Lucene search
K

EulerOS 2.0 SP11 : openssl (EulerOS-SA-2026-2258)

🗓️ 09 Jun 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 10 Views

EulerOS 2.0 SP11 OpenSSL NULL pointer dereference in delta CRL and CMS EnvelopedData, Denial of Service.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(319999);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/09");

  script_cve_id(
    "CVE-2026-28387",
    "CVE-2026-28388",
    "CVE-2026-28389",
    "CVE-2026-28390"
  );
  script_xref(name:"IAVA", value:"2026-A-0308");

  script_name(english:"EulerOS 2.0 SP11 : openssl (EulerOS-SA-2026-2258)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by
the following vulnerabilities :

    Issue summary: When a delta CRL that contains a Delta CRL Indicator extension
    is processed a NULL pointer dereference might happen if the required CRL
    Number extension is missing.

    Impact summary: A NULL pointer dereference can trigger a crash which
    leads to a Denial of Service for an application.

    When CRL processing and delta CRL processing is enabled during X.509
    certificate verification, the delta CRL processing does not check
    whether the CRL Number extension is NULL before dereferencing it.
    When a malformed delta CRL file is being processed, this parameter
    can be NULL, causing a NULL pointer dereference.

    Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in
    the verification context, the certificate being verified to contain a
    freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and
    an attacker to provide a malformed CRL to an application that processes it.

    The vulnerability is limited to Denial of Service and cannot be escalated to
    achieve code execution or memory disclosure. For that reason the issue was
    assessed as Low severity according to our Security Policy.

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
    as the affected code is outside the OpenSSL FIPS module boundary.(CVE-2026-28388)

    Issue summary: During processing of a crafted CMS EnvelopedData message
    with KeyAgreeRecipientInfo a NULL pointer dereference can happen.

    Impact summary: Applications that process attacker-controlled CMS data may
    crash before authentication or cryptographic operations occur resulting in
    Denial of Service.

    When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is
    processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier
    is examined without checking for its presence. This results in a NULL
    pointer dereference if the field is missing.

    Applications and services that call CMS_decrypt() on untrusted input
    (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
    issue, as the affected code is outside the OpenSSL FIPS module boundary.(CVE-2026-28389)

    Issue summary: During processing of a crafted CMS EnvelopedData message
    with KeyTransportRecipientInfo a NULL pointer dereference can happen.

    Impact summary: Applications that process attacker-controlled CMS data may
    crash before authentication or cryptographic operations occur resulting in
    Denial of Service.

    When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with
    RSA-OAEP encryption is processed, the optional parameters field of
    RSA-OAEP SourceFunc algorithm identifier is examined without checking
    for its presence. This results in a NULL pointer dereference if the field
    is missing.

    Applications and services that call CMS_decrypt() on untrusted input
    (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
    issue, as the affected code is outside the OpenSSL FIPS module boundary.(CVE-2026-28390)

    Issue summary: An uncommon configuration of clients performing DANE TLSA-based
    server authentication, when paired with uncommon server DANE TLSA records, may
    result in a use-after-free and/or double-free on the client side.

    Impact summary: A use after free can have a range of potential consequences
    such as the corruption of valid data, crashes or execution of arbitrary code.

    However, the issue only affects clients that make use of TLSA records with both
    the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate
    usage.

    By far the most common deployment of DANE is in SMTP MTAs for which RFC7672
    recommends that clients treat as 'unusable' any TLSA records that have the PKIX
    certificate usages.  These SMTP (or other similar) clients are not vulnerable
    to this issue.  Conversely, any clients that support only the PKIX usages, and
    ignore the DANE-TA(2) usage are also not vulnerable.

    The client would also need to be communicating with a server that publishes a
    TLSA RRset with both types of TLSA records.

    No FIPS modules are affected by this issue, the problem code is outside the
    FIPS module boundary.(CVE-2026-28387)

Tenable has extracted the preceding description block directly from the EulerOS openssl security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2026-2258
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9bc958b9");
  script_set_attribute(attribute:"solution", value:
"Update the affected openssl packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-28387");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl-help");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl-perl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP11");

var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(11)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP11");

if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP11", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

var flag = 0;

var pkgs = [
  "openssl-1.1.1m-2.h61.eulerosv2r11",
  "openssl-devel-1.1.1m-2.h61.eulerosv2r11",
  "openssl-help-1.1.1m-2.h61.eulerosv2r11",
  "openssl-libs-1.1.1m-2.h61.eulerosv2r11",
  "openssl-perl-1.1.1m-2.h61.eulerosv2r11"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"11", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssl");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

09 Jun 2026 00:00Current
8.3High risk
Vulners AI Score8.3
CVSS 3.18.1
EPSS0.00885
SSVC
10