Use after free in tcpslice triggers AddressSanitizer, no other confirmed impact.

The version of AHV installed on the remote host is prior to 20220304.480. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-20230302.2024 advisory.

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. (CVE-2022-48624)

  - libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are     required in the case of a large token for which multiple buffer fills are needed. (CVE-2023-52425)

  - An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might     erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the     `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request     which used that callback. This flaw may surprise the application and cause it to misbehave and either send     off the wrong data or use memory after free or similar in the second transfer. The problem exists in the     logic for a reused handle when it is (expected to be) changed from a PUT to a POST. (CVE-2023-28322)

  - This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the     specific series of conditions are met. libcurl performs transfers. In its API, an application creates     easy handles that are the individual handles for single transfers. libcurl provides a function call that     duplicates en easy handle called     [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies     enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the     actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned     version of the handle would instead store the file name as `none` (using the four ASCII letters, no     quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from     would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in     the current directory of the program using libcurl. And if using the correct file format of course.
    (CVE-2023-38546)

  - CVE-2023-38546 is a cookie injection vulnerability in the curl_easy_duphandle(), a function in libcurl     that duplicates easy handles.  When duplicating an easy handle, if cookies are enabled, the duplicated     easy handle will not duplicate the cookies themselves, but would instead set the filename to none.'     Therefore, when the duplicated easy handle is subsequently used, if a source was not set for the cookies,     libcurl would attempt to load them from the file named none' on the disk.  This vulnerability is rated     low, as the various conditions required for exploitation are unlikely.  (CVE-2023-38546)

  - This flaw allows a malicious HTTP server to set super cookies in curl that are then passed back to more     origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get     sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in     curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a     cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though     `co.uk` is listed as a PSL domain. (CVE-2023-46218)

  - libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c.
    (CVE-2020-28241)

  - Multiple NSS NIST curves were susceptible to a side-channel attack known as Minerva. This attack could     potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.
    (CVE-2023-6135)

  - Use after free in tcpslice triggers AddressSanitizer, no other confirmed impact. (CVE-2021-41043)

  - The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other     products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the     extension negotiation message), and a client and server may consequently end up with a connection for     which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because     the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and     mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of     ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and     (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API     before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80,     AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0,     Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15,     SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH     through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang     XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd     through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and     LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3,     Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server     before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the     mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh     crate before 0.40.2 for Rust. (CVE-2023-48795)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AHV installed on the remote host is prior to 20220304.480. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-20230302.100187 advisory.

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. (CVE-2022-48624)

  - libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are     required in the case of a large token for which multiple buffer fills are needed. (CVE-2023-52425)

  - An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might     erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the     `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request     which used that callback. This flaw may surprise the application and cause it to misbehave and either send     off the wrong data or use memory after free or similar in the second transfer. The problem exists in the     logic for a reused handle when it is (expected to be) changed from a PUT to a POST. (CVE-2023-28322)

  - This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the     specific series of conditions are met. libcurl performs transfers. In its API, an application creates     easy handles that are the individual handles for single transfers. libcurl provides a function call that     duplicates en easy handle called     [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies     enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the     actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned     version of the handle would instead store the file name as `none` (using the four ASCII letters, no     quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from     would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in     the current directory of the program using libcurl. And if using the correct file format of course.
    (CVE-2023-38546)

  - CVE-2023-38546 is a cookie injection vulnerability in the curl_easy_duphandle(), a function in libcurl     that duplicates easy handles.  When duplicating an easy handle, if cookies are enabled, the duplicated     easy handle will not duplicate the cookies themselves, but would instead set the filename to none.'     Therefore, when the duplicated easy handle is subsequently used, if a source was not set for the cookies,     libcurl would attempt to load them from the file named none' on the disk.  This vulnerability is rated     low, as the various conditions required for exploitation are unlikely.  (CVE-2023-38546)

  - This flaw allows a malicious HTTP server to set super cookies in curl that are then passed back to more     origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get     sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in     curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a     cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though     `co.uk` is listed as a PSL domain. (CVE-2023-46218)

  - libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c.
    (CVE-2020-28241)

  - Multiple NSS NIST curves were susceptible to a side-channel attack known as Minerva. This attack could     potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.
    (CVE-2023-6135)

  - Use after free in tcpslice triggers AddressSanitizer, no other confirmed impact. (CVE-2021-41043)

  - The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to     it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to     crash an application or overwrite a neighbouring variable. (CVE-2024-2961)

  - A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits     deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such     as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size     from 513 to 512 bits, exposing a potential timing side-channel. (CVE-2024-28834)

  - A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside     the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to     port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to     manipulate a running instance, potentially altering forwarders, allowing them to track all queries     forwarded by the local resolver, and, in some cases, disrupting resolving altogether. (CVE-2024-1488)

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The remote Oracle Linux 9 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2024-2211 advisory.

