\\(\\).>). These bugs generally lead to crashes but can also translate into lack of availability, including putting the program into an infinite loop. Such vulnerabilities can also allow attackers to carry out RCE, bypass protection, or to modify memory.\n\nAccording to MITRE, the CVE-2021-3711 bug in OpenSSL allows an attacker who can present SM2 content \u2013 SM2 being a public key cryptographic algorithm based on elliptic curves that\u2019s used to generate and verify digital signatures for decryption \u2013 to send data that overflows the buffer by up to a maximum of 62 bytes, \u201caltering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash.\u201d\n\nAs Sophos\u2019s Ducklin explained when writing about this decryption bug, OpenSSL includes implementations of the SM algorithms: It uses SM2 for key agreement and digital signatures, SM3 for hashing, and SM4 for block encryption. On the plus side, Sophos researchers don\u2019t think that crooks are going to be able to exploit this bug, given that \u201cofficial TLS support for ShangMi was only introduced in [RFC 8998](<https://datatracker.ietf.org/doc/html/rfc8998>), dated March 2021, so it\u2019s a newcomer to the world\u2019s cryptographic stable.\u201d\n\nAs Ducklin wrote, OpenSSL does include implementations of SM2, SM3 and SM4, \u201cit doesn\u2019t yet include the code needed to allow you to choose these algorithms as a ciphersuite for use in TLS connections.\u201d\n\n> \u201cYou can\u2019t ask your TLS client code to request a ShangMi connection to someone else\u2019s server, as far as we can see; and you can\u2019t get your TLS server code to accept a ShangMi connection from someone else\u2019s client.\n> \n> \u201cSo the bug is in there, down in the low-level OpenSSL libcrypto code, but if you use OpenSSL at the TLS level to make or accept secure connections, we don\u2019t think you can open up a session in which the buggy code could be triggered.\n> \n> \u201cIn our opinion, that greatly reduces the likelihood of criminals abusing this flaw to implant malware on your laptop, for example by luring you to a booby-trapped website and presenting you with a rogue certificate during connection setup.\u201d \u2014Sophos\u2019s Paul Ducklin\n\n## Technical Details\n\nThe CVE-2021-3712 flaw is caused by a [read buffer overrun](<https://cwe.mitre.org/data/definitions/119.html>) weakness while processing ASN.1 strings. [MITRE explains](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712>) that [ASN.1](<https://www.ncbi.nlm.nih.gov/Structure/asn1.html#:~:text=1%20file%20format-,ASN.,to%20achieve%20interoperability%20between%20platforms.&text=It%20permits%20computers%20and%20software,the%20data%20structure%20and%20content.>) strings are represented internally within OpenSSL as an ASN1_STRING structure that contains a buffer holding the string data and a field holding the buffer length, as opposed to normal C strings that are represented as a buffer for the string data, which is terminated with a NUL (0) byte. \u201cIf a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit,\u201d according to MITRE. That could lead to a crash, causing DoS or could also lead to disclosure of private memory contents, such as private keys or even sensitive content in plaintext.\n\nBoth of the OpenSSL bugs were [fixed](<https://www.openssl.org/news/vulnerabilities.html>) in OpenSSL 1.1.1l on Tuesday of last week.\n\n## Fix Them If You Can\n\nSophos\u2019s Ducklin recommended upgrading to OpenSSL 1.1.1l if possible. \u201cAlthough most software on Windows, Mac, iOS and Android will not be using OpenSSL, because those platforms have their own alternative TLS implementations, some software may include an OpenSSL build of its own and will need updating independently,\u201d he noted. \u201cIf in doubt, consult your vendor. Most Linux distros will have a system-wide version of OpenSSL, so check with your distro for an update. (Note: Firefox doesn\u2019t use OpenSSL on any platforms.)\u201d\n\nThere\u2019s no shortage of reasons to heed his advice, given that criminal gangs already have NAS devices in their crosshairs. In a [report](<https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/>) published a few weeks ago, Palo Alto Network Unit 42 researchers said that they\u2019d discovered a new variant of the eCh0raix ransomware string that exploited a critical bug, [CVE-2021-28799](<https://nvd.nist.gov/vuln/detail/CVE-2021-28799>) \u2013 an improper authorization vulnerability that gives attackers access to hard-coded credentials so as to plant a backdoor account \u2013 in the Hybrid Backup Sync (HBS 3) software on QNAP\u2019s NAS devices.\n\nThe nearly year-old eCh0raix ransomware strain has been used to target both QNAP and Synology network-attached storage (NAS) devices in past, separate campaigns, but the new variant is more efficient: It can target either vendors\u2019 devices [in a single campaign](<https://threatpost.com/ech0raix-ransomware-variant-qnap-synology-nas-devices/168516/>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-31T15:08:46", "type": "threatpost", "title": "QNAP Is Latest to Get Dinged by OpenSSL Bugs Fallout", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28799", "CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-08-31T15:08:46", "id": "THREATPOST:703466E6007D5E2783255F53CBE5B433", "href": "https://threatpost.com/qnap-openssl-bugs/169054/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-31T14:18:59", "description": "Customers of Taiwan-based [QNAP Systems](<https://www.qnap.com/pt-pt>) are in a bit of limbo, waiting until the company releases a patch for an OpenSSL bug that the company has [warned](<https://www.qnap.com/en/security-advisory/QSA-22-06>) affects most of its network-attached storage (NAS) devices. The vulnerability can trigger an infinite loop that creates a denial-of-service (DoS) scenario.\n\nThough the bug \u2013 tracked as [CVE-2022-0778](<https://nvd.nist.gov/vuln/detail/CVE-2022-0778>) and rated 7.5 (high severity) on the CVSS severity-rating scale \u2013 [has been patched](<https://www.openssl.org/news/secadv/20220315.txt>) by OpenSSL, QNAP hasn\u2019t gotten around to applying a fix yet for its NAS devices affected by the vulnerability. The company is telling customers that \u201cthere is no mitigation available\u201d and they \u201cmust check back and install security updates as soon as they become available.\u201d\n\n\u201cQNAP is thoroughly investigating the case,\u201d the company said. \u201cWe will release security updates and provide further information as soon as possible.\u201d\n\nThe vulnerability is in OpenSSL\u2019s BN_mod_sqrt() function, which computes a modular square root. The bug can be triggered by crafting a certificate that has invalid explicit curve parameters, causing the function to loop forever, according to [its listing](<https://nvd.nist.gov/vuln/detail/CVE-2022-0778>) in the NIST National Vulnerability Database. This creates DoS conditions on the device, according to OpenSSL. OpenSSL is a popular cryptography library primarily used by networking software that offers open-source application of the TLS protocol.\n\n\u201cSince certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack,\u201d according to the listing. \u201cThe infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.\u201d\n\nVulnerable scenarios on devices using OpenSSL include:\n\n * TLS clients consuming server certificates,\n * TLS servers consuming client certificates,\n * Hosting providers taking certificates or private keys from customers,\n * Certificate authorities parsing certification requests from subscribers, or\n * Anything else that parses ASN.1 elliptic curve parameters.\n\nQNAP devices affected by the bug are:\n\n * QTS 5.0.x and later\n * QTS 4.5.4 and later\n * QTS 4.3.6 and later\n * QTS 4.3.4 and later\n * QTS 4.3.3 and later\n * QTS 4.2.6 and later\n * QuTS hero h5.0.x and later\n * QuTS hero h4.5.4 and later\n * QuTScloud c5.0.x\n\nThough QNAP said it\u2019s not aware of any exploits for the bug, [a security advisory](<https://www.csirt.gov.it/contenuti/rilevata-vulnerabilita-in-openssl-al02-220316-csirt-ita>) issued by Italy\u2019s national cybersecurity agency, CSIRT, suggests that it already is being exploited in the wild.\n\n## **QNAP Under Fire**\n\nQNAP devices have indeed had their share of cybersecurity woes in the past several months, a number of which are ongoing.\n\nAs the company readies a fix for the OpenSSL flaw, it\u2019s also working on another patch for the so-called [Dirty Pipe Linux kernel flaw](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/linux-dirty-pipe-vulnerability-gives-unprivileged-users-root-access/>) discovered earlier this month, which also currently has no mitigation on QNAP NAS devices. The flaw, a local privilege-escalation vulnerability, affects the Linux kernel on [QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x](<https://threatpost.com/most-qnap-nas-devices-affected-by-dirty-pipe-linux-flaw/178920/>).\n\nAttackers also have been pummeling QNAP devices with both ransomware and brute-force attacks since the beginning of the year, the [latter of which](<https://threatpost.com/qnap-nas-devices-ransomware-attacks/177452/>) prompted the vendor to urge customers to get their internet-exposed NAS devices off the internet.\n\nIn late January, QNAP forced out an unexpected and not entirely welcome update to its customers\u2019 NAS devices after [warning them](<https://www.qnap.com/en/security-news/2022/take-immediate-actions-to-stop-your-nas-from-exposing-to-the-internet-and-fight-against-ransomware-together>) that [the DeadBolt ransomware](<https://threatpost.com/conti-deadbolt-delta-qnap-ransomware/178083/>) was mounting an offensive against them. And just last week, reports surfaced that [DeadBolt was at it](<https://threatpost.com/deadbolt-ransomware-qnap-again/179057/>) again in a new wave of attacks against QNAP.\n\nThe current OpenSSL scenario also is not the first time the vendor\u2019s devices were rattled by a flaw in the cryptography library. Last August, [two vulnerabilities](<https://threatpost.com/qnap-openssl-bugs/169054/>) tracked as [CVE-2021-3711](<https://www.qnap.com/en-us/security-advisory/QSA-21-39>) and [CVE-2021-3712](<https://www.qnap.com/en-us/security-advisory/QSA-21-40>) that respectively could cause remote-code execution (RCE) and DoS also prompted a security advisory and eventually emergency patches by QNAP.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-31T13:22:49", "type": "threatpost", "title": "QNAP Customers Adrift, Waiting on Fix for OpenSSL Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712", "CVE-2021-44228", "CVE-2022-0778"], "modified": "2022-03-31T13:22:49", "id": "THREATPOST:4C9E0FFA5C914E395A66D2DC65B16649", "href": "https://threatpost.com/qnap-customers-adrift-fix-openssl-bug/179197/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-15T14:21:48", "description": "Microsoft has addressed a zero-day vulnerability that was exploited in the wild to deliver Emotet, Trickbot and more in the form of fake applications.\n\nThe patch came as part of the computing giant\u2019s December Patch Tuesday update, which included a total of 67 fixes for security vulnerabilities. The patches cover the waterfront of Microsoft\u2019s portfolio, affecting ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack.\n\nSeven of the bugs addressed are rated critical, six were previously disclosed as zero-days and 60 are considered \u201cimportant.\u201d\n\nThe update brings the total number of CVEs patched by Microsoft this year to 887, which is down 29 percent in volume from a very busy 2020.\n\n## **Zero-Day Exploited in Wild**\n\nThe zero-day ([CVE-2021-43890](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890>)) is an important-rated spoofing vulnerability in the Windows AppX Installer, which is a utility for side-loading Windows 10 apps, available on the App Store.\n\nKevin Breen, director of cyber-threat research at Immersive Labs, explained that the bug \u201callows an attacker to create a malicious package file and then modify it to look like a legitimate application, and has been used to deliver Emotet malware, which [made a comeback](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) this year.\u201d\n\nBreen warned, \u201cthe patch should mean that packages can no longer be spoofed to appear as valid, but it will not stop attackers from sending links or attachments to these files.\u201d\n\nPrior to its fix today, the bug was seen in multiple attacks associated with Emotet, TrickBot and Bazaloader, according to Satnam Narang, staff research engineer at Tenable.\n\n\u201cTo exploit this vulnerability, an attacker would need to convince a user to open a malicious attachment, which would be conducted through a phishing attack,\u201d he explained via email. \u201cOnce exploited, the vulnerability would grant an attacker elevated privileges, particularly when the victim\u2019s account has administrative privileges on the system.\u201d\n\nIf patching isn\u2019t an option, Microsoft has provided some workarounds to protect against the exploitation of this vulnerability.\n\n## **Other Publicly Known Microsoft Vulnerabilities**\n\nIt\u2019s worth noting that Microsoft also patched [CVE-2021-43883](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43883>), a privilege-escalation vulnerability in Windows Installer, for which [there\u2019s been an exploit circulating](<https://threatpost.com/attackers-target-windows-installer-bug/176558/>), and, reportedly, active targeting by attackers \u2013 even though Microsoft said it has seen no exploitation.\n\n\u201cThis appears to be a fix for a patch bypass of [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>), another elevation-of-privilege vulnerability in Windows Installer that was reportedly fixed in November,\u201d Narang said. \u201cHowever, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month.\u201d\n\nBreen noted that this kind of vulnerability is highly sought after by attackers looking to move laterally across a network.\n\n\u201cAfter gaining the initial foothold, achieving administrator-level access can allow attackers to disable security tools and deploy additional malware or tools like Mimikatz,\u201d he said. \u201cAlmost all ransomware attacks in the last year employed some form of privilege escalation as a key component of the attack prior to launching ransomware.\u201d\n\nFour other bugs were listed as \u201cpublicly known\u201d but not exploited, all rated important and allowing privilege escalation:\n\n * [CVE-2021-43240](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43240>), a NTFS Set Short Name\n * [CVE-2021-43893](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43893>), a Windows Encrypting File System (EFS)\n * [CVE-2021-43880](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43880>), Windows Mobile Device Management\n * [CVE-2021-41333](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41333>), Windows Print Spooler\n\nThe update does not address CVE-2021-24084, an unpatched Windows security vulnerability [disclosed in late November](<https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/>), which could allow information disclosure and local privilege escalation (LPE).\n\n## **Critical-Rated Microsoft Security Bugs for December**\n\n 1. ### **CVE-2021-43215 in iSNS Server**\n\nThe first critical bug ([CVE-2021-43215](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43215>)) to cover allows remote code-execution (RCE) on the Internet Storage Name Service (iSNS) server, which enables automated discovery and management of iSCSI devices on a TCP/IP storage network. It rates 9.8 out of 10 on the vulnerability-severity scale.\n\nThe bug can be exploited if an attacker sends a specially crafted request to an affected server, according to Microsoft\u2019s advisory.\n\n\u201cIn other words, if you\u2019re running a storage-area network (SAN) in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually,\u201d said Trend Micro Zero Day Initiative researcher Dustin Childs, in a [Tuesday blog](<https://www.zerodayinitiative.com/blog/2021/12/14/the-december-2021-security-update-review>). \u201cIf you have a SAN, prioritize testing and deploying this patch.\u201d\n\nBreen concurred that it\u2019s critical to patch quickly if an organization operates iSNS services.\n\n\u201cRemember that this is not a default component, so check this before you bump it up the list,\u201d he said via email. However, \u201cas this protocol is used to facilitate data storage over the network, it would be a high priority target for attackers looking to damage an organization\u2019s ability to recover from attacks like ransomware. These services are also typically trusted from a network perspective \u2013 which is another reason attackers would choose this kind of target.\u201d\n\n 2. ### **CVE-2021-43907 in Visual Studio Code WSL Extension**\n\nAnother 9.8-out-of-10-rated bug is [CVE-2021-43907](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43907>), an RCE issue in Visual Studio Code WSL Extension that Microsoft said can be exploited by an unauthenticated attacker, with no user interaction. It didn\u2019t provide further details.\n\n\u201cThis impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code,\u201d Childs explained. \u201cIt allows you to develop in a Linux-based environment, use Linux-specific tool chains and utilities, and run and debug Linux-based applications all from within Windows. This sort of cross-platform functionality is used by many in the DevOps community.\u201d\n\n 3. ### **CVE-2021-43899 \u2013 Microsoft 4K Wireless Display Adapter **\n\nThe third and final 9.8 CVSS-rate bug is [CVE-2021-43899](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43899>), which also allows RCE on an affected device, if the attacker has a foothold on the same network as the Microsoft 4K Display Adapter. Exploitation is a matter of sending specially crafted packets to the affected device, according to Microsoft.\n\n\u201cPatching this won\u2019t be an easy chore,\u201d Childs said. \u201cTo be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can [they] use the \u2018Update & Security\u2019 section of the app to download the latest firmware to mitigate this bug.\u201d\n\n 4. ### **CVE-2021-43905 in Microsoft Office**\n\nAnother critical RCE bug ([CVE-2021-43905](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43905>)) exists in the Microsoft Office app; it rates 9.6 on the CVSS vulnerability-severity scale, and Microsoft marked it as \u201cexploitation more likely.\u201d\n\n\u201cVery little is given away in the advisory to identify what the immediate risk is \u2013 it simply states the affected product as \u2018Office App,'\u201d Breen noted. \u201cThis can make it difficult for security teams to prioritize or put mitigations in place if quick patching is not available \u2013 especially when security teams are already tied down with other critical patching.\u201d\n\nHowever, Aleks Haugom, researcher at Automox, said it should be a priority for patching.\n\n\u201cAs a low-complexity vulnerability, an attacker can expect repeated results,\u201d he said in a [Tuesday analysis](<https://blog.automox.com/automox-experts-weigh-in-on-december-2021-patch-tuesday-release>). \u201cAlthough Microsoft has not disclosed exactly what user interaction is required for the attacker to succeed they have confirmed that the Preview Pane is not an attacker vector. Given that this threat can impact resources beyond the security scope managed by the security authority immediate remediation actions are advised.\u201d\n\n 5. ### **CVE-2021-42310** **in Microsoft Defender for IoT**\n\nOne of 10 issues found in Defender for IoT, this bug ([CVE-2021-42310](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42310>)) allows RCE and rates 8.1 on the CVSS scale.\n\n\u201cA password reset request consists of a signed JSON document, a signing certificate, and an intermediate certificate that was used to sign the signing certificate,\u201d explained Childs. \u201cThe intermediate certificate is supposed to chain up to a root CA certificate built into the appliance. Due to a flaw in this process, an attacker can reset someone else\u2019s password. Patching these bugs requires a sysadmin to [take action](<https://docs.microsoft.com/en-us/azure/defender-for-iot/organizations/how-to-manage-the-on-premises-management-console#update-the-software-version>) on the device itself.\u201d\n\nThe other nine bugs in the platform include seven other RCE vulnerabilities, one elevation of privilege vulnerability and one data disclosure vulnerability, all rated \u201cimportant.\u201d\n\n 6. ### **CVE-2021-43217 in the Windows Encrypting File System (EFS) **\n\nThis bug ([CVE-2021-43217](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43217>)) allows RCE and rates 8.1 on the CVSS scale.\n\n\u201cAn attacker could cause a buffer overflow that would leading to unauthenticated non-sandboxed code execution, even if the EFS service isn\u2019t running at the time,\u201d Childs explained. \u201cEFS interfaces can trigger a start of the EFS service if it is not running.\u201d\n\nJay Goodman, in the Automox posting, noted that it can be chained with the publicly disclosed elevation of privilege vulnerability in EFS and thus presents a special threat.\n\n\u201cWhile either of these vulnerabilities constitute impactful disclosures that need to be handled quickly, the combination of the two in a near universal service critical to securing and protecting data creates a unique situation,\u201d he said. \u201cAttacks could use the combination of RCE with privilege elevation to quickly deploy, elevate and execute code on a target system with full system rights. This can allow attackers to easily take full control of the system as well as create a base of operations within the network to spread laterally.\u201d\n\nIn other words: This is a critical pair of vulnerabilities to address as soon as possible to minimize organizational risk.