Vulnerabilities > CVE-2020-1967 - NULL Pointer Dereference vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH

Summary

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).

Vulnerable Configurations

Part Description Count
Application
Openssl
3
Application
Oracle
685
Application
Netapp
14
Application
Jdedwards
2
Application
Tenable
5
OS
Debian
2
OS
Freebsd
1
OS
Fedoraproject
3
OS
Broadcom
1
OS
Opensuse
2

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_E84831158B8E11EABDCF001B217B3468.NASL
    descriptionGitlab reports : Path Traversal in NuGet Package Registry Workhorse Bypass Leads to File Disclosure OAuth Application Client Secrets Revealed Code Owners Approval Rules Are Not Updated for Existing Merge Requests When Source Branch Changes Code Owners Protection Not Enforced from Web UI Repository Mirror Passwords Exposed To Maintainers Admin Audit Log Page Denial of Service Private Project ID Revealed Through Group API Elasticsearch Credentials Logged to ELK GitHub Personal Access Token Exposed on Integrations Page Update Nokogiri dependency Update OpenSSL Dependency Update git
    last seen2020-05-15
    modified2020-05-04
    plugin id136304
    published2020-05-04
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136304
    titleFreeBSD : Gitlab -- Multiple Vulnerabilities (e8483115-8b8e-11ea-bdcf-001b217b3468)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2020 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136304);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");
    
      script_cve_id("CVE-2020-10187", "CVE-2020-11008", "CVE-2020-12448", "CVE-2020-1967", "CVE-2020-7595");
      script_xref(name:"IAVA", value:"2020-A-0186");
    
      script_name(english:"FreeBSD : Gitlab -- Multiple Vulnerabilities (e8483115-8b8e-11ea-bdcf-001b217b3468)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Gitlab reports :
    
    Path Traversal in NuGet Package Registry
    
    Workhorse Bypass Leads to File Disclosure
    
    OAuth Application Client Secrets Revealed
    
    Code Owners Approval Rules Are Not Updated for Existing Merge Requests
    When Source Branch Changes
    
    Code Owners Protection Not Enforced from Web UI
    
    Repository Mirror Passwords Exposed To Maintainers
    
    Admin Audit Log Page Denial of Service
    
    Private Project ID Revealed Through Group API
    
    Elasticsearch Credentials Logged to ELK
    
    GitHub Personal Access Token Exposed on Integrations Page
    
    Update Nokogiri dependency
    
    Update OpenSSL Dependency
    
    Update git"
      );
      # https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?dac5e06d"
      );
      # https://vuxml.freebsd.org/freebsd/e8483115-8b8e-11ea-bdcf-001b217b3468.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a57444f0"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12448");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:gitlab-ce");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"gitlab-ce>=12.10.0<12.10.2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"gitlab-ce>=12.9.0<12.9.5")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"gitlab-ce>=8.4.0<12.8.10")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-202004-10.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-202004-10 (OpenSSL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could perform a malicious crafted TLS 1.3 handshake against an application using OpenSSL, possibly resulting in a Denial of Service condition. In addition, it&rsquo;s feasible that an attacker might attack DH512. Workaround : There is no known workaround at this time.
    last seen2020-05-09
    modified2020-04-24
    plugin id135946
    published2020-04-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135946
    titleGLSA-202004-10 : OpenSSL: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 202004-10.
    #
    # The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135946);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");
    
      script_cve_id("CVE-2019-1551", "CVE-2020-1967");
      script_xref(name:"GLSA", value:"202004-10");
      script_xref(name:"IAVA", value:"2020-A-0186");
    
