CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
78.0%
The version of edk2 / hvloader / cloud-hypervisor / rust / openssl installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-0215 advisory.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(201666);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/07/03");
script_cve_id("CVE-2023-0215");
script_xref(name:"IAVA", value:"2022-A-0518-S");
script_xref(name:"IAVA", value:"2023-A-0462-S");
script_name(english:"CBL Mariner 2.0 Security Update: edk2 / hvloader / cloud-hypervisor / rust / openssl (CVE-2023-0215)");
script_set_attribute(attribute:"synopsis", value:
"The remote CBL Mariner host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The version of edk2 / hvloader / cloud-hypervisor / rust / openssl installed on the remote CBL Mariner 2.0 host is prior
to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-0215 advisory.
- The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is
primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may
also be called directly by end user applications. The function receives a BIO from the caller, prepends a
new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the
BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid,
the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this
case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal
pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then
a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the
internal function B64_write_ASN1() which May cause BIO_new_NDEF() to be called and will subsequently call
BIO_pop() on the BIO. This internal function is in turn called by the public API functions
PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1,
SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that May be impacted by this include
i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL
cms and smime command line applications are similarly affected. (CVE-2023-0215)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2023-0215");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-0215");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/02/03");
script_set_attribute(attribute:"patch_publication_date", value:"2024/07/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/07/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:cloud-hypervisor");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:hvloader");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:openssl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:openssl-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:openssl-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:openssl-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:openssl-perl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:openssl-static");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:rust");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:rust-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:rust-doc");
script_set_attribute(attribute:"cpe", value:"x-cpe:/o:microsoft:cbl-mariner");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"MarinerOS Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/CBLMariner/release", "Host/CBLMariner/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item('Host/CBLMariner/release');
if (isnull(release) || 'CBL-Mariner' >!< release) audit(AUDIT_OS_NOT, 'CBL-Mariner');
var os_ver = pregmatch(pattern: "CBL-Mariner ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CBL-Mariner');
os_ver = os_ver[1];
if (! preg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'CBL-Mariner 2.0', 'CBL-Mariner ' + os_ver);
if (!get_kb_item('Host/CBLMariner/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu)
audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CBL-Mariner', cpu);
var pkgs = [
{'reference':'cloud-hypervisor-30.0-2.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hvloader-1.0.1-3.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-1.1.1k-21.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-1.1.1k-21.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-debuginfo-1.1.1k-21.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-debuginfo-1.1.1k-21.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-devel-1.1.1k-21.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-devel-1.1.1k-21.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-libs-1.1.1k-21.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-libs-1.1.1k-21.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-perl-1.1.1k-21.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-perl-1.1.1k-21.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-static-1.1.1k-21.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'openssl-static-1.1.1k-21.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-1.72.0-2.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-1.72.0-2.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-debuginfo-1.72.0-2.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-debuginfo-1.72.0-2.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-doc-1.72.0-2.cm2', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'rust-doc-1.72.0-2.cm2', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'CBLMariner-' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cloud-hypervisor / hvloader / openssl / openssl-debuginfo / etc');
}
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
78.0%