\n\n 7. ### **CVE-2021-43233 in Remote Desktop Client **\n\nThe flaw ([CVE-2021-43233](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43233>)) allows RCE and rates 7 on the CVSS scale. It\u2019s listed as \u201cexploitation more likely.\u201d\n\n\u201cThis one\u2026would likely require a social engineering or phishing component to be successful,\u201d Breen explained. \u201cA similar vulnerability, [CVE-2021-38666](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>), was reported and patched in November. While it was also marked as \u2018exploitation more likely,\u2019 thankfully there have been no reports of proof-of-concept code or of it being exploited in the wild, which goes to show how important it is to make your own risk-based approach to prioritizing patches.\u201d\n\nAutomox researcher Gina Geisel emphasized the bug\u2019s high complexity for exploitation.\n\n\u201cTo exploit this vulnerability, an attacker requires control of a server and then must convince users to connect to it, through social engineering, DNS poisoning or using a man-in-the-middle (MITM) technique, as examples,\u201d she said. \u201cAn attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.\u201d\n\n## **Other Microsoft Bugs of Note for December**\n\nChilds also flagged [CVE-2021-42309](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42309>), an RCE issue in Microsoft SharePoint Server, as a vulnerability to prioritize. It allows an attacker to bypass the restriction against running arbitrary server-side web controls.\n\n\u201cThe vulnerability allows a user to elevate and execute code in the context of the service account,\u201d he explained. \u201cAn attacker would need \u2018Manage Lists\u2019 permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions.\u201d\n\nHe said the issue is similar to the previously patched [CVE-2021-28474](<https://www.zerodayinitiative.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-execution-via-server-side-control-interpretation-conflict>), except that the unsafe control \u201cis \u2018smuggled\u2019 in a property of an allowed control.\u201d\n\nOperating system bugs should be prioritized, researchers added.\n\n\u201cThe disclosures include a functional example in the case of the Print Spooler, proof-of-concept for the NTFS and Windows Installer vulnerabilities, so there is some cause to put urgency on the OS updates this month,\u201d Chris Goettl, vice president of product management at Ivanti, told Threatpost.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-14T22:21:35", "type": "threatpost", "title": "Actively Exploited Microsoft Zero-Day Allows App Spoofing, Malware Delivery", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084", "CVE-2021-28474", "CVE-2021-38666", "CVE-2021-41333", "CVE-2021-41379", "CVE-2021-42309", "CVE-2021-42310", "CVE-2021-43215", "CVE-2021-43217", "CVE-2021-43233", "CVE-2021-43240", "CVE-2021-43880", "CVE-2021-43883", "CVE-2021-43890", "CVE-2021-43893", "CVE-2021-43899", "CVE-2021-43905", "CVE-2021-43907"], "modified": "2021-12-14T22:21:35", "id": "THREATPOST:DD8030D774C6B1FBB3DEDAFC836B8B80", "href": "https://threatpost.com/exploited-microsoft-zero-day-spoofing-malware/177045/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2023-05-23T16:29:58", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nRemote code execution vulnerabilities were found in Microsoft Apps. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Affected products*:\n3D Viewer\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-43208](<https://nvd.nist.gov/vuln/detail/CVE-2021-43208>) \n[CVE-2021-43209](<https://nvd.nist.gov/vuln/detail/CVE-2021-43209>) \n\n\n### *Impacts*:\nACE", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12340 RCE vulnerabilities in Microsoft Apps", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-25T00:00:00", "id": "KLA12340", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12340/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:29:59", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nRemote code execution vulnerability was found in Microsoft System Center. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft Malware Protection Engine\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-42298](<https://nvd.nist.gov/vuln/detail/CVE-2021-42298>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Windows Defender](<https://threats.kaspersky.com/en/product/Windows-Defender/>)\n\n### *CVE-IDS*:\n[CVE-2021-42298](<https://vulners.com/cve/CVE-2021-42298>)9.3Critical\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12339 RCE vulnerability in Microsoft System Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42298"], "modified": "2022-01-18T00:00:00", "id": "KLA12339", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12339/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:29:55", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Dynamics. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Dynamics 365 (on-premises) version 9.0 \nMicrosoft Dynamics 365 (on-premises) version 9.1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-42316](<https://nvd.nist.gov/vuln/detail/CVE-2021-42316>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Dynamics 365](<https://threats.kaspersky.com/en/product/Microsoft-Dynamics-365/>)\n\n### *KB list*:\n[5008478](<http://support.microsoft.com/kb/5008478>) \n[5008479](<http://support.microsoft.com/kb/5008479>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12343 RCE vulnerability in Microsoft Dynamics", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42316"], "modified": "2021-11-25T00:00:00", "id": "KLA12343", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12343/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:29:49", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to spoof user interface, execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Edge (Chromium-based) in IE Mode \nChakraCore\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-41351](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41351>) \n[CVE-2021-42279](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42279>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)\n\n### *KB list*:\n[5007206](<http://support.microsoft.com/kb/5007206>) \n[5007186](<http://support.microsoft.com/kb/5007186>) \n[5007215](<http://support.microsoft.com/kb/5007215>) \n[5007189](<http://support.microsoft.com/kb/5007189>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12349 Multiple vulnerabilities in Microsoft Browser", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41351", "CVE-2021-42279"], "modified": "2022-08-04T00:00:00", "id": "KLA12349", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12349/", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:29:57", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nWindows 8.1 for 32-bit systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2022 \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2022 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2016 (Server Core installation) \nWindows 11 for x64-based Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nRemote Desktop client for Windows Desktop \nWindows 10 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-42282](<https://nvd.nist.gov/vuln/detail/CVE-2021-42282>) \n[CVE-2021-41367](<https://nvd.nist.gov/vuln/detail/CVE-2021-41367>) \n[CVE-2021-41371](<https://nvd.nist.gov/vuln/detail/CVE-2021-41371>) \n[CVE-2021-38665](<https://nvd.nist.gov/vuln/detail/CVE-2021-38665>) \n[CVE-2021-38666](<https://nvd.nist.gov/vuln/detail/CVE-2021-38666>) \n[CVE-2021-42291](<https://nvd.nist.gov/vuln/detail/CVE-2021-42291>) \n[CVE-2021-42278](<https://nvd.nist.gov/vuln/detail/CVE-2021-42278>) \n[CVE-2021-41377](<https://nvd.nist.gov/vuln/detail/CVE-2021-41377>) \n[CVE-2021-41379](<https://nvd.nist.gov/vuln/detail/CVE-2021-41379>) \n[CVE-2021-42285](<https://nvd.nist.gov/vuln/detail/CVE-2021-42285>) \n[CVE-2021-42283](<https://nvd.nist.gov/vuln/detail/CVE-2021-42283>) \n[CVE-2021-42275](<https://nvd.nist.gov/vuln/detail/CVE-2021-42275>) \n[CVE-2021-38631](<https://nvd.nist.gov/vuln/detail/CVE-2021-38631>) \n[CVE-2021-41370](<https://nvd.nist.gov/vuln/detail/CVE-2021-41370>) \n[CVE-2021-42287](<https://nvd.nist.gov/vuln/detail/CVE-2021-42287>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-42282](<https://vulners.com/cve/CVE-2021-42282>)6.5High \n[CVE-2021-41367](<https://vulners.com/cve/CVE-2021-41367>)4.6Warning \n[CVE-2021-41371](<https://vulners.com/cve/CVE-2021-41371>)2.1Warning \n[CVE-2021-38665](<https://vulners.com/cve/CVE-2021-38665>)4.3Warning \n[CVE-2021-38666](<https://vulners.com/cve/CVE-2021-38666>)6.8High \n[CVE-2021-42291](<https://vulners.com/cve/CVE-2021-42291>)6.5High \n[CVE-2021-42278](<https://vulners.com/cve/CVE-2021-42278>)6.5High \n[CVE-2021-41377](<https://vulners.com/cve/CVE-2021-41377>)4.6Warning \n[CVE-2021-41379](<https://vulners.com/cve/CVE-2021-41379>)4.6Warning \n[CVE-2021-42285](<https://vulners.com/cve/CVE-2021-42285>)7.2High \n[CVE-2021-42283](<https://vulners.com/cve/CVE-2021-42283>)4.6Warning \n[CVE-2021-42275](<https://vulners.com/cve/CVE-2021-42275>)6.5High \n[CVE-2021-38631](<https://vulners.com/cve/CVE-2021-38631>)2.1Warning \n[CVE-2021-41370](<https://vulners.com/cve/CVE-2021-41370>)4.6Warning \n[CVE-2021-42287](<https://vulners.com/cve/CVE-2021-42287>)6.5High\n\n### *KB list*:\n[5007233](<http://support.microsoft.com/kb/5007233>) \n[5007236](<http://support.microsoft.com/kb/5007236>) \n[5007263](<http://support.microsoft.com/kb/5007263>) \n[5007246](<http://support.microsoft.com/kb/5007246>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12341 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-01-18T00:00:00", "id": "KLA12341", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12341/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:55:11", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code, bypass security restrictions, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nWindows 8.1 for 32-bit systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2022 \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2019 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2022 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2016 (Server Core installation) \nWindows 11 for x64-based Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-41367](<https://nvd.nist.gov/vuln/detail/CVE-2021-41367>) \n[CVE-2021-38665](<https://nvd.nist.gov/vuln/detail/CVE-2021-38665>) \n[CVE-2021-26443](<https://nvd.nist.gov/vuln/detail/CVE-2021-26443>) \n[CVE-2021-38666](<https://nvd.nist.gov/vuln/detail/CVE-2021-38666>) \n[CVE-2021-42291](<https://nvd.nist.gov/vuln/detail/CVE-2021-42291>) \n[CVE-2021-42280](<https://nvd.nist.gov/vuln/detail/CVE-2021-42280>) \n[CVE-2021-42288](<https://nvd.nist.gov/vuln/detail/CVE-2021-42288>) \n[CVE-2021-41377](<https://nvd.nist.gov/vuln/detail/CVE-2021-41377>) \n[CVE-2021-42276](<https://nvd.nist.gov/vuln/detail/CVE-2021-42276>) \n[CVE-2021-42278](<https://nvd.nist.gov/vuln/detail/CVE-2021-42278>) \n[CVE-2021-36957](<https://nvd.nist.gov/vuln/detail/CVE-2021-36957>) \n[CVE-2021-42285](<https://nvd.nist.gov/vuln/detail/CVE-2021-42285>) \n[CVE-2021-42283](<https://nvd.nist.gov/vuln/detail/CVE-2021-42283>) \n[CVE-2021-42279](<https://nvd.nist.gov/vuln/detail/CVE-2021-42279>) \n[CVE-2021-38631](<https://nvd.nist.gov/vuln/detail/CVE-2021-38631>) \n[CVE-2021-42287](<https://nvd.nist.gov/vuln/detail/CVE-2021-42287>) \n[CVE-2021-42284](<https://nvd.nist.gov/vuln/detail/CVE-2021-42284>) \n[CVE-2021-42282](<https://nvd.nist.gov/vuln/detail/CVE-2021-42282>) \n[CVE-2021-42286](<https://nvd.nist.gov/vuln/detail/CVE-2021-42286>) \n[CVE-2021-41371](<https://nvd.nist.gov/vuln/detail/CVE-2021-41371>) \n[CVE-2021-42274](<https://nvd.nist.gov/vuln/detail/CVE-2021-42274>) \n[CVE-2021-42277](<https://nvd.nist.gov/vuln/detail/CVE-2021-42277>) \n[CVE-2021-41379](<https://nvd.nist.gov/vuln/detail/CVE-2021-41379>) \n[CVE-2021-41378](<https://nvd.nist.gov/vuln/detail/CVE-2021-41378>) \n[CVE-2021-41356](<https://nvd.nist.gov/vuln/detail/CVE-2021-41356>) \n[CVE-2021-42275](<https://nvd.nist.gov/vuln/detail/CVE-2021-42275>) \n[CVE-2021-41366](<https://nvd.nist.gov/vuln/detail/CVE-2021-41366>) \n[CVE-2021-41370](<https://nvd.nist.gov/vuln/detail/CVE-2021-41370>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *CVE-IDS*:\n[CVE-2021-42282](<https://vulners.com/cve/CVE-2021-42282>)6.5High \n[CVE-2021-41367](<https://vulners.com/cve/CVE-2021-41367>)4.6Warning \n[CVE-2021-41371](<https://vulners.com/cve/CVE-2021-41371>)2.1Warning \n[CVE-2021-38665](<https://vulners.com/cve/CVE-2021-38665>)4.3Warning \n[CVE-2021-38666](<https://vulners.com/cve/CVE-2021-38666>)6.8High \n[CVE-2021-42291](<https://vulners.com/cve/CVE-2021-42291>)6.5High \n[CVE-2021-42278](<https://vulners.com/cve/CVE-2021-42278>)6.5High \n[CVE-2021-41377](<https://vulners.com/cve/CVE-2021-41377>)4.6Warning \n[CVE-2021-41379](<https://vulners.com/cve/CVE-2021-41379>)4.6Warning \n[CVE-2021-42285](<https://vulners.com/cve/CVE-2021-42285>)7.2High \n[CVE-2021-42283](<https://vulners.com/cve/CVE-2021-42283>)4.6Warning \n[CVE-2021-42275](<https://vulners.com/cve/CVE-2021-42275>)6.5High \n[CVE-2021-38631](<https://vulners.com/cve/CVE-2021-38631>)2.1Warning \n[CVE-2021-41370](<https://vulners.com/cve/CVE-2021-41370>)4.6Warning \n[CVE-2021-42287](<https://vulners.com/cve/CVE-2021-42287>)6.5High \n[CVE-2021-26443](<https://vulners.com/cve/CVE-2021-26443>)7.7Critical \n[CVE-2021-42280](<https://vulners.com/cve/CVE-2021-42280>)4.6Warning \n[CVE-2021-42288](<https://vulners.com/cve/CVE-2021-42288>)3.6Warning \n[CVE-2021-42276](<https://vulners.com/cve/CVE-2021-42276>)6.8High \n[CVE-2021-36957](<https://vulners.com/cve/CVE-2021-36957>)4.6Warning \n[CVE-2021-42279](<https://vulners.com/cve/CVE-2021-42279>)5.1High \n[CVE-2021-42284](<https://vulners.com/cve/CVE-2021-42284>)7.1High \n[CVE-2021-42286](<https://vulners.com/cve/CVE-2021-42286>)4.6Warning \n[CVE-2021-42274](<https://vulners.com/cve/CVE-2021-42274>)2.1Warning \n[CVE-2021-42277](<https://vulners.com/cve/CVE-2021-42277>)4.6Warning \n[CVE-2021-41378](<https://vulners.com/cve/CVE-2021-41378>)6.5High \n[CVE-2021-41356](<https://vulners.com/cve/CVE-2021-41356>)5.0Critical \n[CVE-2021-41366](<https://vulners.com/cve/CVE-2021-41366>)4.6Warning\n\n### *KB list*:\n[5007260](<http://support.microsoft.com/kb/5007260>) \n[5007255](<http://support.microsoft.com/kb/5007255>) \n[5007206](<http://support.microsoft.com/kb/5007206>) \n[5007207](<http://support.microsoft.com/kb/5007207>) \n[5007186](<http://support.microsoft.com/kb/5007186>) \n[5007192](<http://support.microsoft.com/kb/5007192>) \n[5007215](<http://support.microsoft.com/kb/5007215>) \n[5007205](<http://support.microsoft.com/kb/5007205>) \n[5007245](<http://support.microsoft.com/kb/5007245>) \n[5007247](<http://support.microsoft.com/kb/5007247>) \n[5007189](<http://support.microsoft.com/kb/5007189>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12345 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42286", "CVE-2021-42287", "CVE-2021-42288", "CVE-2021-42291"], "modified": "2022-01-18T00:00:00", "id": "KLA12345", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12345/", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:29:56", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Exchange Server. Malicious users can exploit these vulnerabilities to perform cross-site scripting attack, execute arbitrary code, spoof user interface.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft Exchange Server 2019 Cumulative Update 10 \nMicrosoft Exchange Server 2019 Cumulative Update 11 \nMicrosoft Exchange Server 2013 Cumulative Update 23 \nMicrosoft Exchange Server 2016 Cumulative Update 22 \nMicrosoft Exchange Server 2016 Cumulative Update 21\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-41349](<https://nvd.nist.gov/vuln/detail/CVE-2021-41349>) \n[CVE-2021-42321](<https://nvd.nist.gov/vuln/detail/CVE-2021-42321>) \n[CVE-2021-42305](<https://nvd.nist.gov/vuln/detail/CVE-2021-42305>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Exchange Server](<https://threats.kaspersky.com/en/product/Microsoft-Exchange-Server/>)\n\n### *CVE-IDS*:\n[CVE-2021-41349](<https://vulners.com/cve/CVE-2021-41349>)4.3Warning \n[CVE-2021-42321](<https://vulners.com/cve/CVE-2021-42321>)6.5High \n[CVE-2021-42305](<https://vulners.com/cve/CVE-2021-42305>)4.3Warning\n\n### *KB list*:\n[5007409](<http://support.microsoft.com/kb/5007409>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12342 Multiple vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41349", "CVE-2021-42305", "CVE-2021-42321"], "modified": "2022-01-18T00:00:00", "id": "KLA12342", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12342/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:30:01", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Office. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nMicrosoft Office Online Server \nMicrosoft Office 2019 for Mac \nMicrosoft Office 2016 (32-bit edition) \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office 2016 (64-bit edition) \nMicrosoft Excel 2013 Service Pack 1 (64-bit editions) \nMicrosoft Office 2019 for 32-bit editions \nMicrosoft 365 Apps for Enterprise for 32-bit Systems \nMicrosoft Office 2013 Service Pack 1 (32-bit editions) \nMicrosoft Excel 2016 (32-bit edition) \nMicrosoft 365 Apps for Enterprise for 64-bit Systems \nMicrosoft Office Web Apps Server 2013 Service Pack 1 \nMicrosoft Office 2013 Service Pack 1 (64-bit editions) \nMicrosoft Excel 2016 (64-bit edition) \nMicrosoft Excel 2013 Service Pack 1 (32-bit editions) \nMicrosoft Excel 2013 RT Service Pack 1 \nMicrosoft Office LTSC 2021 for 32-bit editions \nMicrosoft Office LTSC for Mac 2021 \nMicrosoft Office 2019 for 64-bit editions \nMicrosoft SharePoint Enterprise Server 2013 Service Pack 1 \nMicrosoft Office LTSC 2021 for 64-bit editions\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-42292](<https://nvd.nist.gov/vuln/detail/CVE-2021-42292>) \n[CVE-2021-40442](<https://nvd.nist.gov/vuln/detail/CVE-2021-40442>) \n[CVE-2021-42296](<https://nvd.nist.gov/vuln/detail/CVE-2021-42296>) \n[CVE-2021-41368](<https://nvd.nist.gov/vuln/detail/CVE-2021-41368>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2021-42292](<https://vulners.com/cve/CVE-2021-42292>)6.8High \n[CVE-2021-40442](<https://vulners.com/cve/CVE-2021-40442>)6.8High \n[CVE-2021-42296](<https://vulners.com/cve/CVE-2021-42296>)6.9High \n[CVE-2021-41368](<https://vulners.com/cve/CVE-2021-41368>)6.8High\n\n### *KB list*:\n[5002072](<http://support.microsoft.com/kb/5002072>) \n[5002056](<http://support.microsoft.com/kb/5002056>) \n[4486670](<http://support.microsoft.com/kb/4486670>) \n[5002032](<http://support.microsoft.com/kb/5002032>) \n[5002065](<http://support.microsoft.com/kb/5002065>) \n[5002035](<http://support.microsoft.com/kb/5002035>) \n[5002038](<http://support.microsoft.com/kb/5002038>) \n[5002063](<http://support.microsoft.com/kb/5002063>) \n[5002053](<http://support.microsoft.com/kb/5002053>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12337 Multiple vulnerabilities in Microsoft Office", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40442", "CVE-2021-41368", "CVE-2021-42292", "CVE-2021-42296"], "modified": "2023-03-21T00:00:00", "id": "KLA12337", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12337/", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:29:52", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code.\n\n### *Affected products*:\nVisual Studio Code \nMicrosoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8) \nMicrosoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6) \nMicrosoft Visual Studio 2015 Update 3 \nMicrosoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) \nMicrosoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-42277](<https://nvd.nist.gov/vuln/detail/CVE-2021-42277>) \n[CVE-2021-42322](<https://nvd.nist.gov/vuln/detail/CVE-2021-42322>) \n[CVE-2021-42319](<https://nvd.nist.gov/vuln/detail/CVE-2021-42319>) \n[CVE-2021-3711](<https://nvd.nist.gov/vuln/detail/CVE-2021-3711>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *KB list*:\n[5007275](<http://support.microsoft.com/kb/5007275>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12346 Multiple vulnerabilities in Microsoft Developer Tools", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3711", "CVE-2021-42277", "CVE-2021-42319", "CVE-2021-42322"], "modified": "2021-11-25T00:00:00", "id": "KLA12346", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12346/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-05-23T15:47:43", "description": "3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43209.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-43208", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-15T19:39:00", "cpe": [], "id": "CVE-2021-43208", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43208", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-05-23T15:47:43", "description": "3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43208.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-43209", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-17T02:32:00", "cpe": [], "id": "CVE-2021-43209", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43209", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-05-23T15:39:07", "description": "Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-41371.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-10T01:18:00", "type": "cve", "title": "CVE-2021-38631", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-41371"], "modified": "2021-11-12T18:59:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-38631", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38631", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:44:41", "description": "Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-38631.