      script_name(english:"GLSA-202004-10 : OpenSSL: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-202004-10
    (OpenSSL: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in OpenSSL. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker could perform a malicious crafted TLS 1.3 handshake
          against an application using OpenSSL, possibly resulting in a Denial of
          Service condition.
        In addition, it&rsquo;s feasible that an attacker might attack DH512.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/202004-10"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All OpenSSL users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=dev-libs/openssl-1.1.1g'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/24");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-libs/openssl", unaffected:make_list("ge 1.1.1g"), vulnerable:make_list("lt 1.1.1g"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenSSL");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_012809CE83F311EA92AB00163E433440.NASL
    descriptionServer or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the
    last seen2020-05-09
    modified2020-04-22
    plugin id135880
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135880
    titleFreeBSD : OpenSSL remote denial of service vulnerability (012809ce-83f3-11ea-92ab-00163e433440)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2020 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135880);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");
    
      script_cve_id("CVE-2020-1967");
      script_xref(name:"FreeBSD", value:"SA-20:11.openssl");
      script_xref(name:"IAVA", value:"2020-A-0186");
    
      script_name(english:"FreeBSD : OpenSSL remote denial of service vulnerability (012809ce-83f3-11ea-92ab-00163e433440)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Server or client applications that call the SSL_check_chain() function
    during or after a TLS 1.3 handshake may crash due to a NULL pointer
    dereference as a result of incorrect handling of the
    'signature_algorithms_cert' TLS extension. The crash occurs if an
    invalid or unrecognized signature algorithm is received from the peer.
    Impact : A malicious peer could exploit the NULL pointer dereference
    crash, causing a denial of service attack."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.openssl.org/news/secadv/20200421.txt"
      );
      # https://vuxml.freebsd.org/freebsd/012809ce-83f3-11ea-92ab-00163e433440.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8ba68bae"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1967");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:openssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/22");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"openssl>=1.1.1,1<1.1.1g,1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyWeb Servers
    NASL idOPENSSL_1_1_1G.NASL
    descriptionThe version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 1.1.1g advisory. - Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the signature_algorithms_cert TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f). (CVE-2020-1967) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-05-09
    modified2020-04-23
    plugin id135919
    published2020-04-23
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135919
    titleOpenSSL 1.1.1 < 1.1.1g Vulnerability
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135919);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");
    
      script_cve_id("CVE-2020-1967");
      script_xref(name:"IAVA", value:"2020-A-0186");
    
      script_name(english:"OpenSSL 1.1.1 < 1.1.1g Vulnerability");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote service is affected by a vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a
    vulnerability as referenced in the 1.1.1g advisory.
    
      - Server or client applications that call the
        SSL_check_chain() function during or after a TLS 1.3
        handshake may crash due to a NULL pointer dereference as
        a result of incorrect handling of the
        signature_algorithms_cert TLS extension. The crash
        occurs if an invalid or unrecognised signature algorithm
        is received from the peer. This could be exploited by a
        malicious peer in a Denial of Service attack. OpenSSL
        version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this
        issue. This issue did not affect OpenSSL versions prior
        to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected
        1.1.1d-1.1.1f). (CVE-2020-1967)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      # https://github.com/openssl/openssl/commit/eb563247aef3e83dda7679c43f9649270462e5b1
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5929f842");
      script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20200421.txt");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to OpenSSL version 1.1.1g or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1967");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/23");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("openssl_version.nasl");
      script_require_keys("openssl/port");
    
      exit(0);
    }
    
    include("openssl_version.inc");
    
    openssl_check_version(fixed:"1.1.1g", min:"1.1.1d", severity:SECURITY_WARNING);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4661.NASL
    descriptionBernd Edlinger discovered that malformed data passed to the SSL_check_chain() function during or after a TLS 1.3 handshake could cause a NULL dereference, resulting in denial of service. The oldstable distribution (stretch) is not affected.
    last seen2020-05-09
    modified2020-04-22
    plugin id135879
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135879
    titleDebian DSA-4661-1 : openssl - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4661. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135879);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");
    
      script_cve_id("CVE-2020-1967");
      script_xref(name:"DSA", value:"4661");
      script_xref(name:"IAVA", value:"2020-A-0186");
    
      script_name(english:"Debian DSA-4661-1 : openssl - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Bernd Edlinger discovered that malformed data passed to the
    SSL_check_chain() function during or after a TLS 1.3 handshake could
    cause a NULL dereference, resulting in denial of service.
    
