EulerOS Virtualization 2.10.0 : openssl (EulerOS-SA-2022-1417) - Nessus
Critical Plugin ID: 159838This page contains detailed information about the EulerOS Virtualization 2.10.0 : openssl (EulerOS-SA-2022-1417) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 159838
Name: EulerOS Virtualization 2.10.0 : openssl (EulerOS-SA-2022-1417)
Filename: EulerOS_SA-2022-1417.nasl
Vulnerability Published: 2021-02-16
This Plugin Published: 2022-04-18
Last Modification Time: 2022-04-18
Plugin Version: 1.2
Plugin Type: local
Plugin Family: Huawei Local Security Checks
Dependencies:
ssh_get_info.nasl
Required KB Items [?]: Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/uvp_version, Host/local_checks_enabled
Vulnerability Information
Severity: Critical
Vulnerability Published: 2021-02-16
Patch Published: 2022-04-13
CVE [?]: CVE-2021-3711, CVE-2021-3712
CPE [?]: cpe:/o:huawei:euleros:uvp:2.10.0, p-cpe:/a:huawei:euleros:openssl, p-cpe:/a:huawei:euleros:openssl-libs, p-cpe:/a:huawei:euleros:openssl-perl
Synopsis
The remote EulerOS Virtualization host is missing multiple security updates.
Description
According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
- In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). (CVE-2021-3711)
- ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Update the affected openssl packages.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (GitHub)
Exploit Ease: Exploits (PoCs) are available
Here's the list of publicly known exploits and PoCs for verifying the EulerOS Virtualization 2.10.0 : openssl (EulerOS-SA-2022-1417) vulnerability:
- GitHub: https://github.com/anchore/grype
[CVE-2021-3711] - GitHub: https://github.com/aymankhder/scanner-for-container
[CVE-2021-3711] - GitHub: https://github.com/jntass/TASSL-1.1.1k
[CVE-2021-3711] - GitHub: https://github.com/leonov-av/scanvus
[CVE-2021-3711] - GitHub: https://github.com/anchore/grype
[CVE-2021-3712] - GitHub: https://github.com/giantswarm/starboard-exporter
[CVE-2021-3712] - GitHub: https://github.com/leonov-av/scanvus
[CVE-2021-3712] - GitHub: https://github.com/lucky-sideburn/secpod_wrap
[CVE-2021-3712]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS Score Source [?]: CVE-2021-3711
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C
| CVSS Base Score: | 7.5 (High) |
| Impact Subscore: | 6.4 |
| Exploitability Subscore: | 10.0 |
| CVSS Temporal Score: | 5.5 (Medium) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 5.5 (Medium) |
| CVSS Base Score: | 9.8 (Critical) |
| Impact Subscore: | 5.9 |
| Exploitability Subscore: | 3.9 |
| CVSS Temporal Score: | 8.5 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 8.5 (High) |
STIG Risk Rating: High
Go back to menu.
Plugin Source
This is the EulerOS_SA-2022-1417.nasl nessus plugin source code. This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(159838);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/18");
script_cve_id("CVE-2021-3711", "CVE-2021-3712");
script_xref(name:"IAVA", value:"2021-A-0395-S");
script_xref(name:"IAVA", value:"2022-A-0030");
script_xref(name:"IAVA", value:"2021-A-0487");
script_xref(name:"IAVA", value:"2022-A-0035");
script_name(english:"EulerOS Virtualization 2.10.0 : openssl (EulerOS-SA-2022-1417)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host
is affected by the following vulnerabilities :
- In order to decrypt SM2 encrypted data an application is expected to call the API function
EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the
'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size
required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer
and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug
in the implementation of the SM2 decryption code means that the calculation of the buffer size required to
hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size
required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the
application a second time with a buffer that is too small. A malicious attacker who is able present SM2
content for decryption to an application could cause attacker chosen data to overflow the buffer by up to
a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing
application behaviour or causing the application to crash. The location of the buffer is application
dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).
