Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.AL2_ALAS-2024-2483.NASL
HistoryMar 05, 2024 - 12:00 a.m.

Amazon Linux 2 : edk2 (ALAS-2024-2483)

2024-03-0500:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15
dhcpv6 advertise
buffer overflow
neighbor discovery redirect
infinite loop
dns servers
server id
pkcs12
denial of service
openssl

8.8 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

78.4%

JSON

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2483 advisory.

  • EDK2’s Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. (CVE-2023-45229)

  • EDK2’s Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability. (CVE-2023-45230)

  • EDK2’s Network Package is susceptible to an out-of-bounds read vulnerability when processing Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. (CVE-2023-45231)

  • EDK2’s Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability. (CVE-2023-45232)

  • EDK2’s Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability. (CVE-2023-45233)

  • EDK2’s Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
    (CVE-2023-45234)

  • EDK2’s Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
    (CVE-2023-45235)

  • Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are:
    PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. (CVE-2024-0727)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2024-2483.
##

include('compat.inc');

if (description)
{
  script_id(191527);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/05");

  script_cve_id(
    "CVE-2023-45229",
    "CVE-2023-45230",
    "CVE-2023-45231",
    "CVE-2023-45232",
    "CVE-2023-45233",
    "CVE-2023-45234",
    "CVE-2023-45235",
    "CVE-2024-0727"
  );

  script_name(english:"Amazon Linux 2 : edk2 (ALAS-2024-2483)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2483 advisory.

  - EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or
    IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain
    unauthorized access and potentially lead to a loss of Confidentiality. (CVE-2023-45229)

  - EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in
    DHCPv6 client. This vulnerability can be exploited by an attacker to gain unauthorized access and
    potentially lead to a loss of Confidentiality, Integrity and/or Availability. (CVE-2023-45230)

  - EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing Neighbor
    Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access
    and potentially lead to a loss of Confidentiality. (CVE-2023-45231)

  - EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in
    the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain
    unauthorized access and potentially lead to a loss of Availability. (CVE-2023-45232)

  - EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the
    Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain
    unauthorized access and potentially lead to a loss of Availability. (CVE-2023-45233)

  - EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers
    option from a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain
    unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
    (CVE-2023-45234)

  - EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option
    from a DHCPv6 proxy Advertise message. This vulnerability can be exploited by an attacker to gain
    unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
    (CVE-2023-45235)

  - Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a
    potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from
    untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and
    may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL
    does not correctly check for this case. This can lead to a NULL pointer dereference that results in
    OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs
    then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are:
    PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and
    PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function
    is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and
    3.0 are not affected by this issue. (CVE-2024-0727)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2024-2483.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-45229.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-45230.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-45231.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-45232.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-45233.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-45234.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-45235.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2024-0727.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update edk2' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-45235");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/11/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/02/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:edk2-aarch64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:edk2-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:edk2-ovmf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:edk2-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:edk2-tools-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:edk2-tools-python");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'edk2-aarch64-20200801stable-1.amzn2.0.4', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'edk2-debuginfo-20200801stable-1.amzn2.0.4', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'edk2-debuginfo-20200801stable-1.amzn2.0.4', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'edk2-ovmf-20200801stable-1.amzn2.0.4', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'edk2-tools-20200801stable-1.amzn2.0.4', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'edk2-tools-20200801stable-1.amzn2.0.4', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'edk2-tools-doc-20200801stable-1.amzn2.0.4', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'edk2-tools-python-20200801stable-1.amzn2.0.4', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "edk2-aarch64 / edk2-debuginfo / edk2-ovmf / etc");
}
VendorProductVersionCPE
amazonlinuxedk2-aarch64p-cpe:/a:amazon:linux:edk2-aarch64
amazonlinuxedk2-debuginfop-cpe:/a:amazon:linux:edk2-debuginfo
amazonlinuxedk2-ovmfp-cpe:/a:amazon:linux:edk2-ovmf
amazonlinuxedk2-toolsp-cpe:/a:amazon:linux:edk2-tools
amazonlinuxedk2-tools-docp-cpe:/a:amazon:linux:edk2-tools-doc
amazonlinuxedk2-tools-pythonp-cpe:/a:amazon:linux:edk2-tools-python
amazonlinux2cpe:/o:amazon:linux:2

