OpenSSL 1.0.2 < 1.0.2zn Multiple Vulnerabilities

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(296767);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");

  script_cve_id("CVE-2025-68160", "CVE-2025-69421", "CVE-2026-22796");
  script_xref(name:"IAVA", value:"2026-A-0087-S");

  script_name(english:"OpenSSL 1.0.2 < 1.0.2zn Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote service is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of OpenSSL installed on the remote host is prior to 1.0.2zn. It is, therefore, affected by multiple
vulnerabilities as referenced in the 1.0.2zn advisory.

  - Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data
    where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL
    pointer dereference when processing malformed PKCS#7 data.  Impact summary: An application performing
    signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can
    be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The
    function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its
    type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the
    ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a
    malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of
    Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons
    the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by
    this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.  OpenSSL
    3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Fixed in OpenSSL 1.0.2zn (Affected
    since 1.0.2). (CVE-2026-22796)

  - Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the
    PKCS12_item_decrypt_d2i_ex() function.  Impact summary: A NULL pointer dereference can trigger a crash
    which leads to Denial of Service for an application processing PKCS#12 files.  The
    PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before
    dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter
    can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to
    achieve code execution or memory disclosure.  Exploiting this issue requires an attacker to provide a
    malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low
    severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not
    affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.
    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Fixed in OpenSSL 1.0.2zn
    (Affected since 1.0.2). (CVE-2025-69421)

  - Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the
    next BIO performs short writes can trigger a heap-based out-of-bounds write.  Impact summary: This out-of-
    bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service
    for an application.  The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL
    data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS
    systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write
    and that write large, newline-free data influenced by an attacker would be affected. However, the
    circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is
    unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed
    as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the
    BIO implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1
    and 1.0.2 are vulnerable to this issue. Fixed in OpenSSL 1.0.2zn (Affected since 1.0.2). (CVE-2025-68160)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://openssl-library.org/news/secadv/20260127.txt");
  # https://openssl-library.org/policies/general/security-policy/index.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eac4598c");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-68160");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69421");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-22796");
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSL version 1.0.2zn or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-69421");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/27");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("openssl_version.nasl", "openssl_nix_installed.nbin", "openssl_win_installed.nbin");
  script_require_keys("installed_sw/OpenSSL");

  exit(0);
}

include('vcf.inc');
include('vcf_extras_openssl.inc');

var app_info = vcf::combined_get_app_info(app:'OpenSSL');

vcf::check_all_backporting(app_info:app_info);

var constraints = [
  { 'min_version' : '1.0.2', 'fixed_version' : '1.0.2zn' }
];

vcf::openssl::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);