The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has python packages installed that are affected by multiple vulnerabilities:
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. (CVE-2020-26137)
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. (CVE-2021-3177)
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like ‘\r’ and ‘\n’ in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14. (CVE-2022-0391)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
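The three CRLF-related entries above (CVE-2020-26116, CVE-2020-26137 and CVE-2022-0391) share one root cause: a request method or URL taken from untrusted input reaches the HTTP layer with CR/LF control characters still in it. The following added example (not part of the advisory or the plugin) shows an input guard an application can apply before handing those values to http.client or urllib3; the helper names and the sample URL are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Any C0 control character or DEL; CR and LF are the ones that let an
# attacker terminate the request line and start a forged header.
_CONTROL_CHAR_RE = re.compile(r"[\x00-\x1f\x7f]")

# RFC 7230 "token" grammar for an HTTP method: no whitespace, no controls.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_safe_method(method: str) -> bool:
    """True only if the method is a well-formed HTTP token."""
    return bool(_TOKEN_RE.match(method))


def is_safe_url(url: str) -> bool:
    """Reject a URL that carries control characters anywhere.

    Patched urllib.parse strips \\t, \\r and \\n before splitting; this guard
    refuses the input instead, so nothing is silently rewritten.
    """
    if _CONTROL_CHAR_RE.search(url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def build_request_line(method: str, url: str) -> str:
    """Return the request line the client would send, or raise ValueError.

    Call this (hypothetical helper) before HTTPConnection.request() or
    urllib3's putrequest() so that only validated values reach them.
    """
    if not is_safe_method(method):
        raise ValueError("request method is not a valid HTTP token")
    if not is_safe_url(url):
        raise ValueError("URL contains disallowed control characters")
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"{method.upper()} {target} HTTP/1.1"


if __name__ == "__main__":
    # Constructed sample input for this example.
    print(build_request_line("get", "http://example.com/api?q=1"))
```

On an unpatched interpreter the same guard still protects the application, because the check runs before the vulnerable library code is reached.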
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2023-0008. The text
# itself is copyright (C) ZTE, Inc.
##
include('compat.inc');
if (description)
{
  script_id(174086);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/27");

  script_cve_id(
    "CVE-2020-26116",
    "CVE-2020-26137",
    "CVE-2021-3177",
    "CVE-2022-0391"
  );
  script_xref(name:"IAVA", value:"2021-A-0052-S");
  script_xref(name:"IAVA", value:"2020-A-0340-S");

  script_name(english:"NewStart CGSL CORE 5.05 / MAIN 5.05 : python Multiple Vulnerabilities (NS-SA-2023-0008)");

  script_set_attribute(attribute:"synopsis", value:
"The remote NewStart CGSL host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has python packages installed that are affected by
multiple vulnerabilities:

  - http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5
    allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR
    and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)

  - urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as
    demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this
    is similar to CVE-2020-26116. (CVE-2020-26137)

  - Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to
    remote code execution in certain Python applications that accept floating-point numbers as untrusted
    input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used
    unsafely. (CVE-2021-3177)

  - A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform
    Resource Locator (URL) strings into components. The issue involves how the urlparse method does not
    sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to
    input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1,
    3.9.5, 3.8.11, 3.7.11 and 3.6.14. (CVE-2022-0391)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2023-0008");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/info/CVE-2020-26116");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/info/CVE-2020-26137");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/info/CVE-2021-3177");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/info/CVE-2022-0391");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL python packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3177");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/04/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/04/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:python");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:python-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:python-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:python-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:python-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:python-test");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:python-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_core:tkinter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:python");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:python-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:python-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:python-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:python-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:python-test");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:python-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:tkinter");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:zte:cgsl_core:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:zte:cgsl_main:5");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/ZTE-CGSL/release');
if (isnull(os_release) || os_release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');
if (os_release !~ "CGSL CORE 5.05" &&
    os_release !~ "CGSL MAIN 5.05")
  audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');
if (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);
var flag = 0;
var pkgs = {
  'CGSL CORE 5.05': [
    'python-2.7.5-92.el7_9.cgslv5_5.0.2.gaa5a806.lite',
    'python-debug-2.7.5-92.el7_9.cgslv5_5.0.2.gaa5a806.lite',
    'python-debuginfo-2.7.5-92.el7_9.cgslv5_5.0.2.gaa5a806.lite',
    'python-devel-2.7.5-92.el7_9.cgslv5_5.0.2.gaa5a806.lite',
    'python-libs-2.7.5-92.el7_9.cgslv5_5.0.2.gaa5a806.lite',
    'python-test-2.7.5-92.el7_9.cgslv5_5.0.2.gaa5a806.lite',
    'python-tools-2.7.5-92.el7_9.cgslv5_5.0.2.gaa5a806.lite',
    'tkinter-2.7.5-92.el7_9.cgslv5_5.0.2.gaa5a806.lite'
  ],
  'CGSL MAIN 5.05': [
    'python-2.7.5-92.el7_9.cgslv5_5.0.2.g85b8c1a',
    'python-debug-2.7.5-92.el7_9.cgslv5_5.0.2.g85b8c1a',
    'python-debuginfo-2.7.5-92.el7_9.cgslv5_5.0.2.g85b8c1a',
    'python-devel-2.7.5-92.el7_9.cgslv5_5.0.2.g85b8c1a',
    'python-libs-2.7.5-92.el7_9.cgslv5_5.0.2.g85b8c1a',
    'python-test-2.7.5-92.el7_9.cgslv5_5.0.2.g85b8c1a',
    'python-tools-2.7.5-92.el7_9.cgslv5_5.0.2.g85b8c1a',
    'tkinter-2.7.5-92.el7_9.cgslv5_5.0.2.g85b8c1a'
  ]
};
var pkg_list = pkgs[os_release];
foreach (pkg in pkg_list)
  if (rpm_check(release:'ZTE ' + os_release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0391
security.gd-linux.com/info/CVE-2020-26116
security.gd-linux.com/info/CVE-2020-26137
security.gd-linux.com/info/CVE-2021-3177
security.gd-linux.com/info/CVE-2022-0391
security.gd-linux.com/notice/NS-SA-2023-0008