TencentOS Server 3: gssntlmssp (TSSA-2023:0084)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2023:0084.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(238862);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");

  script_cve_id(
    "CVE-2023-25563",
    "CVE-2023-25564",
    "CVE-2023-25565",
    "CVE-2023-25566",
    "CVE-2023-25567"
  );

  script_name(english:"TencentOS Server 3: gssntlmssp (TSSA-2023:0084)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2023:0084 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

      CVE-2023-25563:
      A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM
    authentication. Multiple out-of-bounds reads occur when decoding NTLM fields and can trigger a denial of
    service. A 32-bit integer overflow condition can lead to incorrect checks of the consistency of the length
    of internal buffers. Although most applications will error out before accepting a single input buffer of
    4GB in length, this issue can happen. This vulnerability can be triggered via the main
    gss_accept_sec_context entry point if the application allows tokens greater than 4GB in length, leading to
    a large, up to 65KB, out-of-bounds read, which could cause a denial of service if it reads from unmapped
    memory.
      CVE-2023-25564:
      A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM
    authentication. Memory corruption can be triggered when decoding UTF16 strings. The variable outlen was
    not initialized and could cause writing a zero to an arbitrary place in memory if the ntlm_str_convert()
    fails, which would leave outlen uninitialized. This issue can lead to a denial of service if the write
    hits unmapped memory or randomly corrupts a byte in the application memory space. This vulnerability can
    trigger an out-of-bounds write, leading to memory corruption, and can be triggered via the main
    gss_accept_sec_context entry point.
      CVE-2023-25565:
      A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM
    authentication. An incorrect free when decoding target information can trigger a denial of service. The
    error condition incorrectly assumes the cb and sh buffers contain a copy of the data that needs to be
    freed. However, that is not the case. This vulnerability can be triggered via the main
    gss_accept_sec_context entry point. This issue will likely trigger an assertion failure in free, causing a
    denial of service.
      CVE-2023-25566:
      A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM
    authentication. A memory leak can be triggered when parsing usernames, triggering a denial of service. The
    domain portion of a username may be overridden, causing an allocated memory area the size of the domain
    name to be leaked. This flaw allows an attacker to leak memory via the main gss_accept_sec_context entry
    point, potentially causing a denial of service.
      CVE-2023-25567:
      A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM
    authentication. It has an out-of-bounds read when decoding target information. The length of the av_pair
    is not checked properly for two of the elements, which can trigger an out-of-bounds read via the main
    gss_accept_sec_context entry point and could cause a denial of service if the memory is unmapped.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20230084.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-25564");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/06/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:gssntlmssp");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'gssntlmssp-1.2.0-1.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'gssntlmssp-1.2.0-1.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'gssntlmssp-debuginfo-1.2.0-1.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'gssntlmssp-debuginfo-1.2.0-1.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'gssntlmssp-debugsource-1.2.0-1.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'gssntlmssp-debugsource-1.2.0-1.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'gssntlmssp-devel-1.2.0-1.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'gssntlmssp-devel-1.2.0-1.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'gssntlmssp / gssntlmssp-debuginfo / gssntlmssp-debugsource / etc');
}