The version of AHV installed on the remote host is prior to 20201105.2286. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-20201105.2286 advisory.
A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability. (CVE-2020-25709)
A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability. (CVE-2020-25710)
An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion. (CVE-2021-21996)
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
(CVE-2021-45960)
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. (CVE-2021-46143)
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self- signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822)
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823)
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
(CVE-2022-22824)
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825)
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
(CVE-2022-22826)
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827)
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. (CVE-2022-23852)
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. (CVE-2022-24407)
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. (CVE-2022-25236)
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(164565);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/13");
script_cve_id(
"CVE-2020-25709",
"CVE-2020-25710",
"CVE-2021-21996",
"CVE-2021-45960",
"CVE-2021-46143",
"CVE-2022-0778",
"CVE-2022-22822",
"CVE-2022-22823",
"CVE-2022-22824",
"CVE-2022-22825",
"CVE-2022-22826",
"CVE-2022-22827",
"CVE-2022-23852",
"CVE-2022-24407",
"CVE-2022-25235",
"CVE-2022-25236",
"CVE-2022-25315"
);
script_name(english:"Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20201105.2286)");
script_set_attribute(attribute:"synopsis", value:
"The Nutanix AHV host is affected by multiple vulnerabilities .");
script_set_attribute(attribute:"description", value:
"The version of AHV installed on the remote host is prior to 20201105.2286. It is, therefore, affected by multiple
vulnerabilities as referenced in the NXSA-AHV-20201105.2286 advisory.
- A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed
by OpenLDAP's slapd server, to trigger an assertion failure. The highest threat from this vulnerability is
to system availability. (CVE-2020-25709)
- A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious
packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this
vulnerability is to system availability. (CVE-2020-25710)
- An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and
source_hash URLs can gain full file system access as root on a salt minion. (CVE-2021-21996)
- In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in
xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
(CVE-2021-45960)
- In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for
m_groupSize. (CVE-2021-46143)
- The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop
forever for non-prime moduli. Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point
encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has
invalid explicit curve parameters. Since certificate parsing happens prior to verification of the
certificate signature, any process that parses an externally supplied certificate may thus be subject to a
denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they
can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients
consuming server certificates - TLS servers consuming client certificates - Hosting providers taking
certificates or private keys from customers - Certificate authorities parsing certification requests from
subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that
use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS
issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate
which makes it slightly harder to trigger the infinite loop. However any operation which requires the
public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-
signed certificate to trigger the loop during verification of the certificate signature. This issue
affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the
15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected
1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)
- addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822)
- build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823)
- defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
(CVE-2022-22824)
- lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825)
- nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
(CVE-2022-22826)
- storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827)
- Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with
a nonzero XML_CONTEXT_BYTES. (CVE-2022-23852)
- In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL
INSERT or UPDATE statement. (CVE-2022-24407)
- xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks
for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)
- xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters
into namespace URIs. (CVE-2022-25236)
- In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AHV-20201105.2286
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f6d2bd63");
script_set_attribute(attribute:"solution", value:
"Update the Nutanix AHV software to recommended version.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-45960");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-25315");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/01/22");
script_set_attribute(attribute:"patch_publication_date", value:"2022/08/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/09/01");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:nutanix:ahv");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("nutanix_collect.nasl");
script_require_keys("Host/Nutanix/Data/Node/Version", "Host/Nutanix/Data/Node/Type");
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
var app_info = vcf::nutanix::get_app_info(node:TRUE);
var constraints = [
{ 'fixed_version' : '20201105.2286', 'product' : 'AHV', 'fixed_display' : 'Upgrade the AHV install to 20201105.2286 or higher.' }
];
vcf::nutanix::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25709
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25710
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21996
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24407
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25235
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25236
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25315
www.nessus.org/u?f6d2bd63