    [14:4.99.0-9]
    - Resolves: RHEL-21558 - tcpslice: use-after-free in extract_slice()

    [14:4.99.0-8]
    - Resolves: RHEL-10714 - Fix PGM option printing

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:2211 advisory.

    The tcpdump packages contain the tcpdump utility for monitoring network traffic. The tcpdump utility can     capture and display the packet headers on a particular network interface or on all interfaces.

    Security Fix(es):

    * tcpslice: use-after-free in extract_slice() (CVE-2021-41043)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2024:0769 advisory.

  - Use after free in tcpslice triggers AddressSanitizer, no other confirmed impact. (CVE-2021-41043)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:1090 advisory.

    The tcpdump packages contain the tcpdump utility for monitoring network traffic. The tcpdump utility can     capture and display the packet headers on a particular network interface or on all interfaces.

    Security Fix(es):

    * tcpslice: use-after-free in extract_slice() (CVE-2021-41043)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2024-0769 advisory.

    [14:4.9.3-3.1]
    - tcpslice: use-after-free in extract_slice() (CVE-2021-41043)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2024:0769 advisory.

  - Use after free in tcpslice triggers AddressSanitizer, no other confirmed impact. (CVE-2021-41043)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:0769 advisory.

    The tcpdump packages contain the tcpdump utility for monitoring network traffic. The tcpdump utility can     capture and display the packet headers on a particular network interface or on all interfaces.

    Security Fix(es):

    * tcpslice: use-after-free in extract_slice() (CVE-2021-41043)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:0571 advisory.

    The tcpdump packages contain the tcpdump utility for monitoring network traffic. The tcpdump utility can     capture and display the packet headers on a particular network interface or on all interfaces.

    Security Fix(es):

    * tcpslice: use-after-free in extract_slice() (CVE-2021-41043)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:0410 advisory.

    The tcpdump packages contain the tcpdump utility for monitoring network traffic. The tcpdump utility can     capture and display the packet headers on a particular network interface or on all interfaces.

    Security Fix(es):

    * tcpslice: use-after-free in extract_slice() (CVE-2021-41043)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 61f416ff-aa00-11ec-b439-000d3a450398 advisory.

  - Use after free in tcpslice triggers AddressSanitizer, no other confirmed impact. (CVE-2021-41043)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
206824	Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20230302.101026)	Nessus	Misc.	critical
206822	Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20230302.2024)	Nessus	Misc.	critical
206821	Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20230302.100187)	Nessus	Misc.	critical
196091	RHEL 6 : tcpslice (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	medium
196006	RHEL 7 : tcpslice (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	medium
195059	Oracle Linux 9 : tcpdump (ELSA-2024-2211)	Nessus	Oracle Linux Local Security Checks	medium
194766	RHEL 9 : tcpdump (RHSA-2024:2211)	Nessus	Red Hat Local Security Checks	medium
191919	Rocky Linux 8 : tcpdump (RLSA-2024:0769)	Nessus	Rocky Linux Local Security Checks	medium
191546	RHEL 9 : tcpdump (RHSA-2024:1090)	Nessus	Red Hat Local Security Checks	medium
190504	Oracle Linux 8 : tcpdump (ELSA-2024-0769)	Nessus	Oracle Linux Local Security Checks	medium
190413	AlmaLinux 8 : tcpdump (ALSA-2024:0769)	Nessus	Alma Linux Local Security Checks	medium
190400	RHEL 8 : tcpdump (RHSA-2024:0769)	Nessus	Red Hat Local Security Checks	medium
189788	RHEL 8 : tcpdump (RHSA-2024:0571)	Nessus	Red Hat Local Security Checks	medium
189569	RHEL 8 : tcpdump (RHSA-2024:0410)	Nessus	Red Hat Local Security Checks	medium
184460	FreeBSD : tcpslice -- heap-based use-after-free in extract_slice() (61f416ff-aa00-11ec-b439-000d3a450398)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2021-41043

medium

Tenable Plugins

critical

critical

critical

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium