Openfire < 5.0.2 / 5.1.0 Identity Spoofing

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(265328);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/19");

  script_cve_id("CVE-2025-59154");
  script_xref(name:"IAVB", value:"2025-B-0153");

  script_name(english:"Openfire < 5.0.2 / 5.1.0 Identity Spoofing");

  script_set_attribute(attribute:"synopsis", value:
"The remote host contains an application that is affected by an identity spoofing vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Openfire that is affected by an identity spoofing vulnerability. Openfire’s 
SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities 
from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls 
X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a 
provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), 
for example, commas and equals signs inside attribute values are not escaped.

As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU='CN=admin,'). The regex 
will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and 
configured to map CNs to user accounts, this allows the attacker to impersonate another user.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?90b5f08e");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 5.0.2, 5.1.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:M/C:C/I:C/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-59154");
  script_cwe_id(290);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/09/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/09/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/17");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:igniterealtime:openfire");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2025 Tenable Network Security, Inc.");

  script_dependencies("openfire_console_detect.nasl");
  script_require_keys("installed_sw/Openfire Console");
  script_require_ports("Services/www", 9090);

  exit(0);
}

include('vcf.inc');

var app_info = vcf::combined_get_app_info(app:'Openfire Console');

var constraints = [
  {'fixed_version' : '5.0.2', 'fixed_display' : '5.0.2 / 5.1.0'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);