Tenable SecurityCenter <= 5.23.1 Multiple Vulnerabilities (TNS-2023-08)

critical Nessus Plugin ID 172139

Synopsis

An application installed on the remote host is affected by multiple vulnerabilities.

Description

According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is running a version between 5.21.0 and 5.23.1 and is therefore affected by multiple vulnerabilities in OpenSSL prior to version 1.1.1t:

- A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. (CVE-2022-4304)

- Vulnerability in the Enterprise Manager Ops Center product of Oracle Enterprise Manager (component: Networking (OpenSSL)). The supported version that is affected is 12.4.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Enterprise Manager Ops Center. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Ops Center. (CVE-2022-1292)

- The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the name, any header data and the payload data. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The OpenSSL asn1parse command line application is also impacted by this issue. (CVE-2022-4450)

- The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. (CVE-2023-0215)

Solution

Apply the security patch referenced in the vendor advisory.

See Also

https://www.tenable.com/security/tns-2023-08

http://www.nessus.org/u?a45cd398

Plugin Details

Severity: Critical

ID: 172139

File Name: securitycenter_5_23_1_tns_2023_08.nasl

Version: 1.7

Type: combined

Agent: unix

Family: Misc.

Published: 3/6/2023

Updated: 5/10/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-2068

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:tenable:securitycenter

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/1/2023

Vulnerability Publication Date: 2/8/2023

Reference Information

CVE: CVE-2022-1292, CVE-2022-2068, CVE-2022-2097, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215