7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.1 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
52.0%
The version of AHV installed on the remote host is prior to 20220304.480. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-20220304.480 advisory.
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as not connected and won’t initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.) (CVE-2023-40217)
A use after free vulnerability exists in curl <7.87.0. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)
The code that processes control channel messages sent to named
calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing named
to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key;
only network access to the control channel’s configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. (CVE-2023-3341)
An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out of bounds memory. (CVE-2020-22218)
A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. (CVE-2023-20569)
An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. (CVE-2023-20593)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(190819);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/20");
script_cve_id(
"CVE-2020-22218",
"CVE-2022-43552",
"CVE-2023-3341",
"CVE-2023-20569",
"CVE-2023-20593",
"CVE-2023-40217"
);
script_name(english:"Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20220304.480)");
script_set_attribute(attribute:"synopsis", value:
"The Nutanix AHV host is affected by multiple vulnerabilities .");
script_set_attribute(attribute:"description", value:
"The version of AHV installed on the remote host is prior to 20220304.480. It is, therefore, affected by multiple
vulnerabilities as referenced in the NXSA-AHV-20220304.480 advisory.
- An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x
before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If
a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly,
there is a brief window where the SSLSocket instance will detect the socket as not connected and won't
initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not
be authenticated if the server-side TLS peer is expecting client certificate authentication, and is
indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the
buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path
requires that the connection be closed on initialization of the SSLSocket.) (CVE-2023-40217)
- A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all
protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct
after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)
- The code that processes control channel messages sent to `named` calls certain functions recursively
during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on
the environment, this may cause the packet-parsing code to run out of available stack memory, causing
`named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its
contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key;
only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9
versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through
9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. (CVE-2023-3341)
- An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out
of bounds memory. (CVE-2020-22218)
- A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address
prediction. This may result in speculative execution at an attacker-controlled address, potentially
leading to information disclosure. (CVE-2023-20569)
- An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to
potentially access sensitive information. (CVE-2023-20593)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AHV-20220304.480
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9b428391");
script_set_attribute(attribute:"solution", value:
"Update the Nutanix AHV software to recommended version.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-40217");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-20593");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/21");
script_set_attribute(attribute:"patch_publication_date", value:"2024/02/20");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/20");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:nutanix:ahv");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("nutanix_collect.nasl");
script_require_keys("Host/Nutanix/Data/Node/Version", "Host/Nutanix/Data/Node/Type");
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
var app_info = vcf::nutanix::get_app_info(node:TRUE);
var constraints = [
{ 'fixed_version' : '20220304.480', 'product' : 'AHV', 'fixed_display' : 'Upgrade the AHV install to 20220304.480 or higher.' }
];
vcf::nutanix::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_WARNING
);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22218
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43552
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3341
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40217
www.nessus.org/u?9b428391
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.1 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
52.0%