The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 22df5074-71cd-11ee-85eb-84a93843eb75 advisory.
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has a similar bug.
(CVE-2022-42898)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.42 and prior and 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22015, CVE-2023-22026)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.43 and prior and 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22028)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22032, CVE-2023-22070, CVE-2023-22078, CVE-2023-22103)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22059)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22064, CVE-2023-22092, CVE-2023-22112)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22065, CVE-2023-22110)
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22066, CVE-2023-22068, CVE-2023-22097, CVE-2023-22114)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22079)
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22084)
Vulnerability in the MySQL Installer product of Oracle MySQL (component: Installer: General). Supported versions that are affected are Prior to 1.6.8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Installer executes to compromise MySQL Installer.
Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Installer, attacks may significantly impact additional products (scope change).
Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Installer accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Installer. Note: This patch is used in MySQL Server bundled version 8.0.35 and 5.7.44. (CVE-2023-22094)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). The supported version that is affected is 8.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22095)
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. (CVE-2023-22102)
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22104)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22111)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).
Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. (CVE-2023-22113)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22115)
Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit.
OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with ‘n’ being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer’s certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low. (CVE-2023-2650)
Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary:
Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the -check option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. (CVE-2023-3817)
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means let the host resolve the name could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with. (CVE-2023-38545)
CVE-2023-38545 is a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake in libcurl and curl. When curl is given a hostname to pass along to a SOCKS5 proxy that is greater than 255 bytes in length, it will switch to local name resolution in order to resolve the address before passing it on to the SOCKS5 proxy. However, due to a bug introduced in 2020, this local name resolution could fail due to a slow SOCKS5 handshake, causing curl to pass on the hostname greater than 255 bytes in length into the target buffer, leading to a heap overflow. The advisory for CVE-2023-38545 gives an example exploitation scenario of a malicious HTTPS server redirecting to a specially crafted URL. While it might seem that an attacker would need to influence the slowness of the SOCKS5 handshake, the advisory states that server latency is likely slow enough to trigger this bug. (CVE-2023-38545)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# @NOAGENT@
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2021 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include('compat.inc');
if (description)
{
script_id(183755);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/26");
script_cve_id(
"CVE-2022-42898",
"CVE-2023-2650",
"CVE-2023-3817",
"CVE-2023-22015",
"CVE-2023-22026",
"CVE-2023-22028",
"CVE-2023-22032",
"CVE-2023-22059",
"CVE-2023-22064",
"CVE-2023-22065",
"CVE-2023-22066",
"CVE-2023-22068",
"CVE-2023-22070",
"CVE-2023-22078",
"CVE-2023-22079",
"CVE-2023-22084",
"CVE-2023-22092",
"CVE-2023-22094",
"CVE-2023-22095",
"CVE-2023-22097",
"CVE-2023-22102",
"CVE-2023-22103",
"CVE-2023-22104",
"CVE-2023-22110",
"CVE-2023-22111",
"CVE-2023-22112",
"CVE-2023-22113",
"CVE-2023-22114",
"CVE-2023-22115",
"CVE-2023-38545"
);
script_xref(name:"CEA-ID", value:"CEA-2023-0052");
script_name(english:"FreeBSD : MySQL -- Multiple vulnerabilities (22df5074-71cd-11ee-85eb-84a93843eb75)");
script_set_attribute(attribute:"synopsis", value:
"The remote FreeBSD host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple
vulnerabilities as referenced in the 22df5074-71cd-11ee-85eb-84a93843eb75 advisory.
- PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that
may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit
platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other
platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has a similar bug.
(CVE-2022-42898)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported
versions that are affected are 5.7.42 and prior and 8.0.31 and prior. Easily exploitable vulnerability
allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22015, CVE-2023-22026)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported
versions that are affected are 5.7.43 and prior and 8.0.31 and prior. Easily exploitable vulnerability
allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22028)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported
versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server. (CVE-2023-22032, CVE-2023-22070, CVE-2023-22078, CVE-2023-22103)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported
versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows low
privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server. (CVE-2023-22059)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported
versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. (CVE-2023-22064, CVE-2023-22092, CVE-2023-22112)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported
versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. (CVE-2023-22065, CVE-2023-22110)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are
affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. (CVE-2023-22066, CVE-2023-22068, CVE-2023-22097, CVE-2023-22114)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported
versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows low privileged
attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. (CVE-2023-22079)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are
affected are 5.7.43 and prior, 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server. (CVE-2023-22084)
- Vulnerability in the MySQL Installer product of Oracle MySQL (component: Installer: General). Supported
versions that are affected are Prior to 1.6.8. Easily exploitable vulnerability allows low privileged
attacker with logon to the infrastructure where MySQL Installer executes to compromise MySQL Installer.
