CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

AI Score
Confidence: High

EPSS
Percentile: 99.5%
The version of AOS installed on the remote host is prior to 5.19.1.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.19.1.5 advisory.
Net-SNMP through 5.8 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. (CVE-2020-15862)
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character. (CVE-2021-3156)
A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command without authentication. Successful exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)
The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multibyte input sequences in the EUC-KR encoding, may have a buffer over-read. (CVE-2019-25013)
The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, as seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. (CVE-2020-10029)
sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words, the reference to 2.23 is intentional despite the mention of Fixed for glibc 2.33 in the 26649 reference. (CVE-2020-29573)
Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field. (CVE-2020-15436)
A flaw (an incorrect umask during file or directory modification) was found in the Linux kernel NFS (network file system) functionality, in the way a user creates and deletes objects using NFSv4.2 or newer while another process that is not using NFSv4.2 simultaneously accesses the same NFS share. A user with access to the NFS could use this flaw to starve resources, causing a denial of service. (CVE-2020-35513)
Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow. (CVE-2020-10543)
Perl before 5.30.3 has an integer overflow related to mishandling of a PL_regkind[OP(n)] == NOTHING situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. (CVE-2020-10878)
regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls. (CVE-2020-12723)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(164609);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/07");

  script_cve_id(
    "CVE-2019-25013",
    "CVE-2020-10029",
    "CVE-2020-10543",
    "CVE-2020-10878",
    "CVE-2020-12723",
    "CVE-2020-15436",
    "CVE-2020-15862",
    "CVE-2020-29573",
    "CVE-2020-35513",
    "CVE-2021-3156"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/27");
  script_xref(name:"CEA-ID", value:"CEA-2021-0004");
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");

  script_name(english:"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.19.1.5)");

  script_set_attribute(attribute:"synopsis", value:
"The Nutanix AOS host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of AOS installed on the remote host is prior to 5.19.1.5. It is, therefore, affected by multiple
vulnerabilities as referenced in the NXSA-AOS-5.19.1.5 advisory.

  - Net-SNMP through 5.8 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB
    provides the ability to run arbitrary commands as root. (CVE-2020-15862)

  - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which
    allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single
    backslash character. (CVE-2021-3156)

  - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is
    exploitable by any local user who can execute the sudo command without authentication. Successful
    exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)

  - The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-
    byte input sequences in the EUC-KR encoding, may have a buffer over-read. (CVE-2019-25013)

  - The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range
    reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, as seen when
    passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to
    sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. (CVE-2020-10029)

  - sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-
    based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with
    a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to
    sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because
    of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words,
    the reference to 2.23 is intentional despite the mention of Fixed for glibc 2.33 in the 26649 reference.
    (CVE-2020-29573)

  - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain
    privileges or cause a denial of service by leveraging improper access to a certain error field.
    (CVE-2020-15436)

  - A flaw incorrect umask during file or directory modification in the Linux kernel NFS (network file system)
    functionality was found in the way user create and delete object using NFSv4.2 or newer if both
    simultaneously accessing the NFS by the other process that is not using new NFSv4.2. A user with access to
    the NFS could use this flaw to starve the resources causing denial of service. (CVE-2020-35513)

  - Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular
    expression quantifiers have an integer overflow. (CVE-2020-10543)

  - Perl before 5.30.3 has an integer overflow related to mishandling of a PL_regkind[OP(n)] == NOTHING
    situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction
    injection. (CVE-2020-10878)

  - regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of
    recursive S_study_chunk calls. (CVE-2020-12723)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-5.19.1.5
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?51f492e8");
  script_set_attribute(attribute:"solution", value:
"Update the Nutanix AOS software to recommended version.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-10878");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Sudo Heap-Based Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/08/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/09/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:nutanix:aos");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The version data is gathered by nutanix_collect.nasl and read from the KB keys below.
  script_dependencies("nutanix_collect.nasl");
  script_require_keys("Host/Nutanix/Data/lts", "Host/Nutanix/Data/Service", "Host/Nutanix/Data/Version", "Host/Nutanix/Data/arch");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

# Installed AOS product/version as collected from the host (self-reported; no exploit is attempted).
var app_info = vcf::nutanix::get_app_info();

# Any AOS or NDFS install below 5.19.1.5 on the non-LTS line is reported as vulnerable.
var constraints = [
  { 'fixed_version' : '5.19.1.5', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.19.1.5 or higher.', 'lts' : FALSE },
  { 'fixed_version' : '5.19.1.5', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.19.1.5 or higher.', 'lts' : FALSE }
];

vcf::nutanix::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25013
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10029
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10543
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10878
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12723
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15436
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15862
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29573
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35513
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156
www.nessus.org/u?51f492e8