The version of AHV installed on the remote host is prior to 20220304.480. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-20230302.207 advisory.

  - In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in     xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
    (CVE-2021-45960)

  - In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for     m_groupSize. (CVE-2021-46143)

  - addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822)

  - build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823)

  - defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
    (CVE-2022-22824)

  - lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825)

  - nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
    (CVE-2022-22826)

  - storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827)

  - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with     a nonzero XML_CONTEXT_BYTES. (CVE-2022-23852)

  - xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks     for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)

  - xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters     into namespace URIs. (CVE-2022-25236)

  - In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)

  - An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the     attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content     to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing     filenames with two or more newlines where selected content and the target file names are embedded in     crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write     arbitrary files on the system. (CVE-2022-1271)

  - http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR     and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)

  - urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as     demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this     is similar to CVE-2020-26116. (CVE-2020-26137)

  - Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to     remote code execution in certain Python applications that accept floating-point numbers as untrusted     input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used     unsafely. (CVE-2021-3177)

  - An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary     files inside the directories of connecting peers. The server chooses which files/directories are sent to     the client. However, the rsync client performs insufficient validation of file names. A malicious rsync     server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory     and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)

  - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop     forever for non-prime moduli. Internally this function is used when parsing certificates that contain     elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point     encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has     invalid explicit curve parameters. Since certificate parsing happens prior to verification of the     certificate signature, any process that parses an externally supplied certificate may thus be subject to a     denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they     can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients     consuming server certificates - TLS servers consuming client certificates - Hosting providers taking     certificates or private keys from customers - Certificate authorities parsing certification requests from     subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that     use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS     issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate     which makes it slightly harder to trigger the infinite loop. However any operation which requires the     public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-     signed certificate to trigger the loop during verification of the certificate signature. This issue     affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the     15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected     1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)

  - An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and     source_hash URLs can gain full file system access as root on a salt minion. (CVE-2021-21996)

  - Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution     under certain microarchitecture-dependent conditions. (CVE-2022-29900)

  - Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their     retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can     hijack return instructions to achieve arbitrary speculative code execution under certain     microarchitecture-dependent conditions. (CVE-2022-29901)

  - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many     distant matches. (CVE-2018-25032)

  - A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function     and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for     the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream     object, causing the use-after-free when the reference is still used later. (CVE-2022-2526)

  - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. (CVE-2022-40674)

  - By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38177)

  - By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38178)

  - Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11,     5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server     for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J     through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using     a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to     recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown     vectors. (CVE-2008-5161)

  - Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of     service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of     Service (ReDoS) in package_index.py. (CVE-2022-40897)

  - Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.
    (CVE-2022-47629)

  - GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a     conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs     in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.
    (CVE-2022-48303)

  - An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the     chained HTTP compression algorithms, meaning that a server response can be compressed multiple times and     potentially with differentalgorithms. The number of acceptable links in this decompression chain     wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a     virtually unlimited number of compression steps simply byusing many headers. The use of such a     decompression chain could result in a malloc bomb, making curl end up spending enormous amounts of     allocated heap memory, or trying to and returning out of memory errors. (CVE-2023-23916)

  - A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient     to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful     decryption an attacker would have to be able to send a very large number of trial messages for decryption.
    The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS     connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An     attacker that had observed a genuine connection between a client and a server could use this flaw to send     trial messages to the server and record the time taken to process them. After a sufficiently large number     of messages the attacker could recover the pre-master secret used for the original connection and thus be     able to decrypt the application data sent over that connection. (CVE-2022-4304)

  - The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the name (e.g.
    CERTIFICATE), any header data and the payload data. If the function succeeds then the name_out,     header and data arguments are populated with pointers to buffers containing the relevant decoded data.
    The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results     in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate     the header argument with a pointer to a buffer that has already been freed. If the caller also frees this     buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an     attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service     attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and     therefore these functions are also directly affected. These functions are also called indirectly by a     number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file()     which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the     caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations     include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL     asn1parse command line application is also impacted by this issue. (CVE-2022-4450)

  - The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is     primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may     also be called directly by end user applications. The function receives a BIO from the caller, prepends a     new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the     BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid,     the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this     case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal     pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then     a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the     internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call     BIO_pop() on the BIO. This internal function is in turn called by the public API functions     PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1,     SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include     i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL     cms and smime command line applications are similarly affected. (CVE-2023-0215)

  - There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName.
    X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME     incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently     interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL     checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may     allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or     enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate     chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these     inputs, the other input must already contain an X.400 address as a CRL distribution point, which is     uncommon. As such, this vulnerability is most likely to only affect applications which have implemented     their own functionality for retrieving CRLs over a network. (CVE-2023-0286)

  - A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when     using int(text), a system could take 50ms to parse an int string with 100,000 digits and 5s for     1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not     affected). The highest threat from this vulnerability is to system availability. (CVE-2020-10735)

  - Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection     against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is     disputed by a third party because the http.server.html documentation page states Warning: http.server is     not recommended for production. It only implements basic security checks. (CVE-2021-28861)

  - An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path     when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name     being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by     remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger     excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname.
    For example, the attack payload could be placed in the Location header of an HTTP response with status     code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. (CVE-2022-45061)

  - A vulnerability was found in systemd. This security flaw can cause a local information leak due to     systemd-coredump not respecting the fs.suid_dumpable kernel setting. (CVE-2022-4415)

  - A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This     side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a     Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large     amount of specially crafted messages to the vulnerable server. By recovering the secret from the     ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that     connection. (CVE-2023-0361)

  - A flaw was found in hw. Mis-trained branch predictions for return instructions may allow arbitrary     speculative code execution under certain microarchitecture-dependent conditions. (CVE-2022-23816)     (CVE-2022-28693)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20230302.207)

critical Nessus Plugin ID 180469

Version 1.4

Version 1.3

Version 1.2

Version 1.2

Version 1.1

Version 1.0

Version 1.4 Jun 7, 2024, 12:28 PM IAVM reference STIG Severity Plugin Feed: 202406071228
Version 1.3 Feb 21, 2024, 1:18 AM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Detection (updated detection logic) Plugin metadata Plugin Feed: 202402210118
Version 1.2 Oct 27, 2023, 4:19 PM Detection Plugin Feed: 202310271619
Version 1.2 Feb 20, 2024, 11:27 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Detection (updated detection logic) Plugin metadata Plugin Feed: 202402202327
Version 1.1 Oct 19, 2023, 8:16 PM Detection Plugin Feed: 202310192016
Version 1.0 Sep 4, 2023, 8:09 PM New Plugin Feed: 202309042009