Successful attacks require human interaction from a person other than the attacker and while the
vulnerability is in MySQL Installer, attacks may significantly impact additional products (scope change).
Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification
access to critical data or all MySQL Installer accessible data and unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Installer. Note: This patch is used in MySQL Server
bundled version 8.0.35 and 5.7.44. (CVE-2023-22094)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). The supported
version that is affected is 8.1.0. Easily exploitable vulnerability allows low privileged attacker with
network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL
Server. (CVE-2023-22095)
- Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions
that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker
with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require
human interaction from a person other than the attacker and while the vulnerability is in MySQL
Connectors, attacks may significantly impact additional products (scope change). Successful attacks of
this vulnerability can result in takeover of MySQL Connectors. (CVE-2023-22102)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are
affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL
Server. (CVE-2023-22104)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF). Supported versions
that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. (CVE-2023-22111)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).
Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server
accessible data. (CVE-2023-22113)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions
that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. (CVE-2023-22115)
- Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be
very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL
subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to
very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT
IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit.
OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the
OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT
IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER
is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the
translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n'
being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic
algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs
in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be
received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to
specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest
passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any
version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In
OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts
anything that processes X.509 certificates, including simple things like verifying its signature. The
impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's
certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client
authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509
certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so
these versions are considered not affected by this issue in such a way that it would be cause for concern,
and the severity is therefore considered low. (CVE-2023-2650)
- Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary:
Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key
or DH parameters may experience long delays. Where the key or parameters that are being checked have been
obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs
various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter
value can also trigger an overly long computation during some of these checks. A correct q value, if
present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if
q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an
untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself
called by a number of other OpenSSL functions. An application calling any of those other functions may
similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the -check
option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS
providers are not affected by this issue. (CVE-2023-3817)
- This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to
pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting
done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected
to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due
to this bug, the local variable that means let the host resolve the name could get the wrong value
during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target
buffer instead of copying just the resolved address there. The target buffer being a heap based buffer,
and the host name coming from the URL that curl has been told to operate with. (CVE-2023-38545)
- CVE-2023-38545 is a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake in libcurl and
curl. When curl is given a hostname to pass along to a SOCKS5 proxy that is greater than 255 bytes in
length, it will switch to local name resolution in order to resolve the address before passing it on to
the SOCKS5 proxy. However, due to a bug introduced in 2020, this local name resolution could fail due to a
slow SOCKS5 handshake, causing curl to pass on the hostname greater than 255 bytes in length into the
target buffer, leading to a heap overflow. The advisory for CVE-2023-38545 gives an example exploitation
scenario of a malicious HTTPS server redirecting to a specially crafted URL. While it might seem that an
attacker would need to influence the slowness of the SOCKS5 handshake, the advisory states that server
latency is likely slow enough to trigger this bug. (CVE-2023-38545)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixMSQL");
# https://vuxml.freebsd.org/freebsd/22df5074-71cd-11ee-85eb-84a93843eb75.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?db57654e");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-38545");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/11/15");
script_set_attribute(attribute:"patch_publication_date", value:"2023/10/23");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/23");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mysql-connector-c++");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mysql-connector-j");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mysql-connector-odbc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mysql57-server");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mysql80-server");
script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"FreeBSD Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
exit(0);
}
include("freebsd_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
var flag = 0;
var packages = [
'mysql-connector-c++<8.0.35',
'mysql-connector-j<8.1.1',
'mysql-connector-odbc<8.1.1',
'mysql57-server<5.7.44',
'mysql80-server<8.0.35'
];
foreach var package( packages ) {
if (pkg_test(save_report:TRUE, pkg: package)) flag++;
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : pkg_report_get()
);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Vendor | Product | Version | CPE |
---|---|---|---|
freebsd | freebsd | mysql-connector-c%2b%2b | p-cpe:/a:freebsd:freebsd:mysql-connector-c%2b%2b |
freebsd | freebsd | mysql-connector-j | p-cpe:/a:freebsd:freebsd:mysql-connector-j |
freebsd | freebsd | mysql-connector-odbc | p-cpe:/a:freebsd:freebsd:mysql-connector-odbc |
freebsd | freebsd | mysql57-server | p-cpe:/a:freebsd:freebsd:mysql57-server |
freebsd | freebsd | mysql80-server | p-cpe:/a:freebsd:freebsd:mysql80-server |
freebsd | freebsd | cpe:/o:freebsd:freebsd |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22015
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22026
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22028
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22032
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22059
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22064
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22065
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22066
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22068
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22070
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22078
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22079
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22084
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22092
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22094
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22095
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22097
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22102
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22103
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22104
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22110
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22111
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22112
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22113
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22114
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22115
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2650
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3817
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545
www.nessus.org/u?db57654e
www.oracle.com/security-alerts/cpuoct2023.html#AppendixMSQL