Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 : Node.js vulnerabilities (USN-6735-1)

2024-04-1600:00:00

www.tenable.com

ubuntu

node.js

vulnerabilities

14.04

16.04

18.04

20.04

22.04

23.10

advisory

dos

http request smuggling

crypto

cve-2023-30588

cve-2023-30589

cve-2023-30590

nessus

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.3 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

40.3%

JSON

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6735-1 advisory.

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20 (CVE-2023-30589)
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: Generates private and public Diffie-Hellman key values. The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application- level security, implications are consequently broad. (CVE-2023-30590)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6735-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(193361);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/16");

  script_cve_id("CVE-2023-30588", "CVE-2023-30589", "CVE-2023-30590");
  script_xref(name:"USN", value:"6735-1");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 : Node.js vulnerabilities (USN-6735-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are
affected by multiple vulnerabilities as referenced in the USN-6735-1 advisory.

  - When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a
    non-expect termination occurs making it susceptible to DoS attacks when the attacker could force
    interruptions of application processing, as the process terminates when accessing public key info of
    provided certificates from user code. The current context of the users will be gone, and that will cause a
    DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)

  - The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit
    HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient
    to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence
    should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
    (CVE-2023-30589)

  - The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or
    outdated) keys, that is, it only generates a private key if none has been set yet, but the function is
    also needed to compute the corresponding public key after calling setPrivateKey(). However, the
    documentation says this API call: Generates private and public Diffie-Hellman key values. The documented
    behavior is very different from the actual behavior, and this difference could easily lead to security
    issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-
    level security, implications are consequently broad. (CVE-2023-30590)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6735-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-30590");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnode-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnode108");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnode64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnode72");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs-legacy");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release || '16.04' >< os_release || '18.04' >< os_release || '20.04' >< os_release || '22.04' >< os_release || '23.10' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04 / 16.04 / 18.04 / 20.04 / 22.04 / 23.10', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '14.04', 'pkgname': 'nodejs', 'pkgver': '0.10.25~dfsg2-2ubuntu1.2+esm2'},
    {'osver': '14.04', 'pkgname': 'nodejs-dev', 'pkgver': '0.10.25~dfsg2-2ubuntu1.2+esm2'},
    {'osver': '14.04', 'pkgname': 'nodejs-legacy', 'pkgver': '0.10.25~dfsg2-2ubuntu1.2+esm2'},
    {'osver': '16.04', 'pkgname': 'nodejs', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm3'},
    {'osver': '16.04', 'pkgname': 'nodejs-dev', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm3'},
    {'osver': '16.04', 'pkgname': 'nodejs-legacy', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm3'},
    {'osver': '18.04', 'pkgname': 'nodejs', 'pkgver': '8.10.0~dfsg-2ubuntu0.4+esm5'},
    {'osver': '18.04', 'pkgname': 'nodejs-dev', 'pkgver': '8.10.0~dfsg-2ubuntu0.4+esm5'},
    {'osver': '20.04', 'pkgname': 'libnode-dev', 'pkgver': '10.19.0~dfsg-3ubuntu1.6'},
    {'osver': '20.04', 'pkgname': 'libnode64', 'pkgver': '10.19.0~dfsg-3ubuntu1.6'},
    {'osver': '20.04', 'pkgname': 'nodejs', 'pkgver': '10.19.0~dfsg-3ubuntu1.6'},
    {'osver': '22.04', 'pkgname': 'libnode-dev', 'pkgver': '12.22.9~dfsg-1ubuntu3.5'},
    {'osver': '22.04', 'pkgname': 'libnode72', 'pkgver': '12.22.9~dfsg-1ubuntu3.5'},
    {'osver': '22.04', 'pkgname': 'nodejs', 'pkgver': '12.22.9~dfsg-1ubuntu3.5'},
    {'osver': '23.10', 'pkgname': 'libnode-dev', 'pkgver': '18.13.0+dfsg1-1ubuntu2.2'},
    {'osver': '23.10', 'pkgname': 'libnode108', 'pkgver': '18.13.0+dfsg1-1ubuntu2.2'},
    {'osver': '23.10', 'pkgname': 'nodejs', 'pkgver': '18.13.0+dfsg1-1ubuntu2.2'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libnode-dev / libnode108 / libnode64 / libnode72 / nodejs / etc');
}

VendorProductVersionCPE
canonicalubuntu_linux14.04cpe:/o:canonical:ubuntu_linux:14.04:-:lts
canonicalubuntu_linux16.04cpe:/o:canonical:ubuntu_linux:16.04:-:lts
canonicalubuntu_linux18.04cpe:/o:canonical:ubuntu_linux:18.04:-:lts
canonicalubuntu_linux20.04cpe:/o:canonical:ubuntu_linux:20.04:-:lts
canonicalubuntu_linux22.04cpe:/o:canonical:ubuntu_linux:22.04:-:lts
canonicalubuntu_linux23.10cpe:/o:canonical:ubuntu_linux:23.10
canonicalubuntu_linuxlibnode-devp-cpe:/a:canonical:ubuntu_linux:libnode-dev
canonicalubuntu_linuxlibnode108p-cpe:/a:canonical:ubuntu_linux:libnode108
canonicalubuntu_linuxlibnode64p-cpe:/a:canonical:ubuntu_linux:libnode64
canonicalubuntu_linuxlibnode72p-cpe:/a:canonical:ubuntu_linux:libnode72

Vendor	Product	Version	CPE
canonical	ubuntu_linux	14.04	cpe:/o:canonical:ubuntu_linux:14.04:-:lts
canonical	ubuntu_linux	16.04	cpe:/o:canonical:ubuntu_linux:16.04:-:lts
canonical	ubuntu_linux	18.04	cpe:/o:canonical:ubuntu_linux:18.04:-:lts
canonical	ubuntu_linux	20.04	cpe:/o:canonical:ubuntu_linux:20.04:-:lts
canonical	ubuntu_linux	22.04	cpe:/o:canonical:ubuntu_linux:22.04:-:lts
canonical	ubuntu_linux	23.10	cpe:/o:canonical:ubuntu_linux:23.10
canonical	ubuntu_linux	libnode-dev	p-cpe:/a:canonical:ubuntu_linux:libnode-dev
canonical	ubuntu_linux	libnode108	p-cpe:/a:canonical:ubuntu_linux:libnode108
canonical	ubuntu_linux	libnode64	p-cpe:/a:canonical:ubuntu_linux:libnode64
canonical	ubuntu_linux	libnode72	p-cpe:/a:canonical:ubuntu_linux:libnode72