Lucene search
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.GENTOO_GLSA-202401-24.NASLHistoryJan 16, 2024 - 12:00 a.m.
GLSA-202401-24 : Nettle: Denial of Service
2024-01-1600:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
6
nettle software
denial of service
vulnerability
rsa decryption
ocb feature
application crashes
memory corruption
6.8 Medium
AI Score
Confidence
Low
The remote host is affected by the vulnerability described in GLSA-202401-24 (Nettle: Denial of Service)
-
A flaw was found in the way nettle’s RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service. (CVE-2021-3580)
-
The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory corruption. (CVE-2023-36660)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# @NOAGENT@
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 202401-24.
#
# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#
include('compat.inc');
if (description)
{
script_id(188077);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/16");
script_cve_id("CVE-2021-3580", "CVE-2023-36660");
script_name(english:"GLSA-202401-24 : Nettle: Denial of Service");
script_set_attribute(attribute:"synopsis", value:
"");
script_set_attribute(attribute:"description", value:
"The remote host is affected by the vulnerability described in GLSA-202401-24 (Nettle: Denial of Service)
- A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An
attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial
of service. (CVE-2021-3580)
- The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory corruption. (CVE-2023-36660)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/202401-24");
script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=806839");
script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=907673");
script_set_attribute(attribute:"solution", value:
"All Nettle users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose >=dev-libs/nettle-3.9.1");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3580");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-36660");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/08/05");
script_set_attribute(attribute:"patch_publication_date", value:"2024/01/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:nettle");
script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Gentoo Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
exit(0);
}
include('qpkg.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/Gentoo/release')) audit(AUDIT_OS_NOT, 'Gentoo');
if (!get_kb_item('Host/Gentoo/qpkg-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var flag = 0;
var packages = [
{
'name' : 'dev-libs/nettle',
'unaffected' : make_list("ge 3.9.1"),
'vulnerable' : make_list("lt 3.9.1")
}
];
foreach var package( packages ) {
if (isnull(package['unaffected'])) package['unaffected'] = make_list();
if (isnull(package['vulnerable'])) package['vulnerable'] = make_list();
if (qpkg_check(package: package['name'] , unaffected: package['unaffected'], vulnerable: package['vulnerable'])) flag++;
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : qpkg_report_get()
);
exit(0);
}
else
{
qpkg_tests = list_uniq(qpkg_tests);
var tested = qpkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Nettle');
}
Related
gentoo
gentoo
Nettle: Denial of Service
2024-01-16 00:00:00
cve
cve
CVE-2023-36660
2023-06-25 22:15:21
CVE-2021-3580
2021-08-05 21:15:00
redhatcve
redhatcve
CVE-2023-36660
2023-06-26 09:17:03
CVE-2021-3580
2021-06-08 11:48:53
ubuntucve
ubuntucve
CVE-2023-36660
2023-06-25 00:00:00
CVE-2021-3580
2021-06-10 00:00:00
debiancve
debiancve
CVE-2023-36660
2023-06-25 22:15:21
CVE-2021-3580
2021-08-05 21:15:00
prion
prion
Memory corruption
2023-06-25 22:15:00
Denial of service
2021-08-05 21:15:00
nessus
nessus
SUSE SLED12 / SLES12 Security Update : libnettle (SUSE-SU-2021:2135-1)
2021-06-28 00:00:00
EulerOS 2.0 SP2 : nettle (EulerOS-SA-2021-2411)
2021-09-14 00:00:00
Photon OS 2.0: Nettle PHSA-2021-2.0-0380
2021-08-24 00:00:00
suse
suse
Security update for libnettle (important)
2021-07-11 00:00:00
Security update for libnettle (important)
2021-06-24 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for nettle (EulerOS-SA-2023-1277)
2023-01-31 00:00:00
Huawei EulerOS: Security Advisory for nettle (EulerOS-SA-2021-2886)
2021-12-31 00:00:00
Huawei EulerOS: Security Advisory for nettle (EulerOS-SA-2021-2475)
2021-09-24 00:00:00
alpinelinux
alpinelinux
CVE-2021-3580
2021-08-05 21:15:00
photon
photon
archlinux
archlinux
[ASA-202106-28] nettle: denial of service
2021-06-09 00:00:00
cbl_mariner
cbl_mariner
CVE-2021-3580 affecting package nettle for versions less than 3.7.3-1
2022-04-09 06:51:55
CVE-2021-3580 affecting package nettle 3.7.2-1
2021-09-09 15:02:55
veracode
veracode
Denial Of Service (DoS)
2021-09-18 03:57:04
osv
osv
CVE-2021-3580
2021-08-05 21:15:12
nettle - security update
2021-06-18 00:00:00
nettle - security update
2021-09-18 00:00:00
debian
debian
[SECURITY] [DSA 4933-1] nettle security update
2021-06-18 18:58:09
[SECURITY] [DSA 4933-1] nettle security update
2021-06-18 18:58:09
[SECURITY] [DLA 2760-1] nettle security update
2021-09-18 14:46:40
mageia
mageia
Updated nettle packages fix security vulnerabilities
2021-06-29 20:31:40
ubuntu
ubuntu
Nettle vulnerabilities
2021-06-17 00:00:00
cloudfoundry
cloudfoundry
USN-4990-1: Nettle vulnerabilities | Cloud Foundry
2021-07-08 00:00:00
oraclelinux
oraclelinux
gnutls security update
2022-03-17 00:00:00
gnutls and nettle security, bug fix, and enhancement update
2021-11-16 00:00:00
rocky
rocky
gnutls and nettle security, bug fix, and enhancement update
2021-11-09 09:23:20
almalinux
almalinux
Moderate: gnutls and nettle security, bug fix, and enhancement update
2021-11-09 09:23:20
redhat
redhat
oracle
oracle
Oracle Critical Patch Update Advisory - April 2022
2022-04-19 00:00:00
ics
ics
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
2023-12-14 12:00:00