The version of AHV installed on the remote host is prior to 20220304.480. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-20230302.102001 advisory.

  - An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When     parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant     remote code execution are possible because there are no restrictions on the classes that can be restored.
    (When loading the documentation cache, object injection and resultant remote code execution are also     possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed     version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed     version is rdoc 6.5.1.1. (CVE-2024-27281)

  - An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7,     3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks     during cleanup of permissions-related errors. This means users which can run privileged programs are     potentially able to modify permissions of files referenced by symlinks in some circumstances.
    (CVE-2023-6597)

  - An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and     3.8.18 and prior. The zipfile module is vulnerable to quoted-overlap zip-bombs which exploit the zip     format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile     module reject zip archives which overlap entries in the archive. (CVE-2024-0450)

  - linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login     process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY. (CVE-2024-22365)

  - squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is     then used by unsquashfs to create the new file during the unsquash. The filename is not validated for     traversal outside of the destination directory, and thus allows writing to locations outside of the     destination. (CVE-2021-40153)

  - squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different     vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link     and then contents under the same filename in a filesystem can cause unsquashfs to first create the     symbolic link pointing outside the expected directory, and then the subsequent write operation will cause     the unsquashfs process to write through the symbolic link elsewhere in the filesystem. (CVE-2021-41072)

  - nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size     cache is exhausted by client requests then a subsequent client request for netgroup data may result in a     stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This     vulnerability is only present in the nscd binary. (CVE-2024-33599)

  - nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails     to add a not-found netgroup response to the cache, the client request can result in a null pointer     dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability     is only present in the nscd binary. (CVE-2024-33600)

  - nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's     (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a     memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in     glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.
    (CVE-2024-33601)

  - nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd)     netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer.
    The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present     in the nscd binary. (CVE-2024-33602)

  - The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to     it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to     crash an application or overwrite a neighbouring variable. (CVE-2024-2961)

  - An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker     to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some     circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code     execution and secure boot protection bypass may be achieved. (CVE-2023-4692)

  - An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically     present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations.
    A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting     a high Confidentiality risk. (CVE-2023-4693)

  - A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set-     bootflag will create a temporary file with the new grubenv content and rename it to the original grubenv     file. If the program is killed before the rename operation, the temporary file will not be removed and may     fill the filesystem when invoked multiple times, resulting in a filesystem out of free inodes or blocks.
    (CVE-2024-1048)

  - A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit     unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into     the command of the features mentioned through the hostname parameter. (CVE-2023-6004)

  - A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by     different supported crypto backends. The return values from these were not properly checked, which could     cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as     an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures,     terminating the connection. (CVE-2023-6918)

  - A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory     for arrays before the non-negative length check is performed by the C API entry points. Passing a negative     length to the g_new0 function results in a crash due to the negative length being treated as a huge     positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by     causing the libvirt daemon to crash. (CVE-2024-2494)

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader     interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to     an xmlValidatePopElement use-after-free. (CVE-2024-25062)

  - Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including     unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy     forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in     the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director     function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse     query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

  - Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion     or denial of service. The parsed regexp representation is linear in the size of the input, but in some     cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger     amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular     expressions whose representation would use more space than that are rejected. Normal use of regular     expressions is unaffected. (CVE-2022-41715)

  - A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary     locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image     with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the     host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write     access to the host filesystem, allowing for full container escape at build time. (CVE-2024-1753)

  - The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid     JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any     value, or when the UnmarshalOptions.DiscardUnknown option is set. (CVE-2024-24786)

  - Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of     standards. An attacker could send a JWE containing compressed data that used large amounts of memory and     CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed     data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been     patched in versions 4.0.1, 3.0.3 and 2.6.3. (CVE-2024-28180)

  - Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar     to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template,     potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject     arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to     XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.
    (CVE-2024-22195)

  - A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles     invalid URLs that have specific characters. There is an increase in execution time for parsing strings to     URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete     fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. (CVE-2023-36617)

  - A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and     3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and     a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however,     for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is     stringio 3.0.1.2. (CVE-2024-27280)

  - An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex     compiler, it is possible to extract arbitrary heap data relative to the start of the text, including     pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1. (CVE-2024-27282)

  - REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it     parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be     impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability.
    As a workaround, don't parse untrusted XMLs. (CVE-2024-35176)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20230302.102001)

high Nessus Plugin ID 208276

Version 1.3

Version 1.2

Version 1.1

Version 1.3 Oct 21, 2024, 9:27 AM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Exploit attributes ("Exploit framework metasploit" set to "True") Plugin Feed: 202410210927
Version 1.2 Oct 11, 2024, 5:40 PM IAVM reference STIG Severity (set to "I") Plugin Feed: 202410111740
Version 1.1 Oct 8, 2024, 10:36 PM New Plugin Feed: 202410082236