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-41371", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-41371"], "modified": "2021-11-10T21:19:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-41371", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41371", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:31:50", "description": "Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-10T01:16:00", "type": "cve", "title": "CVE-2021-26443", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443"], "modified": "2021-11-10T16:01:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:21h1"], "id": "CVE-2021-26443", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26443", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*"]}, {"lastseen": "2023-05-23T15:46:15", "description": "Microsoft Defender Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42298", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42298"], "modified": "2021-11-17T19:34:00", "cpe": [], "id": "CVE-2021-42298", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42298", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-05-23T15:46:11", "description": "Chakra Scripting Engine Memory Corruption Vulnerability", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42279", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42279"], "modified": "2021-11-12T18:56:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-42279", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42279", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:39:13", "description": "Remote Desktop Client Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:18:00", "type": "cve", "title": "CVE-2021-38666", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38666"], "modified": "2021-11-10T16:38:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-38666", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38666", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:46:13", "description": "Microsoft Excel Security Feature Bypass Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42292", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42292"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:microsoft:office:2013", "cpe:/a:microsoft:office_long_term_servicing_channel:2021", "cpe:/a:microsoft:office:2016", "cpe:/a:microsoft:365_apps:-", "cpe:/a:microsoft:excel:2013", "cpe:/a:microsoft:office:2019"], "id": "CVE-2021-42292", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42292", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:office:2013:sp1:*:*:rt:*:*:*", "cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*", "cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*", "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:*", "cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:*", "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:*:*", "cpe:2.3:a:microsoft:office:2019:*:*:*:*:-:*:*"]}, {"lastseen": "2023-05-23T15:46:21", "description": "Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42316", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42316"], "modified": "2021-11-15T19:46:00", "cpe": ["cpe:/a:microsoft:dynamics_365:9.1", "cpe:/a:microsoft:dynamics_365:9.0"], "id": "CVE-2021-42316", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42316", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:dynamics_365:9.1:*:*:*:on-premises:*:*:*", "cpe:2.3:a:microsoft:dynamics_365:9.0:*:*:*:on-premises:*:*:*"]}, {"lastseen": "2023-05-23T15:46:18", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42321", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2022-08-29T18:59:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-42321", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42321", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:36:05", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-24T15:15:00", "type": "cve", "title": "CVE-2021-3711", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3711"], "modified": "2022-12-06T21:23:00", "cpe": ["cpe:/a:netapp:oncommand_insight:-", "cpe:/a:oracle:zfs_storage_appliance_kit:8.8", "cpe:/a:oracle:enterprise_communications_broker:3.2.0", "cpe:/a:oracle:mysql_connectors:8.0.27", "cpe:/a:tenable:nessus_network_monitor:5.13.1", "cpe:/a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0", "cpe:/a:oracle:communications_session_border_controller:9.0", "cpe:/a:oracle:health_sciences_inform_publisher:6.2.1.1", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57", "cpe:/a:netapp:e-series_santricity_os_controller:11.50.2", "cpe:/a:tenable:tenable.sc:5.19.1", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59", "cpe:/a:netapp:active_iq_unified_manager:-", "cpe:/a:oracle:enterprise_communications_broker:3.3.0", "cpe:/a:netapp:hci_management_node:-", "cpe:/a:netapp:clustered_data_ontap_antivirus_connector:-", "cpe:/o:debian:debian_linux:10.0", "cpe:/a:oracle:health_sciences_inform_publisher:6.3.1.1", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58", "cpe:/a:netapp:manageability_software_development_kit:-", "cpe:/o:debian:debian_linux:11.0", "cpe:/a:netapp:snapcenter:-", "cpe:/a:oracle:enterprise_session_border_controller:9.0", "cpe:/a:oracle:communications_unified_session_manager:8.4.5", "cpe:/a:netapp:storage_encryption:-", "cpe:/a:oracle:communications_session_border_controller:8.4", "cpe:/a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0", "cpe:/a:oracle:mysql_enterprise_monitor:8.0.25", "cpe:/a:oracle:enterprise_session_border_controller:8.4", "cpe:/a:oracle:mysql_server:8.0.26", "cpe:/a:oracle:jd_edwards_world_security:a9.4", "cpe:/a:netapp:santricity_smi-s_provider:-", "cpe:/a:netapp:clustered_data_ontap:-", "cpe:/a:netapp:oncommand_workflow_automation:-", "cpe:/a:oracle:mysql_server:5.7.35", "cpe:/a:netapp:solidfire:-", "cpe:/a:oracle:communications_unified_session_manager:8.2.5"], "id": "CVE-2021-3711", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3711", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql_server:5.7.35:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:health_sciences_inform_publisher:6.3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:tenable:nessus_network_monitor:5.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql_connectors:8.0.27:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql_server:8.0.26:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:e-series_santricity_os_controller:11.50.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "cpe:2.3:a:tenable:tenable.sc:5.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_session_manager:8.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_session_manager:8.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:health_sciences_inform_publisher:6.2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_encryption:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*"]}], "mscve": [{"lastseen": "2023-05-23T16:35:33", "description": "3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43208.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "3D Viewer Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-43209", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43209", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:33", "description": "3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43209.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "3D Viewer Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-43208", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43208", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:35", "description": "Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-41371.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-41371"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-38631", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38631", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-23T16:35:35", "description": "Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-38631.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-41371"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-41371", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41371", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-27T14:46:18", "description": "Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443"], "modified": "2021-11-12T08:00:00", "id": "MS:CVE-2021-26443", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26443", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:35:31", "description": "Microsoft Defender Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Microsoft Defender Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42298"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-42298", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42298", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:35:34", "description": "Chakra Scripting Engine Memory Corruption Vulnerability", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Chakra Scripting Engine Memory Corruption Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42279"], "modified": "2022-08-03T07:00:00", "id": "MS:CVE-2021-42279", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42279", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:31", "description": "Microsoft Excel Security Feature Bypass Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Microsoft Excel Security Feature Bypass Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42292"], "modified": "2021-11-16T08:00:00", "id": "MS:CVE-2021-42292", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42292", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:33", "description": "Remote Desktop Client Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Remote Desktop Client Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38666"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-38666", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38666", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:33", "description": "Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42316"], "modified": "2021-11-12T08:00:00", "id": "MS:CVE-2021-42316", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42316", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:31", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2022-06-21T07:00:00", "id": "MS:CVE-2021-42321", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:35", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3711"], "modified": "2022-03-08T08:00:00", "id": "MS:CVE-2021-3711", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-3711", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-18T15:35:17", "description": "The version of the Microsoft 3D Viewer app installed on the remote host is prior to 7.2107.7012.0. It is, therefore, affected by multiple remote code execution vulnerabilities. \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Microsoft 3D Viewer Multiple Vulnerabilities (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-18T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOVEMBER_3DVIEWER.NASL", "href": "https://www.tenable.com/plugins/nessus/154988", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154988);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/18\");\n\n script_cve_id(\"CVE-2021-43208\", \"CVE-2021-43209\");\n\n script_name(english:\"Microsoft 3D Viewer Multiple Vulnerabilities (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows app installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Microsoft 3D Viewer app installed on the remote host is prior to 7.2107.7012.0. It is, therefore,\naffected by multiple remote code execution vulnerabilities. \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43208\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43209\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to app version 7.2107.7012.0., or later via the Microsoft Store.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-43209\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"wmi_enum_windows_app_store.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"WMI/Windows App Store/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar apps = ['Microsoft.Microsoft3DViewer'];\n\nvar app_info = vcf::microsoft_appstore::get_app_info(app_list:apps);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { 'fixed_version' : '7.2107.7012.0'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-31T14:37:52", "description": "The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host is equal or prior to 1.1.18700.3. It is, therefore, affected by a remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands.", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Security Updates for Windows Defender (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-42298"], "modified": "2022-01-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:windows_defender"], "id": "SMB_NT_MS21_NOV_WIN_DEFENDER.NASL", "href": "https://www.tenable.com/plugins/nessus/154991", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154991);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/14\");\n\n script_cve_id(\"CVE-2021-42298\");\n script_xref(name:\"IAVA\", value:\"2022-A-0005\");\n\n script_name(english:\"Security Updates for Windows Defender (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An antimalware application installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host is equal or\nprior to 1.1.18700.3. It is, therefore, affected by a remote code execution vulnerability. An attacker can exploit this\nto bypass authentication and execute unauthorized arbitrary commands.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42298\");\n # https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3bed4ba6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Enable automatic updates to update the malware engine for the relevant antimalware applications. Refer to Knowledge Base\nArticle 2510781 for information on how to verify that MMPE has been updated.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42298\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_defender\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_windows_defender_win_installed.nbin\");\n script_require_keys(\"installed_sw/Windows Defender\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app = 'Windows Defender';\n\nvar app_info = vcf::get_app_info(app:app, win_local:TRUE);\n\n# Check if disabled\nif (!isnull(app_info['Disabled']))\n exit(0,'Windows Defender is disabled.');\n\n# Check if we got the Malware Engine Version\nif (isnull(app_info['Engine Version']))\n exit(0,'Unable to get the Malware Engine Version.');\n\nvar constraints = [{'fixed_version':'1.1.18700.3'}];\n\nvcf::av_checks::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, check:'Engine Version');\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:43", "description": "The Microsoft Dynamics 365 (on-premises) is missing a security update. It is, therefore, affected by the following vulnerability:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-42316)", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Dynamics 365 (on-premises) (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-42316"], "modified": "2021-11-18T00:00:00", "cpe": ["cpe:/a:microsoft:dynamics_365"], "id": "SMB_NT_MS21_NOV_MICROSOFT_DYNAMICS.NASL", "href": "https://www.tenable.com/plugins/nessus/155174", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155174);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/18\");\n\n script_cve_id(\"CVE-2021-42316\");\n script_xref(name:\"IAVA\", value:\"2021-A-0540\");\n script_xref(name:\"MSKB\", value:\"5008478\");\n script_xref(name:\"MSKB\", value:\"5008479\");\n script_xref(name:\"MSFT\", value:\"MS21-5008478\");\n script_xref(name:\"MSFT\", value:\"MS21-5008479\");\n\n script_name(english:\"Security Updates for Microsoft Dynamics 365 (on-premises) (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Dynamics 365 (on-premises) is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Dynamics 365 (on-premises) is missing a security update. It is, therefore, affected by the following\nvulnerability:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-42316)\");\n # https://support.microsoft.com/en-us/topic/service-update-1-6-for-microsoft-dynamics-crm-on-premises-9-1-8a8401c0-b8c8-4288-8c01-59d15692f2ed\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?98abf18c\");\n # https://support.microsoft.com/en-us/topic/service-update-034-for-microsoft-dynamics-crm-on-premises-90-bd536c34-0357-4576-818f-03d80fe4f5db\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?70225975\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB5008478\n -KB5008479\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42316\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:dynamics_365\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_dynamics_365_detect.nbin\");\n script_require_keys(\"installed_sw/Microsoft Dynamics 365 Server\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app = 'Microsoft Dynamics 365 Server';\nvar app_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nvar constraints = [\n { 'min_version' : '9.0', 'fixed_version' : '9.0.34.5', 'fixed_display' : 'Update v9.0 (on-premises) Update 0.34' },\n { 'min_version' : '9.1', 'fixed_version' : '9.1.6.3', 'fixed_display' : 'Update v9.1 (on-premises) Update 1.6' }\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:54", "description": "The Windows 11 installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42276, CVE-2021-42279)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007215: Windows 11 Security Updates (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285"], "modified": "2022-11-21T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007215.NASL", "href": "https://www.tenable.com/plugins/nessus/154997", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154997);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/21\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\"\n );\n script_xref(name:\"MSKB\", value:\"5007215\");\n script_xref(name:\"MSFT\", value:\"MS21-5007215\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"KB5007215: Windows 11 Security Updates (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows 11 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows 11 installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42276,\n CVE-2021-42279)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42280, CVE-2021-42283,\n CVE-2021-42285)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007215\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5007215 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007215');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n rollup_date:'11_2021',\n os_build:'22000',\n bulletin:bulletin,\n rollup_kb_list:[5007215])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:38", "description": "The Windows installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands.\n \n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services.\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information.", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007207: Windows 10 LTS 1507 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007207.NASL", "href": "https://www.tenable.com/plugins/nessus/154987", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154987);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\"\n );\n script_xref(name:\"MSFT\", value:\"MS21-5007207\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"KB5007207: Windows 10 LTS 1507 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute \n unauthorized arbitrary commands.\n \n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component\n to deny system or application services.\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive\n information.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5007207\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42275\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-11';\nkbs = make_list(\n '5007207'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:10240,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007207])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:17", "description": "The remote Windows host is missing security update 5007189.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42284)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007189: Windows 10 Version 1909 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42288"], "modified": "2022-11-21T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007189.NASL", "href": "https://www.tenable.com/plugins/nessus/154989", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154989);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/21\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42288\"\n );\n script_xref(name:\"MSKB\", value:\"5007189\");\n script_xref(name:\"MSFT\", value:\"MS21-5007189\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"KB5007189: Windows 10 Version 1909 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007189.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42275,\n CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42280, CVE-2021-42283,\n CVE-2021-42285)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42284)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007189\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007189.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007189');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'18363',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007189])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:54", "description": "The Microsoft Excel Products are missing security updates.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-40442)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Excel Products (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40442", "CVE-2021-42292"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:microsoft:excel"], "id": "SMB_NT_MS21_NOV_EXCEL.NASL", "href": "https://www.tenable.com/plugins/nessus/154982", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154982);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-40442\", \"CVE-2021-42292\");\n script_xref(name:\"MSKB\", value:\"5002056\");\n script_xref(name:\"MSKB\", value:\"5002072\");\n script_xref(name:\"MSFT\", value:\"MS21-5002056\");\n script_xref(name:\"MSFT\", value:\"MS21-5002072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0541\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n\n script_name(english:\"Security Updates for Microsoft Excel Products (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Excel Products are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Excel Products are missing security updates.