Lucene search
+L

Amazon Linux 2023 : amazon-ssm-agent (ALAS2023-2025-1359)

🗓️ 08 Jan 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 10 Views

Amazon Linux 2023 amazon-ssm-agent has CVEs: memory exhaustion, web address parsing issues.

Related
Refs
Code
ReporterTitlePublishedViews
Family
OSV
CGA-547W-HC4J-65CM
14 Jun 202515:22
osv
OSV
CGA-549M-X228-FRXQ
3 Nov 202510:52
osv
OSV
CGA-54W8-5CXP-7F43
14 Jun 202519:29
osv
OSV
CGA-54XC-2WGR-H88M
8 Dec 202516:59
osv
OSV
CGA-55FC-PRQF-QQ54
14 Jun 202513:47
osv
OSV
CGA-55H7-M735-X7VX
14 Jun 202522:43
osv
OSV
CGA-55J8-5XH7-M6WV
3 Nov 202513:41
osv
OSV
CGA-5625-8P34-9MW5
8 Dec 202509:21
osv
OSV
CGA-5676-Q97V-3VX9
15 Jun 202504:42
osv
OSV
CGA-56QG-VPJ6-RVQH
14 Jun 202516:29
osv
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2023 Security Advisory ALAS2023-2025-1359.
##

include('compat.inc');

if (description)
{
  script_id(282386);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/24");

  script_cve_id(
    "CVE-2025-4673",
    "CVE-2025-8556",
    "CVE-2025-22874",
    "CVE-2025-47912",
    "CVE-2025-58183",
    "CVE-2025-58185",
    "CVE-2025-58186",
    "CVE-2025-58187",
    "CVE-2025-58188",
    "CVE-2025-58189",
    "CVE-2025-61723",
    "CVE-2025-61724",
    "CVE-2025-61725",
    "CVE-2025-61727",
    "CVE-2025-61729"
  );
  script_xref(name:"IAVB", value:"2025-B-0103-S");
  script_xref(name:"IAVB", value:"2025-B-0177-S");
  script_xref(name:"IAVB", value:"2025-B-0194-S");

  script_name(english:"Amazon Linux 2023 : amazon-ssm-agent (ALAS2023-2025-1359)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2023 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1359 advisory.

    Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy
    validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
    (CVE-2025-22874)

    Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking
    sensitive information. (CVE-2025-4673)

    net/url: insufficient validation of bracketed IPv6 hostnames

    The Parse function permitted values other than IPv6 addresses to be included in square brackets within the
    host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component,
    enclosed within square brackets. For example: http://[::1]/. IPv4 addresses and hostnames must not
    appear within square brackets. Parse did not enforce this requirement. (CVE-2025-47912)

    archive/tar: unbounded allocation when parsing GNU sparse map

    tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse
    files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to
    read an unbounded amount of data from the archive into memory. When reading from a compressed source, a
    small compressed input could result in large allocations. (CVE-2025-58183)

    encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion

    When parsing DER payloads, memories were being allocated prior to fully validating the payloads.This
    permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as
    asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse. (CVE-2025-58185)

    net/http: lack of limit when parsing cookies can cause memory exhaustion

    Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have
    a limit.By sending a lot of very small cookies such as a=;, an attacker can make an HTTP server allocate
    a large amount of structs, causing large memory consumption.

    net/http now limits the number of cookies accepted to 3000, which can be adjusted using the
    httpcookiemaxnum GODEBUG option. (CVE-2025-58186)

    crypto/x509: quadratic complexity when checking name constraints

    Due to the design of the name constraint checking algorithm, the processing timeof some inputs scales non-
    linearly with respect to the size of the certificate.

    This affects programs which validate arbitrary certificate chains. (CVE-2025-58187)

    crypto/x509: panic when validating certificates with DSA public keys

    Validating certificate chains which contain DSA public keys can cause programsto panic, due to a interface
    cast that assumes they implement the Equal method.

    This affects programs which validate arbitrary certificate chains. (CVE-2025-58188)

    crypto/tls: ALPN negotiation errors can contain arbitrary text

    The crypto/tls conn.Handshake method returns an error on the server-side when ALPN negotation fails which
    can contain arbitrary attacker controlled information provided by the client-side of the connection which
    is not escaped.

    This affects programs which log these errors without any additional form of sanitization, and may allow
    injection of attacker controlled information into logs. (CVE-2025-58189)

    encoding/pem: quadratic complexity when parsing some invalid inputs

    Due to the design of the PEM parsing function, the processing time for someinputs scales non-linearly with
    respect to the size of the input.

    This affects programs which parse untrusted PEM inputs. (CVE-2025-61723)

    net/textproto: excessive CPU consumption in Reader.ReadResponse

    The Reader.ReadResponse function constructed a response string throughrepeated string concatenation of
    lines. When the number of lines in a response is large,this could cause excessive CPU consumption.
    (CVE-2025-61724)

    net/mail: excessive CPU consumption in ParseAddress

    The ParseAddress function constructed domain-literal address components through repeated string
    concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption.
    (CVE-2025-61725)

    crypto/x509: excluded subdomain constraint does not restrict wildcard SANs

    An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in
    the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not
    prevent a leaf certificate from claiming the SAN *.example.com. (CVE-2025-61727)

    Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts
    that will be printed out. Furthermore, the error string is constructed by repeated string concatenation,
    leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in
    excessive resource consumption. (CVE-2025-61729)

    A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an
    attacker to compromise session security via low-order point injection and incorrect point validation
    during Diffie-Hellman key exchange. (CVE-2025-8556)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2023/ALAS2023-2025-1359.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-22874.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-4673.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-47912.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-58183.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-58185.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-58186.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-58187.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-58188.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-58189.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-61723.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-61724.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-61725.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-61727.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-61729.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-8556.html");
  script_set_attribute(attribute:"solution", value:
"Run 'dnf update amazon-ssm-agent --releasever 2023.10.20260105' or
  or 'dnf update --advisory ALAS2023-2025-1359 --releasever 2023.10.20260105' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-47912");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-22874");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:amazon-ssm-agent");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2023");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "-2023")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2023", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'amazon-ssm-agent-3.3.3572.0-1.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'amazon-ssm-agent-3.3.3572.0-1.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "amazon-ssm-agent");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation