According to the versions of the openssl098e package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.(CVE-2016-2179)
OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.(CVE-2011-4577)
Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.(CVE-2015-0206)
The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol.(CVE-2011-3210)
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.(CVE-2016-2176)
The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.(CVE-2015-0205)
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.(CVE-2014-3572)
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.(CVE-2014-3507)
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a ‘protocol downgrade’ issue.(CVE-2014-3511)
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.(CVE-2014-3470)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(137479);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/06");
script_cve_id(
"CVE-2011-3210",
"CVE-2011-4577",
"CVE-2014-3470",
"CVE-2014-3507",
"CVE-2014-3511",
"CVE-2014-3572",
"CVE-2015-0205",
"CVE-2015-0206",
"CVE-2016-2176",
"CVE-2016-2179"
);
script_bugtraq_id(
49471,
51281,
67898,
69078,
69079,
71940,
71941,
71942
);
script_name(english:"EulerOS 2.0 SP2 : openssl098e (EulerOS-SA-2020-1637)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the openssl098e package installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- The DTLS implementation in OpenSSL before 1.1.0 does
not properly restrict the lifetime of queue entries
associated with unused out-of-order messages, which
allows remote attackers to cause a denial of service
(memory consumption) by maintaining many crafted DTLS
sessions simultaneously, related to d1_lib.c,
statem_dtls.c, statem_lib.c, and
statem_srvr.c.(CVE-2016-2179)
- OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC
3779 support is enabled, allows remote attackers to
cause a denial of service (assertion failure) via an
X.509 certificate containing certificate-extension data
associated with (1) IP address blocks or (2) Autonomous
System (AS) identifiers.(CVE-2011-4577)
- Memory leak in the dtls1_buffer_record function in
d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1
before 1.0.1k allows remote attackers to cause a denial
of service (memory consumption) by sending many
duplicate records for the next epoch, leading to
failure of replay detection.(CVE-2015-0206)
- The ephemeral ECDH ciphersuite functionality in OpenSSL
0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not
ensure thread safety during processing of handshake
messages from clients, which allows remote attackers to
cause a denial of service (daemon crash) via
out-of-order messages that violate the TLS
protocol.(CVE-2011-3210)
- The X509_NAME_oneline function in
crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and
1.0.2 before 1.0.2h allows remote attackers to obtain
sensitive information from process stack memory or
cause a denial of service (buffer over-read) via
crafted EBCDIC ASN.1 data.(CVE-2016-2176)
- The ssl3_get_cert_verify function in s3_srvr.c in
OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k
accepts client authentication with a Diffie-Hellman
(DH) certificate without requiring a CertificateVerify
message, which allows remote attackers to obtain access
without knowledge of a private key via crafted TLS
Handshake Protocol traffic to a server that recognizes
a Certification Authority with DH
support.(CVE-2015-0205)
- The ssl3_get_key_exchange function in s3_clnt.c in
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1
before 1.0.1k allows remote SSL servers to conduct
ECDHE-to-ECDH downgrade attacks and trigger a loss of
forward secrecy by omitting the ServerKeyExchange
message.(CVE-2014-3572)
- Memory leak in d1_both.c in the DTLS implementation in
OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and
1.0.1 before 1.0.1i allows remote attackers to cause a
denial of service (memory consumption) via zero-length
DTLS fragments that trigger improper handling of the
return value of a certain insert
function.(CVE-2014-3507)
- The ssl23_get_client_hello function in s23_srvr.c in
OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle
attackers to force the use of TLS 1.0 by triggering
ClientHello message fragmentation in communication
between a client and server that both support later TLS
versions, related to a 'protocol downgrade'
issue.(CVE-2014-3511)
- The ssl3_send_client_key_exchange function in s3_clnt.c
in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and
1.0.1 before 1.0.1h, when an anonymous ECDH cipher
suite is used, allows remote attackers to cause a
denial of service (NULL pointer dereference and client
crash) by triggering a NULL certificate
value.(CVE-2014-3470)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1637
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?27f046c9");
script_set_attribute(attribute:"solution", value:
"Update the affected openssl098e packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2176");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"patch_publication_date", value:"2020/06/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/17");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl098e");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["openssl098e-0.9.8e-29.3.h21"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssl098e");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3210
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179
www.nessus.org/u?27f046c9