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42292)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-40442)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002056\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002072\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB5002056\n -KB5002072\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42292\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"office_installed.nasl\", \"microsoft_office_compatibility_pack_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_office.inc');\n\nvar bulletin = 'MS21-11';\nvar kbs = make_list(\n '5002072',\n '5002056'\n);\n\nvar constraints = [\n { 'kb':'5002072', 'fixed_version': '15.0.5397.1001', 'sp' : 1},\n { 'kb':'5002056', 'channel':'MSI', 'fixed_version': '16.0.5239.1001', 'sp' : 0}\n];\n\nvcf::microsoft::office_product::check_version_and_report(\n kbs:kbs,\n constraints:constraints,\n severity:SECURITY_WARNING,\n bulletin:bulletin,\n subproduct:'Excel'\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:23", "description": "The Microsoft Office product installed on the remote host is affected by multiple vulnerabilities, as follows:\n\n - A remote code execution vulnerability in Excel that can be exploited by an unauthenticated, local attacker. (CVE-2021-40442)\n\n - A security feature bypass vulnerability in Excel that can be exploited by an unauthenticated, local attacker. (CVE-2021-42292)\n\n Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-17T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Office (November 2021) (macOS)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40442", "CVE-2021-42292"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:microsoft:office", "cpe:/a:microsoft:excel"], "id": "MACOS_MS21_NOV_OFFICE.NASL", "href": "https://www.tenable.com/plugins/nessus/155448", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155448);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-40442\", \"CVE-2021-42292\");\n script_xref(name:\"IAVA\", value:\"2021-A-0541\");\n script_xref(name:\"IAVA\", value:\"2021-A-0546-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n\n script_name(english:\"Security Updates for Microsoft Office (November 2021) (macOS)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Office product installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Office product installed on the remote host is affected by multiple vulnerabilities, as follows:\n\n - A remote code execution vulnerability in Excel that can be exploited by an unauthenticated, local\n attacker. (CVE-2021-40442)\n\n - A security feature bypass vulnerability in Excel that can be exploited by an unauthenticated, local\n attacker. (CVE-2021-42292)\n\n \nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-office-for-mac\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?43ed1b90\");\n # https://docs.microsoft.com/en-us/officeupdates/release-notes-office-for-mac#november-16-2021\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?945bbaf2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Microsoft Office for Mac.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42292\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_office_installed.nbin\");\n script_require_keys(\"Host/MacOSX/Version\", \"installed_sw/Microsoft Excel\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar os = get_kb_item_or_exit('Host/MacOSX/Version');\nvar apps = make_list('Microsoft Excel');\nvar report = '';\n\n#2019\nvar min_ver_19 = '16.17.0';\nvar fix_ver_19 = '16.55';\nvar fix_disp_19 = '16.55 (21111400)';\n\nforeach var app (apps)\n{\n var installs = get_installs(app_name:app);\n if (isnull(installs[1]))\n continue;\n\n foreach var install (installs[1])\n {\n var version = install['version'];\n\n if (ver_compare(ver:version, minver:min_ver_19, fix:fix_ver_19, strict:FALSE) < 0)\n {\n var app_label = app + ' for Mac 2019';\n report +=\n '\\n\\n Product : ' + app_label +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix_disp_19;\n }\n }\n}\nif (empty(report))\n audit(AUDIT_HOST_NOT, 'affected');\n\nif (os =~ \"^Mac OS X 10\\.([0-9]([^0-9]|$)|1[0-4])\")\n report += '\\n Note : Update will require macOS 10.15.0 or later.\\n';\n\nsecurity_report_v4(severity:SECURITY_WARNING, port:0, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:31:19", "description": "The Microsoft Office Products are missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - Two remote code execution vulnerabilities. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-41368)", "cvss3": {}, "published": "2022-06-01T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Office Products C2R (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-41368", "CVE-2021-42292"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:microsoft:office"], "id": "SMB_NT_MS21_NOV_OFFICE_C2R.NASL", "href": "https://www.tenable.com/plugins/nessus/161754", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161754);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-41368\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n script_xref(name:\"IAVA\", value:\"2021-A-0546-S\");\n\n script_name(english:\"Security Updates for Microsoft Office Products C2R (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Office Products are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Office Products are missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - Two remote code execution vulnerabilities. An attacker can exploit this to bypass authentication and\n execute unauthorized arbitrary commands. (CVE-2021-41368)\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-office-2019\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?42ab6861\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-microsoft365-apps-by-date\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd4508ff\");\n script_set_attribute(attribute:\"solution\", value:\n\"For Office 365, Office 2016 C2R, or Office 2019, ensure automatic\nupdates are enabled or open any office app and manually perform an\nupdate.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-41368\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"office_installed.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_office.inc');\n\nvar bulletin = 'MS21-11';\nvar app_info = vcf::microsoft::office::get_app_info(app:'Microsoft Office');\n\nvar constraints = [\n {'product' : 'Microsoft Office 2016', 'channel':'Deferred', 'channel_version':'2102', 'file':'graph.exe', 'fixed_version': '16.0.13801.21050'},\n {'product' : 'Microsoft Office 2016', 'channel':'Deferred', 'file':'graph.exe', 'fixed_version': '16.0.13127.21820'},\n {'product' : 'Microsoft Office 2016', 'channel':'Microsoft 365 Apps on Windows 7', 'file':'graph.exe', 'fixed_version': '16.0.12527.22060'},\n {'product' : 'Microsoft Office 2016', 'channel':'Enterprise Deferred', 'channel_version':'2109', 'file':'graph.exe', 'fixed_version': '16.0.14430.20342'},\n {'product' : 'Microsoft Office 2016', 'channel':'Enterprise Deferred', 'file':'graph.exe', 'fixed_version': '16.0.14326.20600'},\n {'product' : 'Microsoft Office 2016', 'channel':'First Release for Deferred', 'file':'graph.exe', 'fixed_version': '16.0.14326.20600'},\n {'product' : 'Microsoft Office 2016', 'channel':'2016 Retail', 'file':'graph.exe', 'fixed_version': '16.0.14527.20276'},\n {'product' : 'Microsoft Office 2016', 'channel':'Current', 'file':'graph.exe', 'fixed_version': '16.0.14527.20276'},\n {'product' : 'Microsoft Office 2019', 'channel':'2019 Volume', 'file':'graph.exe', 'fixed_version': '16.0.10380.20037'},\n {'product' : 'Microsoft Office 2019', 'channel':'2019 Retail', 'file':'graph.exe', 'fixed_version': '16.0.14527.20276'},\n {'product' : 'Microsoft Office 2021', 'channel':'LTSC 2021', 'file':'graph.exe', 'fixed_version': '16.0.14332.20176'},\n {'product' : 'Microsoft Office 2021', 'channel':'2021 Retail', 'file':'graph.exe', 'fixed_version': '16.0.14527.20276'}\n];\n\nvcf::microsoft::office::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING,\n bulletin:bulletin,\n subproduct:'Excel'\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:30:57", "description": "The Microsoft Excel Products are missing security updates.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-40442)", "cvss3": {}, "published": "2022-06-01T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Excel Products C2R (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40442", "CVE-2021-42292"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:microsoft:excel"], "id": "SMB_NT_MS21_NOV_EXCEL_C2R.NASL", "href": "https://www.tenable.com/plugins/nessus/161757", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161757);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-40442\", \"CVE-2021-42292\");\n script_xref(name:\"IAVA\", value:\"2021-A-0541\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n\n script_name(english:\"Security Updates for Microsoft Excel Products C2R (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Excel Products are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Excel Products are missing security updates.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42292)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-40442)\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-office-2019\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?42ab6861\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-microsoft365-apps-by-date\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd4508ff\");\n script_set_attribute(attribute:\"solution\", value:\n\"For Office 365, Office 2016 C2R, or Office 2019, ensure automatic\nupdates are enabled or open any office app and manually perform an\nupdate.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42292\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"office_installed.nasl\", \"microsoft_office_compatibility_pack_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_office.inc');\n\nvar bulletin = 'MS21-11';\n\nvar constraints = [\n { 'channel':'Deferred', 'channel_version':'2102', 'fixed_version': '16.0.13801.21050'},\n { 'channel':'Deferred', 'fixed_version': '16.0.13127.21820'},\n { 'channel':'Microsoft 365 Apps on Windows 7', 'fixed_version': '16.0.12527.22060'},\n { 'channel':'Enterprise Deferred', 'channel_version':'2109', 'fixed_version': '16.0.14430.20342'},\n { 'channel':'Enterprise Deferred', 'fixed_version': '16.0.14326.20600'},\n { 'channel':'First Release for Deferred', 'fixed_version': '16.0.14326.20600'},\n { 'channel':'2016 Retail', 'fixed_version': '16.0.14527.20276'},\n { 'channel':'Current', 'fixed_version': '16.0.14527.20276'},\n { 'channel':'2019 Volume', 'fixed_version': '16.0.10380.20037'},\n { 'channel':'2019 Retail', 'fixed_version': '16.0.14527.20276'},\n { 'channel':'LTSC 2021', 'fixed_version': '16.0.14332.20176'},\n { 'channel':'2021 Retail', 'fixed_version': '16.0.14527.20276'}\n];\n\nvcf::microsoft::office_product::check_version_and_report(\n constraints:constraints,\n severity:SECURITY_WARNING,\n bulletin:bulletin,\n subproduct:'Excel'\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:01", "description": "The remote Windows host is missing security update 5007246 or cumulative update 5007263. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007246: Windows Server 2008 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007246.NASL", "href": "https://www.tenable.com/plugins/nessus/154983", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154983);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38666\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007246\");\n script_xref(name:\"MSKB\", value:\"5007263\");\n script_xref(name:\"MSFT\", value:\"MS21-5007246\");\n script_xref(name:\"MSFT\", value:\"MS21-5007263\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007246: Windows Server 2008 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007246\nor cumulative update 5007263. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377,\n CVE-2021-41379, CVE-2021-42278, CVE-2021-42282,\n CVE-2021-42283, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007246\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007246 or Cumulative Update KB5007263.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-38666\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007246', '5007263');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007246, 5007263])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:59:47", "description": "The remote Windows host is missing security update. See Vendor Advisory for KB5007205", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007205: Windows 2022 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007205.NASL", "href": "https://www.tenable.com/plugins/nessus/154994", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154994);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007205\");\n script_xref(name:\"MSFT\", value:\"MS21-5007205\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007205: Windows 2022 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update. See\nVendor Advisory for KB5007205\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007205\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5007205.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007205');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'20348',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007205])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:01", "description": "The remote Windows host is missing security update 5007233 or cumulative update 5007236. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007233: Windows 7 and Windows Server 2008 R2 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007233.NASL", "href": "https://www.tenable.com/plugins/nessus/154984", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154984);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007233\");\n script_xref(name:\"MSKB\", value:\"5007236\");\n script_xref(name:\"MSFT\", value:\"MS21-5007233\");\n script_xref(name:\"MSFT\", value:\"MS21-5007236\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007233: Windows 7 and Windows Server 2008 R2 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007233\nor cumulative update 5007236. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377,\n CVE-2021-41379, CVE-2021-42278, CVE-2021-42282,\n CVE-2021-42283, CVE-2021-42285, CVE-2021-42287,\n CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007233\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007233 or Cumulative Update KB5007236.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007233', '5007236');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007233, 5007236])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:59:47", "description": "The remote Windows host is missing security update 5007206.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42278, CVE-2021-42280, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007206: Windows 10 Version 1809 and Windows Server 2019 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42288", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007206.NASL", "href": "https://www.tenable.com/plugins/nessus/154993", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154993);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42288\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007206\");\n script_xref(name:\"MSFT\", value:\"MS21-5007206\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007206: Windows 10 Version 1809 and Windows Server 2019 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007206.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42275,\n CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42278, CVE-2021-42280,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007206\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007206.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007206');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'17763',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007206])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:17", "description": "The remote Windows host is missing security update 5007186.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285, CVE-2021-42286)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007186: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 (November 2021) ", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42286", "CVE-2021-42287", "CVE-2021-42288", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007186.NASL", "href": "https://www.tenable.com/plugins/nessus/154986", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154986);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42286\",\n \"CVE-2021-42287\",\n \"CVE-2021-42288\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007186\");\n script_xref(name:\"MSFT\", value:\"MS21-5007186\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007186: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 (November 2021) \");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007186.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42280, CVE-2021-42283,\n CVE-2021-42285, CVE-2021-42286)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42275,\n CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007186\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007186.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007186');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19041',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007186])\n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19042',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007186]) \n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19043',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007186]) \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:54", "description": "The Microsoft Office Products are missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - Two remote code execution vulnerabilities. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-40442, CVE-2021-41368)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Office Products (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40442", "CVE-2021-41368", "CVE-2021-42292"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:microsoft:office"], "id": "SMB_NT_MS21_NOV_OFFICE.NASL", "href": "https://www.tenable.com/plugins/nessus/155000", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155000);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-40442\", \"CVE-2021-41368\", \"CVE-2021-42292\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n script_xref(name:\"MSKB\", value:\"5002038\");\n script_xref(name:\"MSKB\", value:\"4486670\");\n script_xref(name:\"MSKB\", value:\"5002035\");\n script_xref(name:\"MSKB\", value:\"5002032\");\n script_xref(name:\"MSFT\", value:\"MS21-5002038\");\n script_xref(name:\"MSFT\", value:\"MS21-4486670\");\n script_xref(name:\"MSFT\", value:\"MS21-5002035\");\n script_xref(name:\"MSFT\", value:\"MS21-5002032\");\n script_xref(name:\"IAVA\", value:\"2021-A-0546-S\");\n\n script_name(english:\"Security Updates for Microsoft Office Products (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Office Products are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Office Products are missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - Two remote code execution vulnerabilities. An attacker can exploit this to bypass authentication and\n execute unauthorized arbitrary commands. (CVE-2021-40442, CVE-2021-41368)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4486670\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002032\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002035\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002038\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB4486670\n -KB5002032\n -KB5002038\n -KB5002035\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42292\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"office_installed.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_office.inc');\n\nvar bulletin = 'MS21-11';\nvar kbs = make_list(\n '4886670',\n '5002032',\n '5002035',\n '5002038'\n);\nvar severity = SECURITY_WARNING;\n\nvar app_info = vcf::microsoft::office::get_app_info(app:'Microsoft Office', kbs:kbs, bulletin:bulletin, severity:severity);\n\nvar constraints = [\n {'product' : 'Microsoft Office 2013 SP1', 'kb':'5002038', 'file':'acecore.dll', 'fixed_version': '15.0.5397.1000'},\n {'product' : 'Microsoft Office 2013 SP1', 'kb':'5002035', 'file':'mso.dll', 'fixed_version': '15.0.5397.1001'},\n {'product' : 'Microsoft Office 2016', 'kb':'4886670', 'file':'mso99lwin32client.dll', 'fixed_version': '16.0.5239.1001'},\n {'product' : 'Microsoft Office 2016', 'kb':'5002032', 'file':'acecore.dll', 'fixed_version': '16.0.5239.1000'}\n];\n\nvcf::microsoft::office::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:severity,\n bulletin:bulletin,\n subproduct:'Excel'\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:38", "description": "The remote Windows host is missing security update 5007245 or cumulative update 5007245. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007245: Windows Server 2012 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007245.NASL", "href": "https://www.tenable.com/plugins/nessus/154995", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154995);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007245\");\n script_xref(name:\"MSKB\", value:\"5007260\");\n script_xref(name:\"MSFT\", value:\"MS21-5007245\");\n script_xref(name:\"MSFT\", value:\"MS21-5007260\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007245: Windows Server 2012 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007245\nor cumulative update 5007245. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370,\n CVE-2021-41377, CVE-2021-41379, CVE-2021-42278,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007245\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007260\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007245 or Cumulative Update 5007260.