    The oldstable distribution (stretch) is not affected."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/openssl"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/buster/openssl"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2020/dsa-4661"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the openssl packages.
    
    For the stable distribution (buster), this problem has been fixed in
    version 1.1.1d-0+deb10u3."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1967");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/22");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"10.0", prefix:"libcrypto1.1-udeb", reference:"1.1.1d-0+deb10u3")) flag++;
    if (deb_check(release:"10.0", prefix:"libssl-dev", reference:"1.1.1d-0+deb10u3")) flag++;
    if (deb_check(release:"10.0", prefix:"libssl-doc", reference:"1.1.1d-0+deb10u3")) flag++;
    if (deb_check(release:"10.0", prefix:"libssl1.1", reference:"1.1.1d-0+deb10u3")) flag++;
    if (deb_check(release:"10.0", prefix:"libssl1.1-udeb", reference:"1.1.1d-0+deb10u3")) flag++;
    if (deb_check(release:"10.0", prefix:"openssl", reference:"1.1.1d-0+deb10u3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-3_0-0082_NXTGN.NASL
    descriptionAn update of the nxtgn package has been released.
    last seen2020-05-09
    modified2020-04-22
    plugin id135873
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135873
    titlePhoton OS 3.0: Nxtgn PHSA-2020-3.0-0082
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2020-3.0-0082. The text
    # itself is copyright (C) VMware, Inc.
    
    
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135873);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");
    
      script_cve_id("CVE-2020-1967");
      script_xref(name:"IAVA", value:"2020-A-0186");
    
      script_name(english:"Photon OS 3.0: Nxtgn PHSA-2020-3.0-0082");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the nxtgn package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-3.0-82.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1967");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/22");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:nxtgn");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:3.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 3\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 3.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"nxtgn-openssl-1.1.1d-3.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"nxtgn-openssl-c_rehash-1.1.1d-3.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"nxtgn-openssl-debuginfo-1.1.1d-3.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"nxtgn-openssl-devel-1.1.1d-3.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"nxtgn-openssl-perl-1.1.1d-3.ph3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nxtgn");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2020-D7B29838F6.NASL
    descriptionUpdate to version 1.1.1g from upstream fixing possible remote DoS security issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-15
    modified2020-05-11
    plugin id136439
    published2020-05-11
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136439
    titleFedora 31 : 1:openssl (2020-d7b29838f6)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2020-d7b29838f6.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136439);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");
    
      script_cve_id("CVE-2019-1551", "CVE-2020-1967");
      script_xref(name:"FEDORA", value:"2020-d7b29838f6");
      script_xref(name:"IAVA", value:"2020-A-0186");
    
      script_name(english:"Fedora 31 : 1:openssl (2020-d7b29838f6)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to version 1.1.1g from upstream fixing possible remote DoS
    security issue.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2020-d7b29838f6"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 1:openssl package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1551");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:openssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC31", reference:"openssl-1.1.1g-1.fc31", epoch:"1")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:openssl");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1613.NASL
    descriptionAccording to the version of the openssl111d packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the
    last seen2020-06-06
    modified2020-06-02
    plugin id137031
    published2020-06-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137031
    titleEulerOS 2.0 SP5 : openssl111d (EulerOS-SA-2020-1613)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-1058-1.NASL
    descriptionThis update for openssl-1_1 fixes the following issues : CVE-2020-1967: Fixed a denial of service via NULL pointer dereference in SSL_check_chain (bsc#1169407). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-09
    modified2020-04-22
    plugin id135893
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135893
    titleSUSE SLES12 Security Update : openssl-1_1 (SUSE-SU-2020:1058-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2020-DA2D1EF2D7.NASL
    descriptionUpdate to version 1.1.1g from upstream fixing possible remote DoS security issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-09
    modified2020-04-30
    plugin id136155
    published2020-04-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136155
    titleFedora 30 : 1:openssl (2020-da2d1ef2d7)

References