The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the nodejs-16.20.1-1.el9 build changelog.
The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js (CVE-2023-30581)
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20 (CVE-2023-30589)
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: Generates private and public Diffie-Hellman key values. The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application- level security, implications are consequently broad. (CVE-2023-30590)
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. (CVE-2023-31124)
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular 0::00:00:00/2 was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. (CVE-2023-31130)
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1. (CVE-2023-31147)
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. (CVE-2023-32067)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# the CentOS Stream Build Service.
##
include('compat.inc');
if (description)
{
script_id(191426);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/26");
script_cve_id(
"CVE-2023-30581",
"CVE-2023-30588",
"CVE-2023-30589",
"CVE-2023-30590",
"CVE-2023-31124",
"CVE-2023-31130",
"CVE-2023-31147",
"CVE-2023-32067"
);
script_name(english:"CentOS 9 : nodejs-16.20.1-1.el9");
script_set_attribute(attribute:"synopsis", value:
"The remote CentOS host is missing one or more security updates for nodejs.");
script_set_attribute(attribute:"description", value:
"The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the
nodejs-16.20.1-1.el9 build changelog.
- The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require
modules outside of the policy.json definition. This vulnerability affects all users using the experimental
policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was
issued, the policy is an experimental feature of Node.js (CVE-2023-30581)
- When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a
non-expect termination occurs making it susceptible to DoS attacks when the attacker could force
interruptions of application processing, as the process terminates when accessing public key info of
provided certificates from user code. The current context of the users will be gone, and that will cause a
DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)
- The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit
HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient
to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence
should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
(CVE-2023-30589)
- The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or
outdated) keys, that is, it only generates a private key if none has been set yet, but the function is
also needed to compute the corresponding public key after calling setPrivateKey(). However, the
documentation says this API call: Generates private and public Diffie-Hellman key values. The documented
behavior is very different from the actual behavior, and this difference could easily lead to security
issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-
level security, implications are consequently broad. (CVE-2023-30590)
- c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build
system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will
downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of
entropy by not using a CSPRNG. This issue was patched in version 1.19.1. (CVE-2023-31124)
- c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for
certain ipv6 addresses, in particular 0::00:00:00/2 was found to cause an issue. C-ares only uses this
function internally for configuration purposes which would require an administrator to configure such an
address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes
and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. (CVE-2023-31130)
- c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares
uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not
seeded by srand() so will generate predictable output. Input from the random number generator is fed into
a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt
is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has
been fixed in version 1.19.1. (CVE-2023-31147)
- c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target
resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to
the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the
connection. This issue has been patched in version 1.19.1. (CVE-2023-32067)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://kojihub.stream.centos.org/koji/buildinfo?buildID=34768");
script_set_attribute(attribute:"solution", value:
"Update the CentOS 9 Stream nodejs package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-30590");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/05/24");
script_set_attribute(attribute:"patch_publication_date", value:"2023/07/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/29");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:centos:centos:9");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:nodejs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:nodejs-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:nodejs-docs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:nodejs-full-i18n");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:nodejs-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:npm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:v8-devel");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CentOS Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/CentOS/release');
if (isnull(os_release) || 'CentOS' >!< os_release) audit(AUDIT_OS_NOT, 'CentOS');
var os_ver = pregmatch(pattern: "CentOS(?: Stream)?(?: Linux)? release ([0-9]+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '9')) audit(AUDIT_OS_NOT, 'CentOS 9.x', 'CentOS ' + os_ver);
if (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);
var pkgs = [
{'reference':'nodejs-16.20.1-1.el9', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
{'reference':'nodejs-devel-16.20.1-1.el9', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
{'reference':'nodejs-docs-16.20.1-1.el9', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
{'reference':'nodejs-full-i18n-16.20.1-1.el9', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
{'reference':'nodejs-libs-16.20.1-1.el9', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
{'reference':'npm-8.19.4-1.16.20.1.1.el9', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
{'reference':'v8-devel-9.4.146.26-1.16.20.1.1.el9', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'CentOS-' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (reference && _release) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs / nodejs-devel / nodejs-docs / nodejs-full-i18n / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
centos | centos | 9 | cpe:/a:centos:centos:9 |
centos | centos | nodejs | p-cpe:/a:centos:centos:nodejs |
centos | centos | nodejs-devel | p-cpe:/a:centos:centos:nodejs-devel |
centos | centos | nodejs-docs | p-cpe:/a:centos:centos:nodejs-docs |
centos | centos | nodejs-full-i18n | p-cpe:/a:centos:centos:nodejs-full-i18n |
centos | centos | nodejs-libs | p-cpe:/a:centos:centos:nodejs-libs |
centos | centos | npm | p-cpe:/a:centos:centos:npm |
centos | centos | v8-devel | p-cpe:/a:centos:centos:v8-devel |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31124
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31130
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31147
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32067
kojihub.stream.centos.org/koji/buildinfo?buildID=34768