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = \"MS21-11\";\nvar kbs = make_list('5007245', '5007260');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nvar productname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007245, 5007260])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:57:54", "description": "An update of the nxtgn package has been released.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-27T00:00:00", "type": "nessus", "title": "Photon OS 3.0: Nxtgn PHSA-2021-3.0-0290", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:nxtgn", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2021-3_0-0290_NXTGN.NASL", "href": "https://www.tenable.com/plugins/nessus/152885", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-3.0-0290. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152885);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"Photon OS 3.0: Nxtgn PHSA-2021-3.0-0290\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the nxtgn package has been released.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-290.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:nxtgn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 3.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nvar flag = 0;\n\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'nxtgn-openssl-1.1.1l-1.ph3')) flag++;\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'nxtgn-openssl-c_rehash-1.1.1l-1.ph3')) flag++;\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'nxtgn-openssl-devel-1.1.1l-1.ph3')) flag++;\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'nxtgn-openssl-perl-1.1.1l-1.ph3')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nxtgn');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:30", "description": "According to the versions of the openssl111d packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : openssl111d (EulerOS-SA-2021-2668)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl111d", "p-cpe:/a:huawei:euleros:openssl111d-devel", "p-cpe:/a:huawei:euleros:openssl111d-libs", "p-cpe:/a:huawei:euleros:openssl111d-static", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2668.NASL", "href": "https://www.tenable.com/plugins/nessus/155287", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155287);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS 2.0 SP5 : openssl111d (EulerOS-SA-2021-2668)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl111d packages installed, the EulerOS installation on the remote host is affected\nby the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2668\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b17cd4b1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl111d packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl111d\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl111d-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl111d-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl111d-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl111d-1.1.1d-2.h11.eulerosv2r7\",\n \"openssl111d-devel-1.1.1d-2.h11.eulerosv2r7\",\n \"openssl111d-libs-1.1.1d-2.h11.eulerosv2r7\",\n \"openssl111d-static-1.1.1d-2.h11.eulerosv2r7\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl111d\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:34", "description": "According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-17T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.0 : openssl (EulerOS-SA-2021-2770)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-04-18T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:uvp:2.9.0"], "id": "EULEROS_SA-2021-2770.NASL", "href": "https://www.tenable.com/plugins/nessus/155533", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155533);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/18\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS Virtualization 2.9.0 : openssl (EulerOS-SA-2021-2770)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2770\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5602d657\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-libs-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-perl-1.1.1f-7.h17.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:05", "description": "According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : openssl (EulerOS-SA-2021-2717)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2717.NASL", "href": "https://www.tenable.com/plugins/nessus/155249", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155249);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS 2.0 SP9 : openssl (EulerOS-SA-2021-2717)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2717\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e9e00996\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-libs-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-perl-1.1.1f-7.h17.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:33:08", "description": "According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is missing the security patch SC-202109.1, therefore affected by multiple vulnerabilities as referenced in the 1.1.1l advisory:\n\n - A heap-based buffer overflow condition exists due to the implementation of the SM2 decryption. An unauthenticated, remote attacker can exploit this, via specially crafted request, to cause a denial of service condition or the execution of arbitrary code. (CVE-2021-3711)\n\n - An out-of-bounds read error exists in due to improper handling of ASN.1 strings. An unauthenticated, remote attacker can exploit this, via a specially crafted ASN1_STRING structure, to cause a denial of service condition or disclosure of sensitive information. (CVE-2021-3712)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported patching information.", "cvss3": {}, "published": "2021-09-23T00:00:00", "type": "nessus", "title": "Tenable SecurityCenter OpenSSL < 1.1.1l Multiple Vulnerabilities (TNS-2021-16)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-09-24T00:00:00", "cpe": ["cpe:/a:tenable:securitycenter"], "id": "SECURITYCENTER_OPENSSL_1_1_1L_TNS_2021_16.NASL", "href": "https://www.tenable.com/plugins/nessus/153589", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153589);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/24\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n\n script_name(english:\"Tenable SecurityCenter OpenSSL < 1.1.1l Multiple Vulnerabilities (TNS-2021-16)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is missing\nthe security patch SC-202109.1, therefore affected by multiple vulnerabilities as referenced in the 1.1.1l advisory:\n\n - A heap-based buffer overflow condition exists due to the implementation of the SM2 decryption. An\n unauthenticated, remote attacker can exploit this, via specially crafted request, to cause a denial of\n service condition or the execution of arbitrary code. (CVE-2021-3711)\n\n - An out-of-bounds read error exists in due to improper handling of ASN.1 strings. An unauthenticated, remote\n attacker can exploit this, via a specially crafted ASN1_STRING structure, to cause a denial of service\n condition or disclosure of sensitive information. (CVE-2021-3712)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported patching\ninformation.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/tns-2021-16\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20210824.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the security patch referenced in the vendor advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:tenable:securitycenter\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"securitycenter_installed.nbin\");\n script_require_ports(\"installed_sw/Tenable SecurityCenter\");\n\n exit(0);\n}\n\ninclude('vcf_extras.inc');\n\nvar patches = make_list('SC-202109.1');\nvar app_info = vcf::tenable_sc::get_app_info();\n\nvcf::tenable_sc::check_for_patch(app_info:app_info, patches:patches);\n\nvar constraints = [\n { 'min_version' : '5.16.0', 'max_version' : '5.19.1', 'fixed_display' : 'Apply Patch SC-202109.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:42", "description": "The remote Ubuntu 18.04 LTS / 20.04 LTS / 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5051-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-24T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS / 21.04 : OpenSSL vulnerabilities (USN-5051-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:21.04", "p-cpe:/a:canonical:ubuntu_linux:libssl-dev", "p-cpe:/a:canonical:ubuntu_linux:libssl1.1", "p-cpe:/a:canonical:ubuntu_linux:openssl"], "id": "UBUNTU_USN-5051-1.NASL", "href": "https://www.tenable.com/plugins/nessus/152784", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5051-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152784);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"USN\", value:\"5051-1\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS / 21.04 : OpenSSL vulnerabilities (USN-5051-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS / 20.04 LTS / 21.04 host has packages installed that are affected by multiple\nvulnerabilities as referenced in the USN-5051-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5051-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected libssl-dev, libssl1.1 and / or openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssl-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssl1.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openssl\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nvar release = chomp(release);\nif (! preg(pattern:\"^(18\\.04|20\\.04|21\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04 / 21.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\nvar pkgs = [\n {'osver': '18.04', 'pkgname': 'libssl-dev', 'pkgver': '1.1.1-1ubuntu2.1~18.04.13'},\n {'osver': '18.04', 'pkgname': 'libssl1.1', 'pkgver': '1.1.1-1ubuntu2.1~18.04.13'},\n {'osver': '18.04', 'pkgname': 'openssl', 'pkgver': '1.1.1-1ubuntu2.1~18.04.13'},\n {'osver': '20.04', 'pkgname': 'libssl-dev', 'pkgver': '1.1.1f-1ubuntu2.8'},\n {'osver': '20.04', 'pkgname': 'libssl1.1', 'pkgver': '1.1.1f-1ubuntu2.8'},\n {'osver': '20.04', 'pkgname': 'openssl', 'pkgver': '1.1.1f-1ubuntu2.8'},\n {'osver': '21.04', 'pkgname': 'libssl-dev', 'pkgver': '1.1.1j-1ubuntu3.5'},\n {'osver': '21.04', 'pkgname': 'libssl1.1', 'pkgver': '1.1.1j-1ubuntu3.5'},\n {'osver': '21.04', 'pkgname': 'openssl', 'pkgver': '1.1.1j-1ubuntu3.5'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libssl-dev / libssl1.1 / openssl');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:44", "description": "The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2833-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-25T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : openssl-1_1 (SUSE-SU-2021:2833-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel", "p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel-32bit", "p-cpe:/a:novell:suse_linux:libopenssl1_1", "p-cpe:/a:novell:suse_linux:libopenssl1_1-32bit", "p-cpe:/a:novell:suse_linux:openssl-1_1", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-2833-1.NASL", "href": "https://www.tenable.com/plugins/nessus/152808", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:2833-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152808);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:2833-1\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : openssl-1_1 (SUSE-SU-2021:2833-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2021:2833-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189520\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189521\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-August/009346.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b313f12a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3712\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssl-1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED12 / SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP5\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP4/5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'libopenssl1_1-1.1.1d-2.36.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-2.36.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'openssl-1_1-1.1.1d-2.36.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'libopenssl1_1-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'openssl-1_1-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'libopenssl-1_1-devel-1.1.1d-2.36.2', 'sp':'5', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'libopenssl-1_1-devel-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'libopenssl-1_1-devel-32bit-1.1.1d-2.36.2', 'sp':'5', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'libopenssl-1_1-devel-32bit-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'libopenssl1_1-1.1.1d-2.36.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-2.36.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'openssl-1_1-1.1.1d-2.36.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'libopenssl1_1-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'openssl-1_1-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libopenssl-1_1-devel / libopenssl-1_1-devel-32bit / libopenssl1_1 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:56", "description": "An update of the nxtgn package has been released.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-27T00:00:00", "type": "nessus", "title": "Photon OS 2.0: Nxtgn PHSA-2021-2.0-0383", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:nxtgn", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2021-2_0-0383_NXTGN.NASL", "href": "https://www.tenable.com/plugins/nessus/152882", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-2.0-0383. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152882);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"Photon OS 2.0: Nxtgn PHSA-2021-2.0-0383\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the nxtgn package has been released.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-383.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:nxtgn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 2.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nvar flag = 0;\n\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'nxtgn-openssl-1.1.1l-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'nxtgn-openssl-c_rehash-1.1.1l-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'nxtgn-openssl-devel-1.1.1l-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'nxtgn-openssl-perl-1.1.1l-1.ph2')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nxtgn');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:54", "description": "The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4963 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-24T00:00:00", "type": "nessus", "title": "Debian DSA-4963-1 : openssl - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libcrypto1.1-udeb", "p-cpe:/a:debian:debian_linux:libssl-dev", "p-cpe:/a:debian:debian_linux:libssl-doc", "p-cpe:/a:debian:debian_linux:libssl1.1", "p-cpe:/a:debian:debian_linux:libssl1.1-udeb", "p-cpe:/a:debian:debian_linux:openssl", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-4963.NASL", "href": "https://www.tenable.com/plugins/nessus/152783", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-4963. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152783);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"Debian DSA-4963-1 : openssl - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the\ndsa-4963 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/openssl\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2021/dsa-4963\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3712\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/buster/openssl\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/openssl\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the openssl packages.\n\nFor the stable distribution (bullseye), these problems have been fixed in version 1.1.1k-1+deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcrypto1.1-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl1.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl1.1-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! preg(pattern:\"^(10)\\.[0-9]+|^(11)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 10.0 / 11.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '10.0', 'prefix': 'libcrypto1.1-udeb', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '10.0', 'prefix': 'libssl-dev', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '10.0', 'prefix': 'libssl-doc', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '10.0', 'prefix': 'libssl1.1', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '10.0', 'prefix': 'libssl1.1-udeb', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '10.0', 'prefix': 'openssl', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '11.0', 'prefix': 'libcrypto1.1-udeb', 'reference': '1.1.1k-1+deb11u1'},\n {'release': '11.0', 'prefix': 'libssl-dev', 'reference': '1.1.1k-1+deb11u1'},\n {'release': '11.0', 'prefix': 'libssl-doc', 'reference': '1.1.1k-1+deb11u1'},\n {'release': '11.0', 'prefix': 'libssl1.1', 'reference': '1.1.1k-1+deb11u1'},\n {'release': '11.0', 'prefix': 'libssl1.1-udeb', 'reference': '1.1.1k-1+deb11u1'},\n {'release': '11.0', 'prefix': 'openssl', 'reference': '1.1.1k-1+deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libcrypto1.1-udeb / libssl-dev / libssl-doc / libssl1.1 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:33:47", "description": "An update of the openssl package has been released.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-07T00:00:00", "type": "nessus", "title": "Photon OS 4.0: Openssl PHSA-2021-4.0-0094", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openssl", "cpe:/o:vmware:photonos:4.0"], "id": "PHOTONOS_PHSA-2021-4_0-0094_OPENSSL.NASL", "href": "https://www.tenable.com/plugins/nessus/153044", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-4.0-0094. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153044);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"Photon OS 4.0: Openssl PHSA-2021-4.0-0094\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openssl package has been released.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-4.0-94.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:4.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 4\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 4.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nvar flag = 0;\n\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'openssl-1.1.1l-1.ph4')) flag++;\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'openssl-c_rehash-1.1.1l-1.ph4')) flag++;\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'openssl-devel-1.1.1l-1.ph4')) flag++;\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'openssl-docs-1.1.1l-1.ph4')) flag++;\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'openssl-perl-1.1.1l-1.ph4')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openssl');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:12", "description": "According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-02T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : openssl (EulerOS-SA-2021-2639)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-devel", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2639.NASL", "href": "https://www.tenable.com/plugins/nessus/154790", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154790);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS 2.0 SP8 : openssl (EulerOS-SA-2021-2639)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2639\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ca17e004\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-devel-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-libs-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-perl-1.1.1-3.h18.eulerosv2r8\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:41", "description": "According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-04-18T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.10.1 : openssl (EulerOS-SA-2022-1391)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-04-18T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:uvp:2.10.1"], "id": "EULEROS_SA-2022-1391.NASL", "href": "https://www.tenable.com/plugins/nessus/159859", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159859);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/18\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0030\");\n script_xref(name:\"IAVA\", value:\"2021-A-0487\");\n script_xref(name:\"IAVA\", value:\"2022-A-0035\");\n\n script_name(english:\"EulerOS Virtualization 2.10.1 : openssl (EulerOS-SA-2022-1391)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1391\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1e4c41d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.10.1\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.10.1\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.10.1\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-8.h14.eulerosv2r10\",\n \"openssl-libs-1.1.1f-8.h14.eulerosv2r10\",\n \"openssl-perl-1.1.1f-8.h14.eulerosv2r10\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:57", "description": "According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-04-18T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.10.0 : openssl (EulerOS-SA-2022-1417)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-04-18T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:uvp:2.10.0"], "id": "EULEROS_SA-2022-1417.NASL", "href": "https://www.tenable.com/plugins/nessus/159838", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159838);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/18\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0030\");\n script_xref(name:\"IAVA\", value:\"2021-A-0487\");\n script_xref(name:\"IAVA\", value:\"2022-A-0035\");\n\n script_name(english:\"EulerOS Virtualization 2.10.0 : openssl (EulerOS-SA-2022-1417)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1417\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68d1651a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.10.