The version of nerdctl installed on the remote host is prior to 1.7.6-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2618 advisory.

    2024-08-28: CVE-2024-24790 was added to this advisory.

    A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response     body to read many more bytes from the network than are in the body. A malicious HTTP client can further     exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a     handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which     permit including additional metadata in a request or response body sent using the chunked encoding. The     net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large     metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real     body to encoded bytes grows too small. (CVE-2023-39326)

    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive     number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and     CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is     allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an     HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to     be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the     receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header     frames we will process before closing a connection. (CVE-2023-45288)

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid     JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any     value, or when the UnmarshalOptions.DiscardUnknown option is set. (CVE-2024-24786)

    The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6     addresses, returning false for addresses which would return true in their traditional IPv4 forms.
    (CVE-2024-24790)

    Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of     standards. An attacker could send a JWE containing compressed data that used large amounts of memory and     CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed     data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been     patched in versions 4.0.1, 3.0.3 and 2.6.3. (CVE-2024-28180)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2 : nerdctl (ALAS-2024-2618)

critical Nessus Plugin ID 205706

Version 1.4

Version 1.3

Version 1.2

Version 1.4 Aug 30, 2024, 7:43 AM Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202408300743
Version 1.3 Aug 29, 2024, 9:35 AM CVE (set "CVE" coverage to "CVE-2023-39326,CVE-2023-45288,CVE-2024-24786,CVE-2024-24790,CVE-2024-28180") CVSS metrics ("CVSSv2 score" set to 10.0) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C") CVSS metrics ("CVSSv3 score" set to 9.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 score source (changed from "CVE-2023-39326" to "CVE-2024-24790") CVSSv2 severity (based on CVE-2024-24790, severity increased from "Medium" to "High") CVSSv2 severity (based on None, severity decreased from "High" to "Low") CVSSv3 severity (based on None, severity increased from "Medium" to "High") Exploit attributes ("Exploitability ease" changed from "Exploits are available" to "No known exploits are available") Plugin metadata Plugin Feed: 202408290935
Version 1.2 Aug 19, 2024, 10:05 AM Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202408191005