TencentOS Server 4: suricata (TSSA-2025:0025)

Published: 16 Jun 2025
Reported by: Tenable
Type: nessus
Source: www.tenable.com

TencentOS Server 4 needs updated Suricata packages (suricata-7.0.8-1.oc9 or later): Suricata versions before 7.0.8 are affected by multiple vulnerabilities listed in TSSA-2025:0025.

Related

Reporter     Title           Published           Family
AlpineLinux  CVE-2024-32663  7 May 2024 14:48    alpinelinux
AlpineLinux  CVE-2024-32867  7 May 2024 15:06    alpinelinux
AlpineLinux  CVE-2024-55605  6 Jan 2025 17:07    alpinelinux
AlpineLinux  CVE-2024-55626  6 Jan 2025 17:47    alpinelinux
AlpineLinux  CVE-2024-55627  6 Jan 2025 17:50    alpinelinux
AlpineLinux  CVE-2024-55628  6 Jan 2025 18:02    alpinelinux
AlpineLinux  CVE-2024-55629  6 Jan 2025 18:04    alpinelinux
Circl        CVE-2024-55605  16 Dec 2024 12:57   circl
Circl        CVE-2024-55626  16 Dec 2024 12:57   circl
Circl        CVE-2024-55627  16 Dec 2024 12:57   circl

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2025:0025.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(239434);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/04");

  script_cve_id(
    "CVE-2024-28870",
    "CVE-2024-32663",
    "CVE-2024-32867",
    "CVE-2024-55605",
    "CVE-2024-55626",
    "CVE-2024-55627",
    "CVE-2024-55628",
    "CVE-2024-55629"
  );

  script_name(english:"TencentOS Server 4: suricata (TSSA-2025:0025)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 4 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0025 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2024-55628:
    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security
    Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages
    containing very large hostnames which can be costly to decode, and lead to very large DNS log records.
    While there are limits in place, they were too generous. The issue has been addressed in Suricata 7.0.8.

    CVE-2024-55605:
    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security
    Monitoring engine. Prior to 7.0.8, a large input buffer to the to_lowercase, to_uppercase,
    strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, or
    xor transform can lead to a stack overflow causing Suricata to crash. The issue has been addressed in
    Suricata 7.0.8.

    CVE-2024-55629:
    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security
    Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to
    Suricata analyzing data differently than the applications at the TCP endpoints, leading to possible
    evasions. Suricata 7.0.8 includes options to allow users to configure how to handle TCP urgent data. In
    IPS mode, you can use a rule such as drop tcp any any -> any any (sid:1; tcp.flags:U*;) to drop all the
    packets with urgent flag set.

    CVE-2024-55626:
    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security
    Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a
    buffer overflow at Suricata startup. The issue has been addressed in Suricata 7.0.8.

    CVE-2024-55627:
    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security
    Monitoring engine. Prior to 7.0.8, a specially crafted TCP stream can lead to a very large buffer overflow
    while being zero-filled during initialization with memset due to an unsigned integer underflow. The issue
    has been addressed in Suricata 7.0.8.

    CVE-2024-32867:
    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security
    Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in handling of fragmentation anomalies can
    lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 or 6.0.19.

    CVE-2024-32663:
    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security
    Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using
    a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include
    disabling the HTTP/2 parser and reducing `app-layer.protocols.http2.max-table-size` value (default is
    65536).

    CVE-2024-28870:
    Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security
    Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH
    banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert
    records. This issue has been patched in versions 6.0.17 and 7.0.4.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20250025.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-55629");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/02/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/02/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:suricata");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 4.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'suricata-7.0.8-1.oc9', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'suricata-7.0.8-1.oc9', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'suricata-debuginfo-7.0.8-1.oc9', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'suricata-debuginfo-7.0.8-1.oc9', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'suricata-debugsource-7.0.8-1.oc9', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'suricata-debugsource-7.0.8-1.oc9', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'suricata / suricata-debuginfo / suricata-debugsource');
}
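The plugin's detection logic is the rpm_check() call near the end: each installed suricata, suricata-debuginfo or suricata-debugsource package for the host's architecture is compared against the fixed reference suricata-7.0.8-1.oc9 using rpm's version ordering, and the host is reported only when an installed package sorts older. The following script is an added example, not code from the Tenable plugin or the Tencent advisory: it ports rpm's rpmvercmp() label comparison (including the tilde and caret rules) and runs the same constraint table over a constructed `rpm -qa` listing. The package list is made up, the function names are mine, and it assumes no package carries an epoch (the advisory reference has none). It shows why a plain string comparison is not enough: "7.0.10" must sort newer than "7.0.8", and a pre-release such as "7.0.8~rc1" must sort older.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b (ASCII labels)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is not alphanumeric, '~' or '^'
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ta = a[i] if i < len(a) else ""  # "" marks end of string
        tb = b[j] if j < len(b) else ""
        if ta == "~" or tb == "~":  # tilde sorts before everything, even the end of the string
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ta == "^" or tb == "^":  # caret sorts before everything except the end of the string
            if ta == "":
                return -1
            if tb == "":
                return 1
            if ta != "^":
                return 1
            if tb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ta == "" or tb == "":
            break
        # take a run of digits or a run of letters from each side; a digit run beats a letter run
        pat = r"[0-9]+" if ta.isdigit() else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:
            return 1 if ta.isdigit() else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if ta.isdigit():  # numeric segments: compare by magnitude, not lexically
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side has characters left is newer


@dataclass
class Pkg:
    name: str
    ver: str
    rel: str
    arch: Optional[str] = None  # None for an advisory reference such as 'suricata-7.0.8-1.oc9'

    def nevra(self) -> str:
        return f"{self.name}-{self.ver}-{self.rel}" + (f".{self.arch}" if self.arch else "")


_NVR = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")


def parse_nvr(s: str) -> Pkg:
    """Split 'name-version-release'; version and release never contain '-', the name may."""
    m = _NVR.match(s)
    if not m:
        raise ValueError(f"not a name-version-release string: {s!r}")
    return Pkg(m["name"], m["ver"], m["rel"])


def parse_nevra(s: str) -> Pkg:
    """Split 'name-version-release.arch' as printed by `rpm -qa` (no epoch, by assumption)."""
    nvr, _, arch = s.rpartition(".")
    pkg = parse_nvr(nvr)
    pkg.arch = arch
    return pkg


def is_older(installed: Pkg, fixed: Pkg) -> bool:
    c = rpmvercmp(installed.ver, fixed.ver)
    if c == 0:
        c = rpmvercmp(installed.rel, fixed.rel)
    return c < 0


# Same constraint table as the plugin's release-4 block, in the same order.
CONSTRAINTS = [
    {"reference": f"{n}-7.0.8-1.oc9", "cpu": cpu}
    for n in ("suricata", "suricata-debuginfo", "suricata-debugsource")
    for cpu in ("aarch64", "x86_64")
]

# Constructed `rpm -qa` output for a hypothetical host; not real data.
SAMPLE_RPM_LIST = """\
suricata-7.0.7-1.oc9.x86_64
suricata-debuginfo-7.0.7-1.oc9.x86_64
suricata-debugsource-7.0.10-1.oc9.x86_64
libhtp-0.5.49-1.oc9.x86_64
"""


def vulnerable_packages(rpm_list: str, constraints) -> List[str]:
    """Return installed NEVRAs that match a constraint by name and arch and sort older than its reference."""
    installed = [parse_nevra(line) for line in rpm_list.splitlines() if line.strip()]
    hits = []
    for c in constraints:
        fixed = parse_nvr(c["reference"])
        for pkg in installed:
            if pkg.name == fixed.name and pkg.arch == c["cpu"] and is_older(pkg, fixed):
                hits.append(pkg.nevra())
    return hits


if __name__ == "__main__":
    for nevra in vulnerable_packages(SAMPLE_RPM_LIST, CONSTRAINTS):
        print("VULNERABLE:", nevra)
```

On the constructed listing only the two 7.0.7 packages are reported; suricata-debugsource-7.0.10 is left alone because rpmvercmp() compares the numeric segment 10 against 8 by magnitude, where a lexical comparison of the strings would have flagged it.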
