According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is running 5.22.0 or 5.23.1 and is therefore affected by multiple vulnerabilities in curl starting with 7.77.0 and before 7.86.0:
- If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. (CVE-2022-42915)
- In curl the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion. (CVE-2022-42916)
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(171869);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/16");
script_cve_id("CVE-2022-42915", "CVE-2022-42916");
script_xref(name:"IAVA", value:"2023-A-0059-S");
script_name(english:"Tenable SecurityCenter 5.22.0 / 5.23.1 Multiple Vulnerabilities (TNS-2023-05)");
script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is
running 5.22.0 or 5.23.1 and is therefore affected by multiple vulnerabilities in curl starting with 7.77.0 and
before 7.86.0:
- If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection
to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol
through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to
specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to
flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes
were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. (CVE-2022-42915)
- In curl the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be
instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided
in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get
replaced with ASCII counterparts as part of the IDN conversion. (CVE-2022-42916)");
script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2023-05");
# https://docs.tenable.com/releasenotes/Content/tenablesc/tenablesc2023.htm#2023023
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c126983d");
script_set_attribute(attribute:"solution", value:
"Apply the security patch referenced in the vendor advisory.");
script_set_attribute(attribute:"agent", value:"unix");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-42916");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-42915");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/02/21");
script_set_attribute(attribute:"patch_publication_date", value:"2023/02/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/02/23");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("securitycenter_installed.nbin");
script_require_ports("installed_sw/SecurityCenter");
exit(0);
}
include('vcf_extras.inc');
var patches = make_list('SC-202302.3');
var app_info = vcf::tenable_sc::get_app_info();
vcf::tenable_sc::check_for_patch(app_info:app_info, patches:patches);
var constraints = [
{ 'min_version' : '5.22.0', 'max_version': '5.23.1', 'fixed_display' : 'Apply Patch SC-202302.3'}
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);