UBUNTU_USN-4796-1.NASL (Nessus plugin)

Ubuntu 16.04 ESM / 18.04 ESM : Node.js vulnerabilities (USN-4796-1)

Published: 2023-10-16 00:00:00
Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

The remote Ubuntu 16.04 ESM / 18.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4796-1 advisory.

  • The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. (CVE-2016-7099)

  • The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. (CVE-2017-1000381)

  • In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le'), Buffer#write() can be abused to write outside of the bounds of a single Buffer. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written. (CVE-2018-12115)

  • Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the same server. (CVE-2018-12116)

  • Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. (CVE-2018-12122)

  • Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case javascript: (e.g. javAscript:) protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect. (CVE-2018-12123)

  • The Node.js inspector, in 6.x and later, is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access. (CVE-2018-7160)

  • Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS Boron), 8.x (LTS Carbon), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable. (CVE-2018-7167)

  • In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer.
    This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1. (CVE-2019-5737)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4796-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(183156);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/16");

  script_cve_id(
    "CVE-2016-7099",
    "CVE-2017-1000381",
    "CVE-2018-7160",
    "CVE-2018-7167",
    "CVE-2018-12115",
    "CVE-2018-12116",
    "CVE-2018-12122",
    "CVE-2018-12123",
    "CVE-2019-5737"
  );
  script_xref(name:"USN", value:"4796-1");

  script_name(english:"Ubuntu 16.04 ESM / 18.04 ESM : Node.js vulnerabilities (USN-4796-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM / 18.04 ESM host has packages installed that are affected by multiple vulnerabilities as
referenced in the USN-4796-1 advisory.

  - The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before
    4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which
    allows man-in-the-middle attackers to spoof servers via a crafted certificate. (CVE-2016-7099)

  - The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be
    triggered to read memory outside of the given input buffer if the passed in DNS response packet was
    crafted in a particular way. (CVE-2017-1000381)

  - In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by
    Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused
    to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of
    a buffer cause a miscalculation of the maximum length of the input bytes to be written. (CVE-2018-12115)

  - Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be
    convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then
    data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the
    same server. (CVE-2018-12116)

  - Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of
    Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or
    HTTPS connections and associated resources alive for a long period of time. (CVE-2018-12122)

  - Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser
    for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that
    hostname can be spoofed by using a mixed case javascript: (e.g. javAscript:) protocol (other protocols
    are not affected). If security decisions are made about the URL based on the hostname, they may be
    incorrect. (CVE-2018-12123)

  - The Node.js inspector, in 6.x and later, is vulnerable to a DNS rebinding attack which could be exploited
    to perform remote code execution. An attack is possible from malicious websites open in a web browser on
    the same computer, or another computer with network access to the computer running the Node.js process. A
    malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy
    checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process
    with the debug port active is running on localhost or on a host on the local network, the malicious
    website could connect to it as a debugger, and get full code execution access. (CVE-2018-7160)

  - Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a
    Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and
    Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of
    Node.js 6.x (LTS Boron), 8.x (LTS Carbon), and 9.x are vulnerable. All versions of Node.js 10.x
    (Current) are NOT vulnerable. (CVE-2018-7167)

  - In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1,
    an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive
    mode and by sending headers very slowly. This keeps the connection and associated resources alive for a
    long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer.
    This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js
    release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before
    11.10.1. (CVE-2019-5737)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-4796-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected nodejs, nodejs-dev and / or nodejs-legacy packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7160");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/03/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs-legacy");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '16.04', 'pkgname': 'nodejs', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm1'},
    {'osver': '16.04', 'pkgname': 'nodejs-dev', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm1'},
    {'osver': '16.04', 'pkgname': 'nodejs-legacy', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm1'},
    {'osver': '18.04', 'pkgname': 'nodejs', 'pkgver': '8.10.0~dfsg-2ubuntu0.4+esm1'},
    {'osver': '18.04', 'pkgname': 'nodejs-dev', 'pkgver': '8.10.0~dfsg-2ubuntu0.4+esm1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs / nodejs-dev / nodejs-legacy');
}
Vendor     Product       Version        CPE
canonical  ubuntu_linux  16.04          cpe:/o:canonical:ubuntu_linux:16.04:-:esm
canonical  ubuntu_linux  18.04          cpe:/o:canonical:ubuntu_linux:18.04:-:esm
canonical  ubuntu_linux  nodejs         p-cpe:/a:canonical:ubuntu_linux:nodejs
canonical  ubuntu_linux  nodejs-dev     p-cpe:/a:canonical:ubuntu_linux:nodejs-dev
canonical  ubuntu_linux  nodejs-legacy  p-cpe:/a:canonical:ubuntu_linux:nodejs-legacy