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.10.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.10.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-8.h14.eulerosv2r10\",\n \"openssl-libs-1.1.1f-8.h14.eulerosv2r10\",\n \"openssl-perl-1.1.1f-8.h14.eulerosv2r10\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:47", "description": "The version of Nessus Network Monitor (NNM) installed on the remote host is prior to 6.0.0. It is, therefore, affected by multiple vulnerabilities:\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-06T00:00:00", "type": "nessus", "title": "Nessus Network Monitor < 6.0.0 Multiple Vulnerabilities (TNS-2022-02)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/a:tenable:nnm"], "id": "NNM_6_0_0.NASL", "href": "https://www.tenable.com/plugins/nessus/160640", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160640);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n\n script_name(english:\"Nessus Network Monitor < 6.0.0 Multiple Vulnerabilities (TNS-2022-02)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A vulnerability scanner installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Nessus Network Monitor (NNM) installed on the remote host is prior to 6.0.0. It is, therefore, affected\nby multiple vulnerabilities:\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer \n holding the string data and a field holding the buffer length. This contrasts with normal C strings which \n are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict \n requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing \n functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally \n NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly \n construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data \n and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. \n Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array \n will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. \n Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains \n ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, \n then a read buffer overrun can occur. The same thing can also occur during name constraints processing of \n certificates (for example if a certificate has been directly constructed by the application instead of \n loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING\n structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() \n functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then \n process it through one of the affected OpenSSL functions then this issue could be hit. This might result \n in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory \n contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). \n Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).\n \n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). \n Typically an application will call this function twice. The first time, on entry, the out parameter can be \n NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted \n plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, \n but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 \n decryption code means that the calculation of the buffer size required to hold the plaintext returned by the\n first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can \n lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer \n that is too small. A malicious attacker who is able present SM2 content for decryption to an application \n could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents \n of other data held after the buffer, possibly changing application behaviour or causing the application to \n crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in \n OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported \n version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/tns-2022-02\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Nessus Network Monitor version 6.0.0 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:tenable:nnm\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nnm_installed_win.nbin\", \"nnm_installed_nix.nbin\");\n script_require_keys(\"installed_sw/Tenable NNM\", \"Host/nnm_installed\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_name = 'Tenable NNM';\n\nvar app_info = vcf::get_app_info(app:app_name);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { 'max_version': '5.13.1', 'fixed_version' : '6.0.0' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:02", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1188-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-26T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : openssl-1_1 (openSUSE-SU-2021:1188-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libopenssl-1_1-devel", "p-cpe:/a:novell:opensuse:libopenssl-1_1-devel-32bit", "p-cpe:/a:novell:opensuse:libopenssl1_1", "p-cpe:/a:novell:opensuse:libopenssl1_1-32bit", "p-cpe:/a:novell:opensuse:libopenssl1_1-hmac", "p-cpe:/a:novell:opensuse:libopenssl1_1-hmac-32bit", "p-cpe:/a:novell:opensuse:openssl-1_1", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-1188.NASL", "href": "https://www.tenable.com/plugins/nessus/152841", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:1188-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152841);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"openSUSE 15 Security Update : openssl-1_1 (openSUSE-SU-2021:1188-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2021:1188-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189520\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189521\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YXBKWFNVQ5GSDMIZHMMOGHRWWUOWZMJE/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2aa29c89\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3712\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl-1_1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl-1_1-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-hmac\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-hmac-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssl-1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'libopenssl-1_1-devel-1.1.1d-lp152.7.21.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl-1_1-devel-32bit-1.1.1d-lp152.7.21.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-1.1.1d-lp152.7.21.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-32bit-1.1.1d-lp152.7.21.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-hmac-1.1.1d-lp152.7.21.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-lp152.7.21.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'openssl-1_1-1.1.1d-lp152.7.21.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libopenssl-1_1-devel / libopenssl-1_1-devel-32bit / libopenssl1_1 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:02", "description": "The OpenSSL project reports :\n\nSM2 Decryption Buffer Overflow (CVE-2021-3711: High)\n\nRead buffer overruns processing ASN.1 strings (CVE-2021-3712 :\nModerate)", "cvss3": {}, "published": "2021-08-25T00:00:00", "type": "nessus", "title": "FreeBSD : OpenSSL -- multiple vulnerabilities (96811d4a-04ec-11ec-9b84-d4c9ef517024)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:openssl", "p-cpe:/a:freebsd:freebsd:openssl-devel", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_96811D4A04EC11EC9B84D4C9EF517024.NASL", "href": "https://www.tenable.com/plugins/nessus/152818", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152818);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"FreeBSD\", value:\"SA-21:16.openssl\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"FreeBSD : OpenSSL -- multiple vulnerabilities (96811d4a-04ec-11ec-9b84-d4c9ef517024)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The OpenSSL project reports :\n\nSM2 Decryption Buffer Overflow (CVE-2021-3711: High)\n\nRead buffer overruns processing ASN.1 strings (CVE-2021-3712 :\nModerate)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20210824.txt\");\n # https://vuxml.freebsd.org/freebsd/96811d4a-04ec-11ec-9b84-d4c9ef517024.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?00e2f428\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"openssl<1.1.1l,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"openssl-devel<3.0.0.b3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:16:37", "description": "According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : openssl (EulerOS-SA-2021-2692)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2692.NASL", "href": "https://www.tenable.com/plugins/nessus/155238", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155238);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS 2.0 SP9 : openssl (EulerOS-SA-2021-2692)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2692\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c43bb2e9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-libs-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-perl-1.1.1f-7.h17.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:46", "description": "According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-17T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.1 : openssl (EulerOS-SA-2021-2733)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-04-18T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:uvp:2.9.1"], "id": "EULEROS_SA-2021-2733.NASL", "href": "https://www.tenable.com/plugins/nessus/155478", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155478);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/18\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS Virtualization 2.9.1 : openssl (EulerOS-SA-2021-2733)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2733\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d11351d1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.1\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.1\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.1\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-libs-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-perl-1.1.1f-7.h17.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:23", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2830-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-25T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : openssl-1_1 (openSUSE-SU-2021:2830-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libopenssl-1_1-devel", "p-cpe:/a:novell:opensuse:libopenssl-1_1-devel-32bit", "p-cpe:/a:novell:opensuse:libopenssl1_1", "p-cpe:/a:novell:opensuse:libopenssl1_1-32bit", "p-cpe:/a:novell:opensuse:libopenssl1_1-hmac", "p-cpe:/a:novell:opensuse:libopenssl1_1-hmac-32bit", "p-cpe:/a:novell:opensuse:openssl-1_1", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2021-2830.NASL", "href": "https://www.tenable.com/plugins/nessus/152798", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:2830-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152798);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"openSUSE 15 Security Update : openssl-1_1 (openSUSE-SU-2021:2830-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2021:2830-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189520\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189521\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YOUNRN5SCBRRVEIYDG3G3PFLGVRXKDPG/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?89577fdb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3712\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl-1_1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl-1_1-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-hmac\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-hmac-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssl-1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'libopenssl-1_1-devel-1.1.1d-11.27.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl-1_1-devel-32bit-1.1.1d-11.27.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-1.1.1d-11.27.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-32bit-1.1.1d-11.27.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-hmac-1.1.1d-11.27.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-11.27.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'openssl-1_1-1.1.1d-11.27.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libopenssl-1_1-devel / libopenssl-1_1-devel-32bit / libopenssl1_1 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:41:40", "description": "According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-02-12T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.6.0 : openssl (EulerOS-SA-2022-1088)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-02-12T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-devel", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:uvp:3.0.6.0"], "id": "EULEROS_SA-2022-1088.NASL", "href": "https://www.tenable.com/plugins/nessus/157944", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157944);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/12\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0030\");\n script_xref(name:\"IAVA\", value:\"2021-A-0487\");\n\n script_name(english:\"EulerOS Virtualization 3.0.6.0 : openssl (EulerOS-SA-2022-1088)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1088\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f271cae4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-devel-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-libs-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-perl-1.1.1-3.h18.eulerosv2r8\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:23", "description": "The version of OpenSSL installed on the remote host is prior to 1.1.1l. It is, therefore, affected by a vulnerability as referenced in the 1.1.1l advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-24T00:00:00", "type": "nessus", "title": "OpenSSL 1.1.1 < 1.1.1l Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["cpe:/a:openssl:openssl"], "id": "OPENSSL_1_1_1L.NASL", "href": "https://www.tenable.com/plugins/nessus/152782", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152782);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"OpenSSL 1.1.1 < 1.1.1l Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of OpenSSL installed on the remote host is prior to 1.1.1l. It is, therefore, affected by a vulnerability as\nreferenced in the 1.1.1l advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://github.com/openssl/openssl/commit/59f5e75f3bced8fc0e130d72a3f582cf7b480b46\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0bda7eab\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20210824.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to OpenSSL version 1.1.1l or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"openssl_version.nasl\");\n script_require_keys(\"openssl/port\");\n\n exit(0);\n}\n\ninclude('openssl_version.inc');\n\nopenssl_check_version(fixed:'1.1.1l', min:'1.1.1', severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:42", "description": "The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2830-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-25T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : openssl-1_1 (SUSE-SU-2021:2830-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel", "p-cpe:/a:novell:suse_linux:libopenssl1_1", "p-cpe:/a:novell:suse_linux:libopenssl1_1-32bit", "p-cpe:/a:novell:suse_linux:libopenssl1_1-hmac", "p-cpe:/a:novell:suse_linux:libopenssl1_1-hmac-32bit", "p-cpe:/a:novell:suse_linux:openssl-1_1", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-2830-1.NASL", "href": "https://www.tenable.com/plugins/nessus/152800", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:2830-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152800);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:2830-1\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : openssl-1_1 (SUSE-SU-2021:2830-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2021:2830-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189520\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189521\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-August/009341.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e418e41e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3712\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1-hmac\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1-hmac-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssl-1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED15 / SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP2/3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2/3\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'libopenssl-1_1-devel-1.1.1d-11.27.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl-1_1-devel-1.1.1d-11.27.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-1.1.1d-11.27.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-1.1.1d-11.27.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-11.27.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-11.27.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-hmac-1.1.1d-11.27.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-hmac-1.1.1d-11.27.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-11.27.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-11.27.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'openssl-1_1-1.1.1d-11.27.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'openssl-1_1-1.1.1d-11.27.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl-1_1-devel-1.1.1d-11.27.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl-1_1-devel-1.1.1d-11.27.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-1.1.1d-11.27.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-1.1.1d-11.27.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-11.27.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-11.27.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-hmac-1.1.1d-11.27.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-hmac-1.1.1d-11.27.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-11.27.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-11.27.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'openssl-1_1-1.1.1d-11.27.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'openssl-1_1-1.1.1d-11.27.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libopenssl-1_1-devel / libopenssl1_1 / libopenssl1_1-32bit / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:53", "description": "The remote Windows host is missing security update 5007255 or cumulative update 5007247. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-42284)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007255: Windows Server 2012 R2 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007255.NASL", "href": "https://www.tenable.com/plugins/nessus/154996", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154996);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007255\");\n script_xref(name:\"MSKB\", value:\"5007247\");\n script_xref(name:\"MSFT\", value:\"MS21-5007255\");\n script_xref(name:\"MSFT\", value:\"MS21-5007247\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007255: Windows Server 2012 R2 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007255\nor cumulative update 5007247. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-42284)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370,\n CVE-2021-41377, CVE-2021-41379, CVE-2021-42278,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007255\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007247\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007255 or Cumulative Update 5007247.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007255', '5007247');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007255, 5007247])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:53", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-42321)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Security Updates for Exchange (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-41349", "CVE-2021-42305", "CVE-2021-42321"], "modified": "2023-03-06T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_NOV_EXCHANGE.NASL", "href": "https://www.tenable.com/plugins/nessus/154999", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154999);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/06\");\n\n script_cve_id(\"CVE-2021-41349\", \"CVE-2021-42305\", \"CVE-2021-42321\");\n script_xref(name:\"IAVA\", value:\"2021-A-0543-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n script_xref(name:\"MSKB\", value:\"5007409\");\n script_xref(name:\"MSFT\", value:\"MS21-5007409\");\n\n script_name(english:\"Security Updates for Exchange (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-42321)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007409\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5007409 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42321\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange Server ChainedSerializationBinder RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013', \n 'unsupported_cu' : 22, \n 'min_version': '15.0.1497.0', \n 'fixed_version': '15.0.1497.26'\n },\n {\n 'product' : '2016', \n 'unsupported_cu' : 20, \n 'min_version': '15.1.2308.0', \n 'fixed_version': '15.1.2308.20'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 20,\n 'min_version': '15.1.2375.0',\n 'fixed_version': '15.1.2375.17'\n },\n {\n 'product' : '2019', \n 'unsupported_cu' : 9,\n 'min_version': '15.2.922.0',\n 'fixed_version': '15.2.922.19'\n },\n {\n 'product' : '2019', \n 'unsupported' : 9,\n 'min_version': '15.2.986.0',\n 'fixed_version': '15.2.986.14'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report(\n app_info:app_info, \n bulletin:'MS21-11',\n constraints:constraints, \n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:36:08", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-42321)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-09T00:00:00", "type": "nessus", "title": "Security Updates for Exchange (November 2021) (Remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-41349", "CVE-2021-42305", "CVE-2021-42321"], "modified": "2023-03-06T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_NOV_EXCHANGE_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/155962", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155962);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/06\");\n\n script_cve_id(\"CVE-2021-41349\", \"CVE-2021-42305\", \"CVE-2021-42321\");\n script_xref(name:\"IAVA\", value:\"2021-A-0543-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n script_xref(name:\"MSKB\", value:\"5007409\");\n script_xref(name:\"MSFT\", value:\"MS21-5007409\");\n\n script_name(english:\"Security Updates for Exchange (November 2021) (Remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-42321)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007409\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5007409 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42321\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange Server ChainedSerializationBinder RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"exchange_detect.nbin\");\n script_require_keys(\"installed_sw/Exchange Server\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nvar port = get_http_port(default:80);\nvar app = 'Exchange Server';\nvar app_info = vcf::get_app_info(app:app, port:port);\n\nif (report_paranoia < 2)\n vcf::check_granularity(app_info:app_info, sig_segments:4);\n\nvar constraints = [\n {'min_version' : '15.0.1497', 'fixed_version':'15.0.1497.26'},\n {'min_version' : '15.1.2375', 'fixed_version':'15.1.2375.17'},\n {'min_version' : '15.1.2308', 'fixed_version':'15.1.2308.20'},\n {'min_version' : '15.2.986', 'fixed_version':'15.2.986.14'},\n {'min_version' : '15.2.922', 'fixed_version':'15.2.922.19'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:01", "description": "The remote Windows host is missing security update 5007192.