The remote Ubuntu 16.04 ESM / 18.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4796-1 advisory.
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. (CVE-2016-7099)
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. (CVE-2017-1000381)
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written. (CVE-2018-12115)
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the same server. (CVE-2018-12116)
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. (CVE-2018-12122)
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case javascript: (e.g. javAscript:) protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect. (CVE-2018-12123)
The Node.js inspector, in 6.x and later, is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access. (CVE-2018-7160)
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS Boron), 8.x (LTS Carbon), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable. (CVE-2018-7167)
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer.
This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1. (CVE-2019-5737)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4796-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
  script_id(183156);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/16");

  script_cve_id(
    "CVE-2016-7099",
    "CVE-2017-1000381",
    "CVE-2018-7160",
    "CVE-2018-7167",
    "CVE-2018-12115",
    "CVE-2018-12116",
    "CVE-2018-12122",
    "CVE-2018-12123",
    "CVE-2019-5737"
  );
  script_xref(name:"USN", value:"4796-1");

  script_name(english:"Ubuntu 16.04 ESM / 18.04 ESM : Node.js vulnerabilities (USN-4796-1)");
  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM / 18.04 ESM host has packages installed that are affected by multiple vulnerabilities as
referenced in the USN-4796-1 advisory.

  - The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before
    4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which
    allows man-in-the-middle attackers to spoof servers via a crafted certificate. (CVE-2016-7099)

  - The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be
    triggered to read memory outside of the given input buffer if the passed in DNS response packet was
    crafted in a particular way. (CVE-2017-1000381)

  - In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by
    Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused
    to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of
    a buffer cause a miscalculation of the maximum length of the input bytes to be written. (CVE-2018-12115)

  - Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be
    convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then
    data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to
    the same server. (CVE-2018-12116)

  - Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of
    Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or
    HTTPS connections and associated resources alive for a long period of time. (CVE-2018-12122)

  - Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser
    for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that
    hostname can be spoofed by using a mixed case javascript: (e.g. javAscript:) protocol (other protocols
    are not affected). If security decisions are made about the URL based on the hostname, they may be
    incorrect. (CVE-2018-12123)

  - The Node.js inspector, in 6.x and later, is vulnerable to a DNS rebinding attack which could be exploited
    to perform remote code execution. An attack is possible from malicious websites open in a web browser on
    the same computer, or another computer with network access to the computer running the Node.js process. A
    malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy
    checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process
    with the debug port active is running on localhost or on a host on the local network, the malicious
    website could connect to it as a debugger, and get full code execution access. (CVE-2018-7160)

  - Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a
    Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and
    Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of
    Node.js 6.x (LTS Boron), 8.x (LTS Carbon), and 9.x are vulnerable. All versions of Node.js 10.x
    (Current) are NOT vulnerable. (CVE-2018-7167)

  - In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1,
    an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive
    mode and by sending headers very slowly. This keeps the connection and associated resources alive for a
    long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer.
    This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js
    release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before
    11.10.1. (CVE-2019-5737)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-4796-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected nodejs, nodejs-dev and / or nodejs-legacy packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7160");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/03/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs-legacy");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}
include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '16.04', 'pkgname': 'nodejs', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm1'},
    {'osver': '16.04', 'pkgname': 'nodejs-dev', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm1'},
    {'osver': '16.04', 'pkgname': 'nodejs-legacy', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm1'},
    {'osver': '18.04', 'pkgname': 'nodejs', 'pkgver': '8.10.0~dfsg-2ubuntu0.4+esm1'},
    {'osver': '18.04', 'pkgname': 'nodejs-dev', 'pkgver': '8.10.0~dfsg-2ubuntu0.4+esm1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs / nodejs-dev / nodejs-legacy');
}
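The plugin's verdict comes down to ubuntu_check() comparing each installed package version against the fixed versions in the pkgs table. The Python below is an added example, not Tenable's or Canonical's code: it reimplements dpkg's version ordering (assuming ubuntu_check() follows Debian Policy ordering, where `~` sorts before everything and `+esm1` sorts after the bare revision) and runs it over constructed installed-version samples, which shows why 4.2.6~dfsg-1ubuntu4.2 is flagged while 4.2.6~dfsg-1ubuntu4.2+esm1 is not.

```python
# Added example (not Tenable/Canonical code): dpkg-style version ordering in Python,
# so the comparison the plugin delegates to ubuntu_check() can be reproduced offline.
import re
from itertools import zip_longest

def _order(c):
    # '~' sorts before everything, even end of string; letters before other symbols.
    if c == '~': return -1
    if c == '' or c.isdigit(): return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Alternate non-digit and numeric segments, as dpkg's verrevcmp() does.
    i = j = 0
    while i < len(a) or j < len(b):
        sa, sb = re.match(r'\D*', a[i:]).group(), re.match(r'\D*', b[j:]).group()
        for ca, cb in zip_longest(sa, sb, fillvalue=''):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        i, j = i + len(sa), j + len(sb)
        ma, mb = re.match(r'\d*', a[i:]).group(), re.match(r'\d*', b[j:]).group()
        i, j = i + len(ma), j + len(mb)
        na, nb = ma.lstrip('0'), mb.lstrip('0')  # numeric compare: length, then digits
        if (len(na), na) != (len(nb), nb):
            return 1 if (len(na), na) > (len(nb), nb) else -1
    return 0

def compare(a, b):
    """<0, 0, >0 as Debian version a is older than, equal to, newer than b."""
    def split(v):
        epoch, _, rest = v.partition(':') if ':' in v else ('0', '', v)
        upstream, _, revision = rest.rpartition('-') if '-' in rest else (rest, '', '')
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Fixed versions from the plugin's pkgs table (USN-4796-1).
FIXED = {('16.04', 'nodejs'): '4.2.6~dfsg-1ubuntu4.2+esm1',
         ('16.04', 'nodejs-dev'): '4.2.6~dfsg-1ubuntu4.2+esm1',
         ('16.04', 'nodejs-legacy'): '4.2.6~dfsg-1ubuntu4.2+esm1',
         ('18.04', 'nodejs'): '8.10.0~dfsg-2ubuntu0.4+esm1',
         ('18.04', 'nodejs-dev'): '8.10.0~dfsg-2ubuntu0.4+esm1'}

def affected(os_release, installed):
    """installed: {pkgname: version} (constructed sample); packages older than the fix."""
    return sorted(pkg for (osver, pkg), fixed in FIXED.items()
                  if osver == os_release and pkg in installed
                  and compare(installed[pkg], fixed) < 0)
```

Like the plugin, this only compares self-reported dpkg versions; it does not probe the Node.js behaviour behind any of the CVEs.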
| Vendor | Product | Version | CPE |
|---|---|---|---|
| canonical | ubuntu_linux | 16.04 | cpe:/o:canonical:ubuntu_linux:16.04:-:esm |
| canonical | ubuntu_linux | 18.04 | cpe:/o:canonical:ubuntu_linux:18.04:-:esm |
| canonical | ubuntu_linux | nodejs | p-cpe:/a:canonical:ubuntu_linux:nodejs |
| canonical | ubuntu_linux | nodejs-dev | p-cpe:/a:canonical:ubuntu_linux:nodejs-dev |
| canonical | ubuntu_linux | nodejs-legacy | p-cpe:/a:canonical:ubuntu_linux:nodejs-legacy |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7099
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12115
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12122
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12123
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7160
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7167
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5737
ubuntu.com/security/notices/USN-4796-1