NewStart CGSL MAIN 7.02 : openssl Multiple Vulnerabilities (NS-SA-2025-0088)

Published: 09 Jun 2025 00:00:00. Reported by Tenable. Type: nessus. Source: www.tenable.com

NewStart CGSL MAIN 7.02 has openssl vulnerabilities causing potential denial of service issues.

Related (IBM Security Bulletins):

- Security Bulletin: Multiple security vulnerabilities in Cloud Pak foundational services are addressed with IBM Cloud Pak for Business Automation 24.0.1-IF001 (28 Feb 2025)
- Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale System are now fixed in Storage Scale System 6.2.3.3 and 7.0.0.0 or higher (15 Dec 2025)
- Security Bulletin: Multiple Vulnerabilities in IBM API Connect (15 Mar 2025)
- Security Bulletin: Multiple vulnerabilities in OpenSSL affects IBM DevOps Code ClearCase (15 Jul 2024)
- Security Bulletin: Security vulnerabilities affect multiple packages shipped with IBM CICS TX Advanced. (28 Apr 2025)
- Security Bulletin: IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities (16 Apr 2025)
- Security Bulletin: IBM DataPower Gateway vulnerable to DOS in OpenSSL (CVE-2024-0727) (14 May 2024)
- Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates (4 Dec 2024)
- Security Bulletin: Vulerability in IBM Spectrum Symphony with OpenSSL (13 Apr 2026)
- Security Bulletin: IBM QRadar Wincollect is using components with known vulnerabilities (9 Jul 2024)
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2025-0088. The text
# itself is copyright (C) ZTE, Inc.
##

include('compat.inc');

if (description)
{
  script_id(237993);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/18");

  script_cve_id(
    "CVE-2023-6237",
    "CVE-2024-0727",
    "CVE-2024-2511",
    "CVE-2024-4603",
    "CVE-2024-6119",
    "CVE-2024-13176"
  );
  script_xref(name:"IAVA", value:"2024-A-0121-S");
  script_xref(name:"IAVA", value:"2024-A-0208-S");
  script_xref(name:"IAVA", value:"2024-A-0541-S");
  script_xref(name:"IAVA", value:"2025-A-0127-S");

  script_name(english:"NewStart CGSL MAIN 7.02 : openssl Multiple Vulnerabilities (NS-SA-2025-0088)");

  script_set_attribute(attribute:"synopsis", value:
"The remote NewStart CGSL host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 7.02, has openssl packages installed that are affected by multiple
vulnerabilities:

  - Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server
    certificates) may attempt to read an invalid memory address resulting in abnormal termination of the
    application process. Impact summary: Abnormal termination of an application can cause a denial of
    service. Applications performing certificate name checks (e.g., TLS clients checking server certificates)
    may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject
    alternative name of an X.509 certificate. This may result in an exception that terminates the application
    program. Note that basic certificate chain validation (signatures, dates, ...) is not affected; the denial
    of service can occur only when the application also specifies an expected DNS name, Email address or IP
    address. TLS servers rarely solicit client certificates, and even when they do, they generally don't
    perform a name check against a reference identifier (expected identity), but rather extract the presented
    identity after checking the certificate chain. So TLS servers are generally not affected and the severity
    of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
    (CVE-2024-6119)

  - Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary:
    Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long
    delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a
    Denial of Service. When function EVP_PKEY_public_check() is called on RSA public keys, a computation is
    done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more
    large primes and this computation completes quickly. However, if n is an overly large prime, then this
    computation would take a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA
    key obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function
    EVP_PKEY_public_check() is not called from other OpenSSL functions; however, it is called from the OpenSSL
    pkey command line application. For that reason that application is also vulnerable if used with the
    '-pubin' and '-check' options on untrusted data. The OpenSSL SSL/TLS implementation is not affected by
    this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue. (CVE-2023-6237)

  - Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a
    potential Denial of Service attack. Impact summary: Applications loading files in the PKCS12 format from
    untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and
    may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL
    does not correctly check for this case. This can lead to a NULL pointer dereference that results in
    OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs
    then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are:
    PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and
    PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However, since this function
    is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and
    3.0 are not affected by this issue. (CVE-2024-0727)

  - Issue summary: A timing side-channel which could potentially allow recovering the private key exists in
    the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations
    could allow recovering the private key by an attacker. However, measuring the timing would require either
    local access to the signing application or a very fast network connection with low latency. There is a
    timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This
    can happen with significant probability only for some of the supported elliptic curves. In particular the
    NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located
    in the same physical computer or must have a very fast network connection with low latency. For that
    reason the severity of this vulnerability is Low. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are
    affected by this issue. (CVE-2024-13176)

  - Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when
    processing TLSv1.3 sessions. Impact summary: An attacker may exploit certain server configurations to
    trigger unbounded memory growth that would lead to a Denial of Service. This problem can occur in TLSv1.3
    if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured
    and the default anti-replay protection is in use). In this case, under certain conditions, the session
    cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache
    will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario
    for this failure to force a Denial of Service. It may also happen by accident in normal operation. This
    issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in
    3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.
    (CVE-2024-2511)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/notice/NS-SA-2025-0088");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2023-6237");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2024-0727");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2024-13176");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2024-2511");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2024-4603");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2024-6119");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL openssl packages. Note that updated packages may not be available yet. Please contact ZTE
for more information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-6119");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/11/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/05/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:openssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:openssl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:openssl-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:openssl-static");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:zte:cgsl_main:7");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var os_release = get_kb_item('Host/ZTE-CGSL/release');
if (isnull(os_release) || os_release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');

if (os_release !~ "CGSL\sMAIN\s7\.02")
  audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 7.02');

if (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);

var flag = 0;

var pkgs = {
  'CGSL MAIN 7.02': [
    'openssl-3.0.12-3.zncgsl7.17',
    'openssl-devel-3.0.12-3.zncgsl7.17',
    'openssl-libs-3.0.12-3.zncgsl7.17',
    'openssl-static-3.0.12-3.zncgsl7.17'
  ]
};
var pkg_list = pkgs[os_release];
var pkg;
foreach (pkg in pkg_list)
  if (rpm_check(reference:pkg, release:'ZTE ' + os_release, rpm_spec_vers_cmp:TRUE)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openssl');
}
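The plugin's detection logic is a package-version comparison: each installed openssl RPM is compared against the fixed NVR listed in the pkgs table, and any older build is reported. The Python below is an added example, not Tenable's plugin code or NASL's rpm_check(), that reimplements that check with a simplified rpmvercmp (segment-wise, numeric segments compared as integers, alphabetic segments lexically, no tilde/caret handling) over a constructed rpm list; the sample package lines, the helper names and the small arch list are assumptions made for the illustration.

```python
import re

# Fixed package versions taken from the plugin's pkgs table (NewStart CGSL MAIN 7.02).
FIXED = {
    'CGSL MAIN 7.02': [
        'openssl-3.0.12-3.zncgsl7.17',
        'openssl-devel-3.0.12-3.zncgsl7.17',
        'openssl-libs-3.0.12-3.zncgsl7.17',
        'openssl-static-3.0.12-3.zncgsl7.17',
    ]
}

# Constructed sample of an installed-package list (the shape a
# `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` run would give);
# two packages are one release behind the fix, one is already fixed.
SAMPLE_RPM_LIST = """\
openssl-libs-3.0.12-3.zncgsl7.16.x86_64
openssl-3.0.12-3.zncgsl7.16.x86_64
openssl-devel-3.0.12-3.zncgsl7.17.x86_64
bash-5.1.8-6.zncgsl7.1.x86_64
"""

_SEGMENT = re.compile(r'(\d+|[a-zA-Z]+)')
_ARCHES = ('.x86_64', '.i686', '.noarch', '.aarch64')  # assumed arch suffixes to strip


def rpmvercmp(a, b):
    """Simplified rpmvercmp(3): -1 if a < b, 0 if equal, 1 if a > b.

    Strings are split into numeric and alphabetic segments; separators are
    ignored, numeric segments compare as integers, a numeric segment beats an
    alphabetic one, and the string with segments left over is newer.
    """
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(seg_a) != len(seg_b):
        return -1 if len(seg_a) < len(seg_b) else 1
    return 0


def split_nvr(pkg):
    """Split 'name-version-release' into its three parts (release may contain dots)."""
    name, version, release = pkg.rsplit('-', 2)
    return name, version, release


def strip_arch(line):
    """Drop a trailing architecture suffix from an installed-package line."""
    for arch in _ARCHES:
        if line.endswith(arch):
            return line[:-len(arch)]
    return line


def vulnerable_packages(rpm_list, os_release):
    """Return (installed, fixed_reference) pairs for packages older than the fix.

    Mirrors the plugin's loop: only packages named in the fixed list for this
    release are considered; version is compared first, then release.
    """
    references = {}
    for ref in FIXED.get(os_release, []):  # unknown release: nothing to check
        name, version, release = split_nvr(ref)
        references[name] = (version, release)

    findings = []
    for line in rpm_list.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release = split_nvr(strip_arch(line))
        if name not in references:
            continue
        fixed_version, fixed_release = references[name]
        order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        if order < 0:
            findings.append((line, f'{name}-{fixed_version}-{fixed_release}'))
    return findings


if __name__ == '__main__':
    for installed, fixed in vulnerable_packages(SAMPLE_RPM_LIST, 'CGSL MAIN 7.02'):
        print(f'{installed} is older than fixed {fixed}')
```

On a real host the rpm list would come from the `rpm -qa` query shown in the comment rather than the constructed sample; as with the plugin, this is a version check only, so a package patched by a backport under an older release string would still be flagged.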

Last updated: 18 Jun 2025 00:00 (current)
Vulners AI Score: 6.3 (Medium risk)
CVSS 3.1: 7.5
EPSS: 0.14584