The version of AOS installed on the remote host is prior to 6.5.5.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.5.5.5 advisory.

  - An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x     before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If     a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly,     there is a brief window where the SSLSocket instance will detect the socket as not connected and won't     initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not     be authenticated if the server-side TLS peer is expecting client certificate authentication, and is     indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the     buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path     requires that the connection be closed on initialization of the SSLSocket.) (CVE-2023-40217)

  - An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur     11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently     printed documents. (CVE-2023-32360)

  - VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted     Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-     security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate     their privileges if that target virtual machine has been assigned a more privileged Guest Alias     https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-     db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . (CVE-2023-34058)

  - open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious     actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to     simulate user inputs. (CVE-2023-34059)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle     GraalVM Enterprise Edition: 20.3.11 and 21.3.7. Easily exploitable vulnerability allows unauthenticated     attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to     some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can     only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web     Start applications or Untrusted Java applets, such as through a web service. (CVE-2023-22067)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381,     8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition:
    20.3.11, 21.3.7 and 22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network     access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
    Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of     service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note:
    This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java     deployments, typically in servers, that load and run only trusted code (e.g., code installed by an     administrator). (CVE-2023-22081)

  - A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-     vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine     may be able to elevate their privileges if that target virtual machine has been assigned a more privileged     Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-     public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-     db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . (CVE-2023-20900)

  - An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to     potentially access sensitive information. (CVE-2023-20593)

  - An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7.
    It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets.
    This may result in denial of service or privilege escalation. (CVE-2023-35788)

  - The code that processes control channel messages sent to `named` calls certain functions recursively     during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on     the environment, this may cause the packet-parsing code to run out of available stack memory, causing     `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its     contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key;
    only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9     versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through     9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. (CVE-2023-3341)

  - Information exposure through microarchitectural state after transient execution in certain vector     execution units for some Intel(R) Processors may allow an authenticated user to potentially enable     information disclosure via local access. (CVE-2022-40982)

  - An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited     to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-     of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend     upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to     achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an     error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can     control the reference counter and set it to zero, they can cause the reference to be freed, leading to a     use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
    (CVE-2023-3776)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to     achieve local privilege escalation. When route4_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
    (CVE-2023-4206)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to     achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result     struct is always copied into the new instance of the filter. This causes a problem when updating a filter     bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path,     decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-     free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. When u32_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
    (CVE-2023-4208)

  - In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests     can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users     can obtain root privileges. This occurs because anonymous sets are mishandled. (CVE-2023-32233)

  - Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register     contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return     an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can     control the reference counter and set it to zero, they can cause the reference to be freed, leading to a     use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
    (CVE-2023-3609)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of     Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371,     8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle     GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise     Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read     access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible     data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a     web service which supplies data to the APIs. This vulnerability also applies to Java deployments,     typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load     and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for     security. (CVE-2023-22045)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of     Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371,     8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle     GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise     Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle     GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified     Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to     Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java     applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java     sandbox for security. (CVE-2023-22049)

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

  - A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all     protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
    When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct     after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.5.5.5)

high Nessus Plugin ID 190796

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Nov 20, 2024, 2:56 PM CVSS metrics ("Cvssv4 score" set to 9.3) CVSS metrics ("Cvssv4 threat vector" set to "CVSS:4.0/E:A") CVSS metrics ("Cvssv4 vector" set to "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N") Plugin metadata Plugin Feed: 202411201456
Version 1.2 Mar 5, 2024, 1:15 AM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C") Exploit attributes ("Exploited by malware" set to "True") Plugin Feed: 202403050115
Version 1.1 Feb 21, 2024, 4:36 PM Exploit attributes ("Exploit framework core" set to "True") Plugin Feed: 202402211636
Version 1.0 Feb 20, 2024, 7:41 PM New Plugin Feed: 202402201941