7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.3 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
40.3%
The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6735-1 advisory.
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20 (CVE-2023-30589)
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: Generates private and public Diffie-Hellman key values. The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application- level security, implications are consequently broad. (CVE-2023-30590)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6735-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(193361);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/16");
script_cve_id("CVE-2023-30588", "CVE-2023-30589", "CVE-2023-30590");
script_xref(name:"USN", value:"6735-1");
script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 : Node.js vulnerabilities (USN-6735-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are
affected by multiple vulnerabilities as referenced in the USN-6735-1 advisory.
- When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a
non-expect termination occurs making it susceptible to DoS attacks when the attacker could force
interruptions of application processing, as the process terminates when accessing public key info of
provided certificates from user code. The current context of the users will be gone, and that will cause a
DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. (CVE-2023-30588)
- The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit
HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient
to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence
should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
(CVE-2023-30589)
- The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or
outdated) keys, that is, it only generates a private key if none has been set yet, but the function is
also needed to compute the corresponding public key after calling setPrivateKey(). However, the
documentation says this API call: Generates private and public Diffie-Hellman key values. The documented
behavior is very different from the actual behavior, and this difference could easily lead to security
issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-
level security, implications are consequently broad. (CVE-2023-30590)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6735-1");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-30590");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/20");
script_set_attribute(attribute:"patch_publication_date", value:"2024/04/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.10");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnode-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnode108");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnode64");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnode72");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs-legacy");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release || '16.04' >< os_release || '18.04' >< os_release || '20.04' >< os_release || '22.04' >< os_release || '23.10' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04 / 16.04 / 18.04 / 20.04 / 22.04 / 23.10', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var pkgs = [
{'osver': '14.04', 'pkgname': 'nodejs', 'pkgver': '0.10.25~dfsg2-2ubuntu1.2+esm2'},
{'osver': '14.04', 'pkgname': 'nodejs-dev', 'pkgver': '0.10.25~dfsg2-2ubuntu1.2+esm2'},
{'osver': '14.04', 'pkgname': 'nodejs-legacy', 'pkgver': '0.10.25~dfsg2-2ubuntu1.2+esm2'},
{'osver': '16.04', 'pkgname': 'nodejs', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm3'},
{'osver': '16.04', 'pkgname': 'nodejs-dev', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm3'},
{'osver': '16.04', 'pkgname': 'nodejs-legacy', 'pkgver': '4.2.6~dfsg-1ubuntu4.2+esm3'},
{'osver': '18.04', 'pkgname': 'nodejs', 'pkgver': '8.10.0~dfsg-2ubuntu0.4+esm5'},
{'osver': '18.04', 'pkgname': 'nodejs-dev', 'pkgver': '8.10.0~dfsg-2ubuntu0.4+esm5'},
{'osver': '20.04', 'pkgname': 'libnode-dev', 'pkgver': '10.19.0~dfsg-3ubuntu1.6'},
{'osver': '20.04', 'pkgname': 'libnode64', 'pkgver': '10.19.0~dfsg-3ubuntu1.6'},
{'osver': '20.04', 'pkgname': 'nodejs', 'pkgver': '10.19.0~dfsg-3ubuntu1.6'},
{'osver': '22.04', 'pkgname': 'libnode-dev', 'pkgver': '12.22.9~dfsg-1ubuntu3.5'},
{'osver': '22.04', 'pkgname': 'libnode72', 'pkgver': '12.22.9~dfsg-1ubuntu3.5'},
{'osver': '22.04', 'pkgname': 'nodejs', 'pkgver': '12.22.9~dfsg-1ubuntu3.5'},
{'osver': '23.10', 'pkgname': 'libnode-dev', 'pkgver': '18.13.0+dfsg1-1ubuntu2.2'},
{'osver': '23.10', 'pkgname': 'libnode108', 'pkgver': '18.13.0+dfsg1-1ubuntu2.2'},
{'osver': '23.10', 'pkgname': 'nodejs', 'pkgver': '18.13.0+dfsg1-1ubuntu2.2'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var osver = NULL;
var pkgname = NULL;
var pkgver = NULL;
if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
if (osver && pkgname && pkgver) {
if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
var tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libnode-dev / libnode108 / libnode64 / libnode72 / nodejs / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
canonical | ubuntu_linux | 16.04 | cpe:/o:canonical:ubuntu_linux:16.04:-:lts |
canonical | ubuntu_linux | 18.04 | cpe:/o:canonical:ubuntu_linux:18.04:-:lts |
canonical | ubuntu_linux | 20.04 | cpe:/o:canonical:ubuntu_linux:20.04:-:lts |
canonical | ubuntu_linux | 22.04 | cpe:/o:canonical:ubuntu_linux:22.04:-:lts |
canonical | ubuntu_linux | 23.10 | cpe:/o:canonical:ubuntu_linux:23.10 |
canonical | ubuntu_linux | libnode-dev | p-cpe:/a:canonical:ubuntu_linux:libnode-dev |
canonical | ubuntu_linux | libnode108 | p-cpe:/a:canonical:ubuntu_linux:libnode108 |
canonical | ubuntu_linux | libnode64 | p-cpe:/a:canonical:ubuntu_linux:libnode64 |
canonical | ubuntu_linux | libnode72 | p-cpe:/a:canonical:ubuntu_linux:libnode72 |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.3 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
40.3%