The version of AHV installed on the remote host is prior to 20220304.480. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-20220304.10013 advisory.

  - In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in     xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
    (CVE-2021-45960)

  - In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for     m_groupSize. (CVE-2021-46143)

  - addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822)

  - build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823)

  - defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
    (CVE-2022-22824)

  - lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825)

  - nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
    (CVE-2022-22826)

  - storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827)

  - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with     a nonzero XML_CONTEXT_BYTES. (CVE-2022-23852)

  - xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks     for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)

  - xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters     into namespace URIs. (CVE-2022-25236)

  - In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)

  - An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the     attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content     to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing     filenames with two or more newlines where selected content and the target file names are embedded in     crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write     arbitrary files on the system. (CVE-2022-1271)

  - http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR     and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)

  - urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as     demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this     is similar to CVE-2020-26116. (CVE-2020-26137)

  - Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to     remote code execution in certain Python applications that accept floating-point numbers as untrusted     input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used     unsafely. (CVE-2021-3177)

  - A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function     and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for     the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream     object, causing the use-after-free when the reference is still used later. (CVE-2022-2526)

  - An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary     files inside the directories of connecting peers. The server chooses which files/directories are sent to     the client. However, the rsync client performs insufficient validation of file names. A malicious rsync     server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory     and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)

  - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop     forever for non-prime moduli. Internally this function is used when parsing certificates that contain     elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point     encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has     invalid explicit curve parameters. Since certificate parsing happens prior to verification of the     certificate signature, any process that parses an externally supplied certificate may thus be subject to a     denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they     can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients     consuming server certificates - TLS servers consuming client certificates - Hosting providers taking     certificates or private keys from customers - Certificate authorities parsing certification requests from     subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that     use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS     issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate     which makes it slightly harder to trigger the infinite loop. However any operation which requires the     public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-     signed certificate to trigger the loop during verification of the certificate signature. This issue     affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the     15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected     1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)

  - An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and     source_hash URLs can gain full file system access as root on a salt minion. (CVE-2021-21996)

  - Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution     under certain microarchitecture-dependent conditions. (CVE-2022-29900)

  - Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their     retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can     hijack return instructions to achieve arbitrary speculative code execution under certain     microarchitecture-dependent conditions. (CVE-2022-29901)

  - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many     distant matches. (CVE-2018-25032)

  - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. (CVE-2022-40674)

  - By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38177)

  - By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38178)

  - A flaw was found in hw. Mis-trained branch predictions for return instructions may allow arbitrary     speculative code execution under certain microarchitecture-dependent conditions. (CVE-2022-23816)     (CVE-2022-28693)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20220304.10013)

critical Nessus Plugin ID 170654

Version 1.4