nessus
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
NGINX-CVE-2022-41742.NASL
History: Oct 26, 2022 - 12:00 a.m.

nginx 1.1.x < 1.23.2 / 1.0.x < 1.22.1 Memory Disclosure

2022-10-26 00:00:00
www.tenable.com
nginx
memory disclosure
worker process
vulnerability
ngx_http_mp4_module
configuration file
mp4 directive
nessus
version number
server response header
security advisory

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.2 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 5.1%)

According to its Server response header, the installed version of nginx is 1.0.x prior to 1.22.1 or 1.1.x prior to 1.23.2. It is, therefore, affected by a memory disclosure in the ngx_http_mp4_module that allows an attacker to cause a worker process crash or worker process memory disclosure. The issues only affect nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the mp4 directive is used in the configuration file.
Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
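
Because the plugin reports on the version number alone, a finding can be triaged by checking the other two conditions the description names: whether the binary was built with the mp4 module and whether the `mp4` directive is configured. The following is an added example, not part of the Tenable plugin; it assumes the text of `nginx -V` and `nginx -T` has been collected from the host, and the function names and sample inputs are constructed for illustration.

```python
import re

# Affected ranges copied from the plugin's constraints list: (min_version, fixed_version).
CONSTRAINTS = [((1, 0, 7), (1, 22, 1)), ((1, 23, 0), (1, 23, 2))]

# Constructed sample of `nginx -V` output (nginx writes it to stderr).
SAMPLE_V = """nginx version: nginx/1.22.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module
"""
# Constructed sample of an `nginx -T` configuration dump.
SAMPLE_CONF = """server {
    listen 80;
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
}
"""

def parse_nginx_v(output):
    """Return (version tuple, list of configure arguments) from `nginx -V` text."""
    m = re.search(r"nginx version: \S*?/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no nginx version line found")
    args = re.search(r"^configure arguments:(.*)$", output, re.M)
    return tuple(int(x) for x in m.groups()), (args.group(1).split() if args else [])

def version_in_range(version):
    """True if the version falls in one of the plugin's affected ranges."""
    return any(lo <= version < fixed for lo, fixed in CONSTRAINTS)

def mp4_directive_used(config_text):
    """True if an uncommented `mp4;` directive appears (mp4_buffer_size etc. do not count)."""
    for line in config_text.splitlines():
        code = line.split("#", 1)[0]  # simplification: ignores '#' inside quoted strings
        if re.search(r"(^|[\s{;])mp4\s*;", code):
            return True
    return False

def assess(nginx_v_output, config_text):
    """Combine the three conditions from the advisory text into one verdict."""
    version, args = parse_nginx_v(nginx_v_output)
    result = {"in_range": version_in_range(version),
              "module_built": "--with-http_mp4_module" in args,
              "directive_used": mp4_directive_used(config_text)}
    result["exposed"] = all(result.values())
    return result

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_CONF))
```

A host that is in range but reports `module_built` or `directive_used` as false still needs the upgrade, but it does not meet the conditions the description gives for the issue to apply.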

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(166545);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/02");

  script_cve_id("CVE-2022-41741", "CVE-2022-41742");
  script_xref(name:"IAVA", value:"2022-A-0440-S");

  script_name(english:"nginx 1.1.x < 1.23.2 / 1.0.x < 1.22.1 Memory Disclosure");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a memory disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its Server response header, the installed version of nginx is 1.0.x prior to 1.22.1 or 1.1.x prior to
1.23.2. It is, therefore, affected by a memory disclosure in the ngx_http_mp4_module that allows an attacker to cause a
worker process crash or worker process memory disclosure. The issues only affect nginx if it is built with the
ngx_http_mp4_module (the module is not built by default) and the mp4 directive is used in the configuration file.
Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with
the ngx_http_mp4_module.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://mailman.nginx.org/archives/list/[email protected]/message/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fd7e4ded");
  script_set_attribute(attribute:"see_also", value:"http://nginx.org/download/patch.2022.mp4.txt");
  script_set_attribute(attribute:"solution", value:
"Upgrade to nginx 1.22.1 or 1.23.2 or later.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-41741");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/26");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:nginx:nginx");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nginx_detect.nasl", "nginx_nix_installed.nbin");
  script_require_keys("installed_sw/nginx", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('http.inc');

var appname = 'nginx';
get_install_count(app_name:appname, exit_if_zero:TRUE);

var app_info = vcf::combined_get_app_info(app:appname);

vcf::check_all_backporting(app_info:app_info);

vcf::check_granularity(app_info:app_info, sig_segments:3);

if (empty_or_null(app_info['Detection Method']) && report_paranoia < 2)
  audit(AUDIT_PARANOID);

var constraints = [
  { 'min_version' : '1.0.7', 'fixed_version' : '1.22.1' },
  { 'min_version' : '1.23.0', 'fixed_version' : '1.23.2' }
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

Vendor | Product | Version | CPE
nginx | nginx | | cpe:/a:nginx:nginx