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42278, CVE-2021-42280, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007192: Windows 10 Version 1607 and Windows Server 2016 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007192.NASL", "href": "https://www.tenable.com/plugins/nessus/154990", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154990);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007192\");\n script_xref(name:\"MSFT\", value:\"MS21-5007192\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007192: Windows 10 Version 1607 and Windows Server 2016 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007192.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42278, CVE-2021-42280,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007192\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007192.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007192');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'14393',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007192])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:59:18", "description": "The version of MySQL running on the remote host is 5.7.x prior to 5.7.36. It is, therefore, affected by multiple vulnerabilities, including the following, as noted in the October 2021 Critical Patch Update advisory:\n\n - A vulnerability in the OpenSSL component that can result in a takeover of the MySQL server.\n (CVE-2021-3711)\n\n - An easily exploitable vulnerability in the InnoDB component that allows a high privileged attacker to affect the integrity and availability of the MySQL Server. (CVE-2021-35604)\n\n - An easily exploitable vulnerability in the cURL component that allows an unauthenticated, remote attacker to affect the availability of the MySQL Server. (CVE-2021-22926)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-10-20T00:00:00", "type": "nessus", "title": "MySQL 5.7.x < 5.7.36 Multiple Vulnerabilities (Oct 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22926", "CVE-2021-35604", "CVE-2021-35624", "CVE-2021-3711"], "modified": "2021-10-22T00:00:00", "cpe": ["cpe:/a:oracle:mysql"], "id": "MYSQL_5_7_36.NASL", "href": "https://www.tenable.com/plugins/nessus/154259", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154259);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/22\");\n\n script_cve_id(\n \"CVE-2021-3711\",\n \"CVE-2021-22926\",\n \"CVE-2021-35604\",\n \"CVE-2021-35624\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0487\");\n\n script_name(english:\"MySQL 5.7.x < 5.7.36 Multiple Vulnerabilities (Oct 2021 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of MySQL running on the remote host is 5.7.x prior to 5.7.36. It is, therefore, affected by multiple\nvulnerabilities, including the following, as noted in the October 2021 Critical Patch Update advisory:\n\n - A vulnerability in the OpenSSL component that can result in a takeover of the MySQL server.\n (CVE-2021-3711)\n\n - An easily exploitable vulnerability in the InnoDB component that allows a high privileged attacker to\n affect the integrity and availability of the MySQL Server. (CVE-2021-35604)\n\n - An easily exploitable vulnerability in the cURL component that allows an unauthenticated, remote attacker\n to affect the availability of the MySQL Server. (CVE-2021-22926)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixMSQL\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuoct2021cvrf.xml\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL version 5.7.36 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_version.nasl\", \"mysql_login.nasl\", \"mysql_version_local.nasl\", \"mysql_win_installed.nbin\", \"macosx_mysql_installed.nbin\");\n script_require_keys(\"installed_sw/MySQL Server\");\n\n exit(0);\n}\n\ninclude('vcf_extras_mysql.inc');\n\nvar app_info = vcf::mysql::combined_get_app_info();\n\nvar constraints = [{ 'min_version' : '5.7.0', 'fixed_version' : '5.7.36'}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:58", "description": "The remote host is affected by the vulnerability described in GLSA-202209-02 (IBM Spectrum Protect: Multiple Vulnerabilities)\n\n - IBM Spectrum Protect Client 8.1.0.0-8 through 1.11.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking when processing the current locale settings. A local attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash. IBM X-Force ID: 199479 (CVE-2021-29672)\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\n - IBM Spectrum Protect Client 7.1 and 8.1 is vulnerable to a stack based buffer overflow, caused by improper bounds checking. A local attacker could exploit this vulnerability and cause a denial of service. IBM X-Force ID: 214438. (CVE-2021-39048)\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-07T00:00:00", "type": "nessus", "title": "GLSA-202209-02 : IBM Spectrum Protect: Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-29672", "CVE-2021-3711", "CVE-2021-3712", "CVE-2021-39048", "CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-09-07T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:tsm", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202209-02.NASL", "href": "https://www.tenable.com/plugins/nessus/164805", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202209-02.\n#\n# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike\n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164805);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/07\");\n\n script_cve_id(\n \"CVE-2021-3711\",\n \"CVE-2021-3712\",\n \"CVE-2021-4104\",\n \"CVE-2021-29672\",\n \"CVE-2021-39048\"\n );\n\n script_name(english:\"GLSA-202209-02 : IBM Spectrum Protect: Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is affected by the vulnerability described in GLSA-202209-02 (IBM Spectrum Protect: Multiple\nVulnerabilities)\n\n - IBM Spectrum Protect Client 8.1.0.0-8 through 1.11.0 is vulnerable to a stack-based buffer overflow,\n caused by improper bounds checking when processing the current locale settings. A local attacker could\n overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the\n application to crash. IBM X-Force ID: 199479 (CVE-2021-29672)\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\n - IBM Spectrum Protect Client 7.1 and 8.1 is vulnerable to a stack based buffer overflow, caused by improper\n bounds checking. A local attacker could exploit this vulnerability and cause a denial of service. IBM\n X-Force ID: 214438. (CVE-2021-39048)\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.gentoo.org/glsa/202209-02\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=788115\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=829189\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=831509\");\n script_set_attribute(attribute:\"solution\", value:\n\"All IBM Spectrum Protect users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose >=app-backup/tsm-8.1.13.3\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:tsm\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar flag = 0;\n\nvar packages = [\n {\n 'name' : \"app-backup/tsm\",\n 'unaffected' : make_list(\"ge 8.1.13.3\", \"lt 8.0.0\"),\n 'vulnerable' : make_list(\"lt 8.1.13.3\")\n }\n];\n\nforeach package( packages ) {\n if (isnull(package['unaffected'])) package['unaffected'] = make_list();\n if (isnull(package['vulnerable'])) package['vulnerable'] = make_list();\n if (qpkg_check(package: package['name'] , unaffected: package['unaffected'], vulnerable: package['vulnerable'])) flag++;\n}\n\n# This plugin has a different number of unaffected and vulnerable versions for\n# one or more packages. To ensure proper detection, a separate line should be \n# used for each fixed/vulnerable version pair.\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : qpkg_report_get()\n );\n exit(0);\n}\nelse\n{\n qpkg_tests = list_uniq(qpkg_tests);\n var tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"IBM Spectrum Protect\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:45:52", "description": "The version of Nessus Network Monitor (NNM) installed on the remote host is prior to 6.0.1. It is, therefore, affected by multiple vulnerabilities in third-party software.\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-16T00:00:00", "type": "nessus", "title": "Nessus Network Monitor < 6.0.1 Multiple Vulnerabilities (TNS-2022-10)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712", "CVE-2021-41182", "CVE-2021-41183", "CVE-2021-41184", "CVE-2021-4160", "CVE-2022-0778"], "modified": "2022-06-03T00:00:00", "cpe": ["cpe:/a:tenable:nnm"], "id": "NNM_6_0_1.NASL", "href": "https://www.tenable.com/plugins/nessus/161211", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161211);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/03\");\n\n script_cve_id(\n \"CVE-2021-3711\",\n \"CVE-2021-3712\",\n \"CVE-2021-4160\",\n \"CVE-2021-41182\",\n \"CVE-2021-41183\",\n \"CVE-2021-41184\",\n \"CVE-2022-0778\"\n );\n\n script_name(english:\"Nessus Network Monitor < 6.0.1 Multiple Vulnerabilities (TNS-2022-10)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A vulnerability scanner installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Nessus Network Monitor (NNM) installed on the remote host is prior to 6.0.1. It is, therefore, affected\nby multiple vulnerabilities in third-party software.\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported \n version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/tns-2022-10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Nessus Network Monitor version 6.0.0 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:tenable:nnm\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nnm_installed_win.nbin\", \"nnm_installed_nix.nbin\");\n script_require_keys(\"installed_sw/Tenable NNM\", \"Host/nnm_installed\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_name = 'Tenable NNM';\n\nvar app_info = vcf::get_app_info(app:app_name);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { 'fixed_version' : '6.0.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:36:04", "description": "The remote host is affected by the vulnerability described in GLSA-202210-02 (OpenSSL: Multiple Vulnerabilities)\n\n - The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites.\n This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v). (CVE-2020-1968)\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\n - There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc- dev (Affected 1.0.2-1.0.2zb). (CVE-2021-4160)\n\n - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self- signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)\n\n - The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.\n Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n).\n Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). (CVE-2022-1292)\n\n - The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service.\n Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). (CVE-2022-1473)\n\n - AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of in place encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p). (CVE-2022-2097)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-16T00:00:00", "type": "nessus", "title": "GLSA-202210-02 : OpenSSL: Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0701", "CVE-2020-1968", "CVE-2021-3711", "CVE-2021-3712", "CVE-2021-4160", "CVE-2022-0778", "CVE-2022-1292", "CVE-2022-1473", "CVE-2022-2097"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:openssl", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202210-02.NASL", "href": "https://www.tenable.com/plugins/nessus/166162", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202210-02.\n#\n# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike\n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166162);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-1968\",\n \"CVE-2021-3711\",\n \"CVE-2021-3712\",\n \"CVE-2021-4160\",\n \"CVE-2022-0778\",\n \"CVE-2022-1292\",\n \"CVE-2022-1473\",\n \"CVE-2022-2097\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"GLSA-202210-02 : OpenSSL: Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is affected by the vulnerability described in GLSA-202210-02 (OpenSSL: Multiple Vulnerabilities)\n\n - The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to\n compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In\n such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent\n over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across\n multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites.\n This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL\n 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v). (CVE-2020-1968)\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\n - There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are\n affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the\n pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that\n attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not\n believed likely. Attacks against DH are considered just feasible (although very difficult) because most of\n the work necessary to deduce information about a private key may be performed offline. The amount of\n resources required for such an attack would be significant. However, for an attack on TLS to be\n meaningful, the server would have to share the DH private key among multiple clients, which is no longer\n an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was\n addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is\n addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made\n available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in\n OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-\n dev (Affected 1.0.2-1.0.2zb). (CVE-2021-4160)\n\n - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop\n forever for non-prime moduli. Internally this function is used when parsing certificates that contain\n elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point\n encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has\n invalid explicit curve parameters. Since certificate parsing happens prior to verification of the\n certificate signature, any process that parses an externally supplied certificate may thus be subject to a\n denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they\n can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients\n consuming server certificates - TLS servers consuming client certificates - Hosting providers taking\n certificates or private keys from customers - Certificate authorities parsing certification requests from\n subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that\n use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS\n issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate\n which makes it slightly harder to trigger the infinite loop. However any operation which requires the\n public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-\n signed certificate to trigger the loop during verification of the certificate signature. This issue\n affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the\n 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected\n 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)\n\n - The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This\n script is distributed by some operating systems in a manner where it is automatically executed. On such\n operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of\n the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.\n Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n).\n Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). (CVE-2022-1292)\n\n - The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the\n memory occuppied by the removed hash table entries. This function is used when decoding certificates or\n keys. If a long lived process periodically decodes certificates or keys its memory usage will expand\n without bounds and the process might be terminated by the operating system causing a denial of service.\n Also traversing the empty hash table entries will take increasingly more time. Typically such long lived\n processes might be TLS clients or TLS servers configured to accept client certificate authentication. The\n function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in\n OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). (CVE-2022-1473)\n\n - AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt\n the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was\n preexisting in the memory that wasn't written. In the special case of in place encryption, sixteen bytes\n of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and\n DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q\n (Affected 1.1.1-1.1.1p). (CVE-2022-2097)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.gentoo.org/glsa/202210-02\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=741570\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=809980\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=832339\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=835343\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=842489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=856592\");\n script_set_attribute(attribute:\"solution\", value:\n\"All OpenSSL users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose >=dev-libs/openssl-1.1.1q\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-1292\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar flag = 0;\n\nvar packages = [\n {\n 'name' : \"dev-libs/openssl\",\n 'unaffected' : make_list(\"ge 1.1.1q\", \"lt 1.0.0\"),\n 'vulnerable' : make_list(\"lt 1.1.1q\")\n }\n];\n\nforeach package( packages ) {\n if (isnull(package['unaffected'])) package['unaffected'] = make_list();\n if (isnull(package['vulnerable'])) package['vulnerable'] = make_list();\n if (qpkg_check(package: package['name'] , unaffected: package['unaffected'], vulnerable: package['vulnerable'])) flag++;\n}\n\n# This plugin has a different number of unaffected and vulnerable versions for\n# one or more packages. To ensure proper detection, a separate line should be \n# used for each fixed/vulnerable version pair.\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : qpkg_report_get()\n );\n exit(0);\n}\nelse\n{\n qpkg_tests = list_uniq(qpkg_tests);\n var tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"OpenSSL\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:36:31", "description": "The version of IBM Cognos Analytics installed on the remote host is affected by multiple vulnerabilities, including the following:\n\n - OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the EVP_PKEY_decrypt() function within implementation of the SM2 decryption. By sending specially crafted SM2 content, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. (CVE-2021-3711)\n\n - Async could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution in the mapValues() method. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.\n (CVE-2021-43138)\n\n - Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing 'dot dot' sequences (/../) to view arbitrary files on the system.\n (CVE-2021-29425)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-27T00:00:00", "type": "nessus", "title": "IBM Cognos Analytics Multiple Vulnerabilities (6828527)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-29425", "CVE-2021-3711", "CVE-2021-3712", "CVE-2021-3733", "CVE-2021-3737", "CVE-2021-4160", "CVE-2021-43138", "CVE-2022-0391", "CVE-2022-24758", "CVE-2022-34339"], "modified": "2023-01-05T00:00:00", "cpe": ["cpe:/a:ibm:cognos_analytics"], "id": "IBM_COGNOS_6828527.NASL", "href": "https://www.tenable.com/plugins/nessus/166606", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166606);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/05\");\n\n script_cve_id(\n \"CVE-2021-3711\",\n \"CVE-2021-3712\",\n \"CVE-2021-3733\",\n \"CVE-2021-3737\",\n \"CVE-2021-4160\",\n \"CVE-2021-29425\",\n \"CVE-2021-43138\",\n \"CVE-2022-0391\",\n \"CVE-2022-24758\",\n \"CVE-2022-34339\"\n );\n script_xref(name:\"IAVB\", value:\"2022-B-0041-S\");\n\n script_name(english:\"IBM Cognos Analytics Multiple Vulnerabilities (6828527)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of IBM Cognos Analytics installed on the remote host is affected by multiple vulnerabilities, including the\nfollowing:\n\n - OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the EVP_PKEY_decrypt()\n function within implementation of the SM2 decryption. By sending specially crafted SM2 content, a remote\n attacker could overflow a buffer and execute arbitrary code on the system or cause the application to\n crash. (CVE-2021-3711)\n\n - Async could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution\n in the mapValues() method. By persuading a victim to open a specially-crafted file, an attacker could\n exploit this vulnerability to execute arbitrary code on the system.