Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20230302.103084)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(277140);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/27");

  script_cve_id(
    "CVE-2023-49083",
    "CVE-2025-5914",
    "CVE-2025-6020",
    "CVE-2025-8194",
    "CVE-2025-49133",
    "CVE-2025-54389"
  );

  script_name(english:"Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20230302.103084)");

  script_set_attribute(attribute:"synopsis", value:
"The Nutanix AHV host is affected by multiple vulnerabilities .");
  script_set_attribute(attribute:"description", value:
"The version of AHV installed on the remote host is prior to 20230302.103084. It is, therefore, affected by multiple
vulnerabilities as referenced in the NXSA-AHV-20230302.103084 advisory.

  - A vulnerability has been identified in the libarchive library, specifically within the
    archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately
    lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption,
    enabling an attacker to execute arbitrary code or cause a denial-of-service condition. (CVE-2025-5914)

  - A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without
    proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks
    and race conditions. (CVE-2025-6020)

  - cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
    Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer
    dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service
    (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to
    potential disruptions in system availability and stability. This vulnerability has been patched in version
    41.0.6. (CVE-2023-49083)

  - There is a defect in the CPython tarfile module affecting the TarFile extraction and entry enumeration
    APIs. The tar implementation would process tar archives with negative offsets without error, resulting in
    an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability
    can be mitigated by including the following patch after importing the tarfile module:
    https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 (CVE-2025-8194)

  - Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into
    Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted
    Computing Group, is prone to a potential out of bounds (OOB) read vulnerability. The vulnerability occurs
    in the CryptHmacSign' function with an inconsistent pairing of the signKey and signScheme parameters,
    where the signKey is ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme. The reported vulnerability is
    in the CryptHmacSign' function, which is defined in the Part 4: Supporting Routines  Code document,
    section 7.151 - /tpm/src/crypt/CryptUtil.c . This vulnerability can be triggered from user-mode
    applications by sending malicious commands to a TPM 2.0/vTPM (swtpm) whose firmware is based on an
    affected TCG reference implementation. The effect on libtpms is that it will cause an abort due to the
    detection of the out-of-bounds access, thus for example making a vTPM (swtpm) unavailable to a VM. This
    vulnerability is fixed in 0.7.12, 0.8.10, 0.9.7, and 0.10.1. (CVE-2025-49133)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AHV-20230302.103084
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?511effce");
  script_set_attribute(attribute:"solution", value:
"Update the Nutanix AHV software to the recommended version. Before upgrading: if this cluster is registered with Prism
Central, ensure that Prism Central has been upgraded first to a compatible version. Refer to the Software Product
Interoperability page on the Nutanix portal.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-5914");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/11/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:nutanix:ahv");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nutanix_collect.nasl");
  script_require_keys("Host/Nutanix/Data/Node/Version", "Host/Nutanix/Data/Node/Type");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

var app_info = vcf::nutanix::get_app_info(node:TRUE);

var constraints = [
  { 'fixed_version' : '20230302.103084', 'product' : 'AHV', 'fixed_display' : 'Upgrade the AHV install to 20230302.103084 or higher.' }
];

vcf::nutanix::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);