CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence
Low
EPSS
Percentile
39.9%
According to the versions of the libuv package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
uv_getaddrinfo
function in src/unix/getaddrinfo.c
(and its windows counterpart src/win/getaddrinfo.c
), truncates hostnames to 256 characters before calling getaddrinfo
. This behavior can be exploited to create addresses like 0x00007f000001
, which are considered valid by getaddrinfo
and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the hostname_ascii
variable (with a length of 256 bytes) is handled in uv_getaddrinfo
and subsequently in uv__idna_toascii
. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have username.example.com
pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username.Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(195241);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/09");
script_cve_id("CVE-2024-24806");
script_name(english:"EulerOS 2.0 SP10 : libuv (EulerOS-SA-2024-1594)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing a security update.");
script_set_attribute(attribute:"description", value:
"According to the versions of the libuv package installed, the EulerOS installation on the remote host is affected by the
following vulnerabilities :
- libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function
in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to
256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like
`0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft
payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due
to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and
subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a
terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar
to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache
these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username.
This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known
workarounds for this vulnerability. (CVE-2024-24806)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2024-1594
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fc1c4ba1");
script_set_attribute(attribute:"solution", value:
"Update the affected libuv packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-24806");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/07");
script_set_attribute(attribute:"patch_publication_date", value:"2024/05/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libuv");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10");
var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(10)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "x86" >!< cpu) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
var flag = 0;
var pkgs = [
"libuv-1.38.1-2.h3.eulerosv2r10"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"10", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libuv");
}
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence
Low
EPSS
Percentile
39.9%