References

Related

amazon 2
osv 18
thn 1
oraclelinux 9
nessus 48
openvas 19
cert 1
debian 1
ubuntu 1
almalinux 4
redhat 12
redos 1
fedora 1
rocky 2
ubuntucve 7
cbl_mariner 16
alpinelinux 7
prion 8
cve 7
debiancve 8
nvd 7
cvelist 7
redhatcve 7
github 1
f5 1
ibm 2
cgr 1
amazon
amazon
Important: edk2
2024-02-29 10:03:00
Low: openssl11
2024-02-29 10:03:00
osv
osv
CVE-2023-45229
2024-01-16 16:15:11
CVE-2023-45235
2024-01-16 16:15:12
CVE-2023-45233
2024-01-16 16:15:12
thn
thn
PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft
2024-01-18 09:19:00
oraclelinux
oraclelinux
edk2 security update
2024-06-04 00:00:00
edk2 security update
2024-06-03 00:00:00
edk2 security update
2024-04-24 00:00:00
nessus
nessus
Oracle Linux 8 : edk2 (ELSA-2024-20865)
2024-04-25 00:00:00
Oracle Linux 8 : edk2 (ELSA-2024-12343)
2024-04-25 00:00:00
Oracle Linux 9 : edk2 (ELSA-2024-12409)
2024-06-04 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for edk2 (EulerOS-SA-2024-1722)
2024-05-30 00:00:00
Huawei EulerOS: Security Advisory for edk2 (EulerOS-SA-2024-1733)
2024-05-30 00:00:00
Ubuntu: Security Advisory (USN-6638-1)
2024-02-15 00:00:00
cert
cert
Vulnerabilities in EDK2 NetworkPkg IP stack implementation.
2024-01-16 00:00:00
debian
debian
[SECURITY] [DSA 5624-1] edk2 security update
2024-02-14 20:00:57
ubuntu
ubuntu
EDK II vulnerabilities
2024-02-15 00:00:00
almalinux
almalinux
Important: edk2 security update
2024-05-22 00:00:00
Important: edk2 security update
2024-04-30 00:00:00
Important: edk2 security update
2024-03-04 00:00:00
redhat
redhat
(RHSA-2024:3017) Important: edk2 security update
2024-05-22 06:35:22
(RHSA-2024:2264) Important: edk2 security update
2024-04-30 06:15:12
(RHSA-2024:1063) Important: edk2 security update
2024-03-04 01:48:38
redos
redos
ROS-20240625-06
2024-06-25 00:00:00
fedora
fedora
[SECURITY] Fedora 39 Update: edk2-20240214-2.fc39
2024-03-13 01:25:14
rocky
rocky
edk2 security update
2024-05-10 14:32:38
edk2 security update
2024-03-12 15:41:47
ubuntucve
ubuntucve
CVE-2023-45232
2024-01-16 00:00:00
CVE-2023-45233
2024-01-16 00:00:00
CVE-2023-45235
2024-01-16 00:00:00
cbl_mariner
cbl_mariner
CVE-2023-45233 affecting package hvloader for versions less than 1.0.1-3
2024-06-06 19:53:22
CVE-2023-45235 affecting package edk2 for versions less than 20240223gitedc6681206c1-1
2024-05-31 18:55:08
CVE-2023-45235 affecting package hvloader for versions less than 1.0.1-3
2024-06-06 19:53:22
alpinelinux
alpinelinux
CVE-2023-45234
2024-01-16 16:15:12
CVE-2023-45229
2024-01-16 16:15:11
CVE-2023-45231
2024-01-16 16:15:11
prion
prion
Out-of-bounds
2024-01-16 16:15:00
Out-of-bounds
2024-01-16 16:15:00
Design/Logic Flaw
2024-01-16 16:15:00
cve
cve
CVE-2023-45229
2024-01-16 16:15:11
CVE-2023-45231
2024-01-16 16:15:11
CVE-2023-45233
2024-01-16 16:15:12
debiancve
debiancve
CVE-2023-45234
2024-01-16 16:15:12
CVE-2023-45231
2024-01-16 16:15:11
CVE-2023-45229
2024-01-16 16:15:11
nvd
nvd
CVE-2023-45229
2024-01-16 16:15:11
CVE-2023-45231
2024-01-16 16:15:11
CVE-2023-45233
2024-01-16 16:15:12
cvelist
cvelist
CVE-2023-45231 Out-of-Bounds Read in EDK II Network Package
2024-01-16 16:09:47
CVE-2023-45235 Buffer Overflow in EDK II Network Package
2024-01-16 16:11:41
CVE-2023-45229 Out-of-Bounds Read in EDK II Network Package
2024-01-16 16:07:31
redhatcve
redhatcve
CVE-2023-45231
2024-01-17 03:34:02
CVE-2023-45235
2024-01-17 03:56:05
CVE-2023-45232
2024-01-17 03:33:42
github
github
Null pointer dereference in PKCS12 parsing
2024-01-26 09:30:23
f5
f5
K000138695 : OpenSSL vulnerability CVE-2024-0727
2024-02-23 00:00:00
ibm
ibm
Security Bulletin: IBM DataPower Gateway vulnerable to DOS in OpenSSL (CVE-2024-0727)
2024-05-14 16:59:51
Security Bulletin: z/Transaction Processing Facility is affected by an OpenSSL vulnerability
2024-03-15 13:37:53
cgr
cgr
CVE-2024-0727 vulnerabilities
2024-05-19 03:07:16

8.8 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

78.4%

JSON
Related for AL2_ALAS-2024-2483.NASL
amazon2osv18thn1oraclelinux9nessus48openvas19cert1debian1ubuntu1almalinux4redhat12redos1fedora1rocky2ubuntucve7cbl_mariner16alpinelinux7prion8cve7debiancve8nvd7cvelist7redhatcve7github1f51ibm2cgr1