(CVE-2021-3711)
- ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a
buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings
which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not
a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar
parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will
additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for
applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array
by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using
the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to
assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for
strings that have been directly constructed. Where an application requests an ASN.1 structure to be
printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the
application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing
can also occur during name constraints processing of certificates (for example if a certificate has been
directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the
certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the
X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an
application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL
functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).
It could also result in the disclosure of private memory contents (such as private keys, or sensitive
plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected
1.0.2-1.0.2y). (CVE-2021-3712)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1417
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?68d1651a");
script_set_attribute(attribute:"solution", value:
"Update the affected openssl packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3711");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/02/16");
script_set_attribute(attribute:"patch_publication_date", value:"2022/04/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/04/18");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl-perl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.10.0");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.10.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.10.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
var flag = 0;
var pkgs = [
"openssl-1.1.1f-8.h14.eulerosv2r10",
"openssl-libs-1.1.1f-8.h14.eulerosv2r10",
"openssl-perl-1.1.1f-8.h14.eulerosv2r10"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssl");
}
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/EulerOS_SA-2022-1417.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\EulerOS_SA-2022-1417.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/EulerOS_SA-2022-1417.nasl
Go back to menu.
How to Run
Here is how to run the EulerOS Virtualization 2.10.0 : openssl (EulerOS-SA-2022-1417) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Huawei Local Security Checks plugin family.
- On the right side table select EulerOS Virtualization 2.10.0 : openssl (EulerOS-SA-2022-1417) plugin ID 159838.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl EulerOS_SA-2022-1417.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a EulerOS_SA-2022-1417.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - EulerOS_SA-2022-1417.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state EulerOS_SA-2022-1417.nasl -t <IP/HOST>Go back to menu.
References
IAVA | Information Assurance Vulnerability Alert:
- 2021-A-0395-S, 2021-A-0487, 2022-A-0030, 2022-A-0035
- https://www.tenable.com/plugins/nessus/159838
- http://www.nessus.org/u?68d1651a
- https://vulners.com/nessus/EULEROS_SA-2022-1417.NASL
- 156513 - EulerOS Virtualization 3.0.2.6 : openssl (EulerOS-SA-2021-2874)
- 156658 - RHEL 7 : openssl (RHSA-2022:0064)
- 156663 - Oracle Linux 7 : openssl (ELSA-2022-0064)
- 156692 - Juniper Junos OS Vulnerability (JSA11293)
- 156707 - Oracle Linux 7 : openssl (ELSA-2022-9017)
- 156719 - Scientific Linux Security Update : openssl on SL7.x i686/x86_64 (2022:0064)
- 156740 - Oracle Linux 7 : openssl (ELSA-2022-9023)
- 156889 - Oracle MySQL Connectors (January 2022 CPU)
- 157822 - Rocky Linux 8 : openssl (RLSA-2021:5226)
- 157944 - EulerOS Virtualization 3.0.6.0 : openssl (EulerOS-SA-2022-1088)
- 157950 - EulerOS Virtualization 3.0.6.0 : compat-openssl10 (EulerOS-SA-2022-1059)
- 157952 - EulerOS Virtualization 3.0.6.6 : openssl (EulerOS-SA-2022-1135)
- 157967 - EulerOS Virtualization 3.0.6.6 : openssl098e (EulerOS-SA-2022-1136)
- 158279 - EulerOS 2.0 SP3 : openssl (EulerOS-SA-2022-1181)
- 158298 - EulerOS 2.0 SP3 : openssl098e (EulerOS-SA-2022-1180)
- 158834 - AlmaLinux 8 : openssl (ALSA-2021:5226)
- 159569 - QNAP QTS / QuTS hero Out-of-Bounds Read (QSA-21-40)
- 159859 - EulerOS Virtualization 2.10.1 : openssl (EulerOS-SA-2022-1391)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file EulerOS_SA-2022-1417.nasl version 1.2. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