\n (CVE-2021-43138)\n\n - Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper\n input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL\n request containing 'dot dot' sequences (/../) to view arbitrary files on the system.\n (CVE-2021-29425)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.ibm.com/support/pages/node/6828527\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM Cognos Analytics 11.1.7 FP6, 11.2.3, or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:cognos_analytics\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ibm_cognos_analytics_web_detect.nbin\");\n script_require_keys(\"installed_sw/IBM Cognos Analytics\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar app = 'IBM Cognos Analytics';\n\nvar port = get_http_port(default:443);\n\nvar app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\n# Remote detection cannot determine fix pack\nif (app_info.version =~ \"^11\\.1\\.7($|[^0-9])\" && report_paranoia < 2)\n audit(AUDIT_POTENTIAL_VULN, app_info['version'], app);\n\nvar constraints = [\n { 'min_version':'11.1', 'fixed_version':'11.1.8', 'fixed_display':'11.1.7 FP6' },\n { 'min_version':'11.2', 'fixed_version':'11.2.3' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:41:47", "description": "The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:4437-1 advisory.\n\n - ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation. (CVE-2021-36222)\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex:\n {{constructor.constructor(alert(1)')()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.\n (CVE-2021-41174)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions when the fine- grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users' roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag. (CVE-2021-41244)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files.\n The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline. (CVE-2021-43798)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text. (CVE-2021-43813)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. (CVE-2021-43815)\n\n - Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn't call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds. (CVE-2022-29170)\n\n - Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.\n (CVE-2022-31097)\n\n - Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.\n (CVE-2022-31107)\n\n - Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at:\n https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth- proxy/ (CVE-2022-35957)\n\n - Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.\n (CVE-2022-36062)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-01-20T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2022:4437-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-36222", "CVE-2021-3711", "CVE-2021-41174", "CVE-2021-41244", "CVE-2021-43798", "CVE-2021-43813", "CVE-2021-43815", "CVE-2022-29170", "CVE-2022-31097", "CVE-2022-31107", "CVE-2022-35957", "CVE-2022-36062"], "modified": "2023-02-08T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2022-4437-1.NASL", "href": "https://www.tenable.com/plugins/nessus/170209", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:4437-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(170209);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/08\");\n\n script_cve_id(\n \"CVE-2021-3711\",\n \"CVE-2021-36222\",\n \"CVE-2021-41174\",\n \"CVE-2021-41244\",\n \"CVE-2021-43798\",\n \"CVE-2021-43813\",\n \"CVE-2021-43815\",\n \"CVE-2022-29170\",\n \"CVE-2022-31097\",\n \"CVE-2022-31107\",\n \"CVE-2022-35957\",\n \"CVE-2022-36062\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:4437-1\");\n\n script_name(english:\"openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2022:4437-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nSUSE-SU-2022:4437-1 advisory.\n\n - ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before\n 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon\n crash. This occurs because a return value is not properly managed in a certain situation. (CVE-2021-36222)\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker\n is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content\n may be executed within the context of the victim's browser. The user visiting the malicious link must be\n unauthenticated and the link must be for a page that contains the login button in the menu bar. The url\n has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS\n expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex:\n {{constructor.constructor(alert(1)')()}}. When the user follows the link and the page renders, the login\n button will contain the original link with a query parameter to force a redirect to the login page. The\n URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained\n in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you\n can use a reverse proxy or similar to block access to block the literal string {{ in the path.\n (CVE-2021-41174)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-\n grained access control beta feature is enabled and there is more than one organization in the Grafana\n instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism\n which allowed users with the Organization Admin role to list, add, remove, and update users' roles in\n other organizations in which they are not an admin. With fine-grained access control enabled, organization\n admins can list, add, remove and update users' roles in another organization, where they do not have\n organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control\n beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade,\n you should turn off the fine-grained access control using a feature flag. (CVE-2021-41244)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through\n 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files.\n The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any\n installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched\n versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about\n vulnerable URL paths, mitigation, and the disclosure timeline. (CVE-2021-43798)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and\n 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The\n vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated\n users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to\n patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of\n Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to\n also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files,\n users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help\n text. (CVE-2021-43813)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and\n 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the\n developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited\n in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana\n Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for\n this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front\n of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to\n also be able to handle url encoded paths. (CVE-2021-43815)\n\n - Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request\n security feature allows list allows to configure Grafana in a way so that the instance doesn't call or\n only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to\n versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource\n (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts\n Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom\n datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the\n redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this\n vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known\n workarounds. (CVE-2022-29170)\n\n - Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch\n prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified\n Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor\n to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10\n contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.\n (CVE-2022-31097)\n\n - Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9,\n 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana\n instance via a configured OAuth IdP which provides a login name to take over the account of another user\n in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via\n OAuth, the malicious user's external user id is not already associated with an account in Grafana, the\n malicious user's email address is not already associated with an account in Grafana, and the malicious\n user knows the Grafana username of the target user. If these conditions are met, the malicious user can\n set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log\n in to Grafana. Due to the way that external and internal user accounts are linked together during login,\n if the conditions above are all met then the malicious user will be able to log in to the target user's\n Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a\n workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users\n authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.\n (CVE-2022-31107)\n\n - Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13\n are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to\n take over the server admin account and gain full control of the grafana instance. All installations should\n be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at:\n https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-\n proxy/ (CVE-2022-35957)\n\n - Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9,\n and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on\n some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where\n RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder\n permissions to RBAC permissions do not account for the scenario where the only user permission in the\n folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and\n view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround\n when the impacted folder/dashboard is known is to remove the additional permissions manually.\n (CVE-2022-36062)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188571\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189520\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1192383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1192763\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193492\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1199810\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201535\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201539\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202945\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203283\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203596\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203597\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203599\");\n # https://lists.suse.com/pipermail/sle-security-updates/2022-December/013220.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5e28b3be\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-36222\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-41174\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-41244\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-43798\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-43813\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-43815\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-29170\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-31097\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-31107\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-35957\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-36062\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/01/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^SUSE\") audit(AUDIT_OS_NOT, \"openSUSE\");\nvar os_ver = pregmatch(pattern: \"^(SUSE[\\d.]+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SUSE15\\.3|SUSE15\\.4)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'openSUSE 15', 'openSUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE (' + os_ver + ')', cpu);\n\nvar pkgs = [\n {'reference':'dracut-saltboot-0.1.1665997480.587fa10-150000.1.41.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.3']},\n {'reference':'golang-github-boynux-squid_exporter-1.6-150000.1.9.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.3']},\n {'reference':'golang-github-prometheus-promu-0.13.0-150000.3.9.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.3']},\n {'reference':'spacecmd-4.3.16-150000.3.89.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.3']},\n {'reference':'dracut-saltboot-0.1.1665997480.587fa10-150000.1.41.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'golang-github-boynux-squid_exporter-1.6-150000.1.9.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'golang-github-prometheus-promu-0.13.0-150000.3.9.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'prometheus-blackbox_exporter-0.19.0-150000.1.14.3', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'spacecmd-4.3.16-150000.3.89.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'wire-0.5.0-150000.1.9.3', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dracut-saltboot / golang-github-boynux-squid_exporter / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:42:26", "description": "The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:1396-1 advisory.\n\n - ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation. (CVE-2021-36222)\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot public_mode configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot public_mode setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths:\n /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key.\n They have no normal function and can be disabled without side effects. (CVE-2021-39226)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex:\n {{constructor.constructor(alert(1)')()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.\n (CVE-2021-41174)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions when the fine- grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users' roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag. (CVE-2021-41244)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files.\n The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline. (CVE-2021-43798)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text. (CVE-2021-43813)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. (CVE-2021-43815)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user.\n This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4. (CVE-2022-21673)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability. (CVE-2022-21702)\n\n - Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins).\n An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue. (CVE-2022-21703)\n\n - Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.\n Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.\n (CVE-2022-21713)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-01-20T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2022:1396-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-36222", "CVE-2021-3711", "CVE-2021-39226", "CVE-2021-41174", "CVE-2021-41244", "CVE-2021-43798", "CVE-2021-43813", "CVE-2021-43815", "CVE-2022-21673", "CVE-2022-21702", "CVE-2022-21703", "CVE-2022-21713"], "modified": "2023-02-08T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2022-1396-1.NASL", "href": "https://www.tenable.com/plugins/nessus/170214", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:1396-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(170214);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/08\");\n\n script_cve_id(\n \"CVE-2021-3711\",\n \"CVE-2021-36222\",\n \"CVE-2021-39226\",\n \"CVE-2021-41174\",\n \"CVE-2021-41244\",\n \"CVE-2021-43798\",\n \"CVE-2021-43813\",\n \"CVE-2021-43815\",\n \"CVE-2022-21673\",\n \"CVE-2022-21702\",\n \"CVE-2022-21703\",\n \"CVE-2022-21713\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:1396-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2022:1396-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nSUSE-SU-2022:1396-1 advisory.\n\n - ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before\n 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon\n crash. This occurs because a return value is not properly managed in a certain situation. (CVE-2021-36222)\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - Grafana is an open source data visualization platform. In affected versions unauthenticated and\n authenticated users are able to view the snapshot with the lowest database key by accessing the literal\n paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot public_mode configuration\n setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with\n the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the\n snapshot public_mode setting, authenticated users are able to delete the snapshot with the lowest\n database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The\n combination of deletion and viewing enables a complete walk through all snapshot data while resulting in\n complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason\n you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths:\n /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key.\n They have no normal function and can be disabled without side effects. (CVE-2021-39226)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker\n is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content\n may be executed within the context of the victim's browser. The user visiting the malicious link must be\n unauthenticated and the link must be for a page that contains the login button in the menu bar. The url\n has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS\n expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex:\n {{constructor.constructor(alert(1)')()}}. When the user follows the link and the page renders, the login\n button will contain the original link with a query parameter to force a redirect to the login page. The\n URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained\n in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you\n can use a reverse proxy or similar to block access to block the literal string {{ in the path.\n (CVE-2021-41174)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-\n grained access control beta feature is enabled and there is more than one organization in the Grafana\n instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism\n which allowed users with the Organization Admin role to list, add, remove, and update users' roles in\n other organizations in which they are not an admin. With fine-grained access control enabled, organization\n admins can list, add, remove and update users' roles in another organization, where they do not have\n organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control\n beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade,\n you should turn off the fine-grained access control using a feature flag. (CVE-2021-41244)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through\n 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files.\n The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any\n installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched\n versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about\n vulnerable URL paths, mitigation, and the disclosure timeline. (CVE-2021-43798)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and\n 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The\n vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated\n users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to\n patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of\n Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to\n also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files,\n users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help\n text. (CVE-2021-43813)\n\n - Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and\n 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the\n developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited\n in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana\n Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for\n this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front\n of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to\n also be able to handle url encoded paths. (CVE-2021-43815)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions when a data\n source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API\n token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user.\n This can allow API token holders to retrieve data for which they may not have intended access. This attack\n relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the\n Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana\n instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been\n patched in versions 7.5.13 and 8.3.4. (CVE-2022-21673)\n\n - Grafana is an open-source platform for monitoring and observability. In affected versions an attacker\n could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML\n page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could\n either compromise an existing datasource for a specific Grafana instance or either set up its own public\n service and instruct anyone to set it up in their Grafana instance.
Microsoft’s Patch Tuesday Security Updates for November
