#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(319488);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/06");
script_cve_id(
"CVE-2025-68160",
"CVE-2025-69418",
"CVE-2025-69419",
"CVE-2025-69420",
"CVE-2025-69421",
"CVE-2026-22795",
"CVE-2026-22796"
);
script_xref(name:"IAVA", value:"2026-A-0087-S");
script_name(english:"EulerOS Virtualization 2.13.0 : openssl (EulerOS-SA-2026-2181)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host
is affected by the following vulnerabilities :
Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the
next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-
bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service
for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL
data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS
systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write
and that write large, newline-free data influenced by an attacker would be affected. However, the
circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is
unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed
as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO
implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and
1.0.2 are vulnerable to this issue.(CVE-2025-68160)
Issue summary: When using the low-level OCB API directly with AES-NI orbrother hardware-accelerated
code paths, inputs whose length is not a multiplebrof 16 bytes can leave the final partial block
unencrypted and unauthenticated.brbrImpact summary: The trailing 1-15 bytes of a message may
be exposed inbrcleartext on encryption and are not covered by the authentication
tag,brallowing an attacker to read or tamper with those bytes without detection.brbrThe
low-level OCB encrypt and decrypt routines in the hardware-acceleratedbrstream path process full
16-byte blocks but do not advance the input/outputbrpointers. The subsequent tail-handling code then
operates on the originalbrbase pointers, effectively reprocessing the beginning of the buffer
whilebrleaving the actual trailing bytes unprocessed. The authentication checksumbralso
excludes the true tail bytes.brbrHowever, typical OpenSSL consumers using EVP are not affected
because thebrhigher-level EVP and provider OCB implementations split inputs so that
fullbrblocks and trailing partial blocks are processed in separate calls, avoidingbrthe
problematic code path. Additionally, TLS does not use OCB ciphersuites.brThe vulnerability only
affects applications that call the low-levelbrCRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt()
functions directly withbrnon-block-aligned lengths in a single call on hardware-accelerated
builds.brFor these reasons the issue was assessed as Low severity.brbrThe FIPS modules
in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affectedbrby this issue, as OCB mode is not a FIPS-
approved algorithm.brbrOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this
issue.brbrOpenSSL 1.0.2 is not affected by this issue.(CVE-2025-69418)
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a
BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before
the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have
various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass
conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the
helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the
destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes,
but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is
added to the output length without validation, causing the length to become negative. The subsequent
trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.
The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-
controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue,
PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to
provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one
zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity
according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4,
3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this
issue.(CVE-2025-69419)
Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an
ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer
dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling
TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or
NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and
ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When
the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union,
causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp
Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not
widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was
assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the
TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3,
3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.(CVE-2025-69420)
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the
PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash
which leads to Denial of Service for an application processing PKCS#12 files. The
PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before
dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter
can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to
achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a
malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low
severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected
by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6,
3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.(CVE-2025-69421)
Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed
PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to
dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion
vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first
validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address
space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This
range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably
result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or
application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12
files in applications as they are usually used to store private keys which are trusted by definition. For
these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not
affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL
3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this
issue.(CVE-2026-22795)
Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data
where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL
pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing
signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can
be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The
function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its
type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the
ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a
malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of
Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons
the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5,
3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
(CVE-2026-22796)
Tenable has extracted the preceding description block directly from the EulerOS Virtualization openssl security
advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2026-2181
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ad634ff2");
script_set_attribute(attribute:"solution", value:
"Update the affected openssl packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-69421");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/09");
script_set_attribute(attribute:"patch_publication_date", value:"2026/06/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/06");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl-perl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.13.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.13.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.13.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "x86" >!< cpu) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
var flag = 0;
var pkgs = [
"openssl-1.1.1wa-2.h38.eulerosv2r13",
"openssl-libs-1.1.1wa-2.h38.eulerosv2r13",
"openssl-perl-1.1.1wa-2.h38.eulerosv2r13"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssl");
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation