In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution.

The remote host is affected by the vulnerability described in GLSA-202310-21 (ConnMan: Multiple Vulnerabilities)

  - An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation     lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read.
    (CVE-2022-23096)

  - An issue was discovered in the DNS proxy in Connman through 1.40. forward_dns_reply mishandles a strnlen     call, leading to an out-of-bounds read. (CVE-2022-23097)

  - An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has     an infinite loop if no data is received. (CVE-2022-23098)

  - In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to     exploit a heap-based buffer overflow in received_data to execute code. (CVE-2022-32292)

  - In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a     use-after-free in WISPR handling, leading to crashes or code execution. (CVE-2022-32293)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS / 23.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6236-1 advisory.

  - A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network adjacent     attackers to execute code. (CVE-2021-26675)

  - gdhcp in ConnMan before 1.39 could be used by network-adjacent attackers to leak sensitive stack     information, allowing further exploitation of bugs in gdhcp. (CVE-2021-26676)

  - ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based buffer overflow in uncompress in     dnsproxy.c via NAME, RDATA, or RDLENGTH (for A or AAAA). (CVE-2021-33833)

  - An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation     lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read.
    (CVE-2022-23096)

  - An issue was discovered in the DNS proxy in Connman through 1.40. forward_dns_reply mishandles a strnlen     call, leading to an out-of-bounds read. (CVE-2022-23097)

  - An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has     an infinite loop if no data is received. (CVE-2022-23098)

  - In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to     exploit a heap-based buffer overflow in received_data to execute code. (CVE-2022-32292)

  - In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a     use-after-free in WISPR handling, leading to crashes or code execution. (CVE-2022-32293)

  - client.c in gdhcp in ConnMan through 1.41 could be used by network-adjacent attackers (operating a crafted     DHCP server) to cause a stack-based buffer overflow and denial of service, terminating the connman     process. (CVE-2023-28488)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3144 advisory.

  - An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation     lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read.
    (CVE-2022-23096)

  - An issue was discovered in the DNS proxy in Connman through 1.40. forward_dns_reply mishandles a strnlen     call, leading to an out-of-bounds read. (CVE-2022-23097)

  - An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has     an infinite loop if no data is received. (CVE-2022-23098)

  - In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a     use-after-free in WISPR handling, leading to crashes or code execution. (CVE-2022-32293)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:10134-1 advisory.

  - In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to     exploit a heap-based buffer overflow in received_data to execute code. (CVE-2022-32292)

  - In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a     use-after-free in WISPR handling, leading to crashes or code execution. (CVE-2022-32293)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5231 advisory.

  - An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation     lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read.
    (CVE-2022-23096)

  - An issue was discovered in the DNS proxy in Connman through 1.40. forward_dns_reply mishandles a strnlen     call, leading to an out-of-bounds read. (CVE-2022-23097)

  - An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has     an infinite loop if no data is received. (CVE-2022-23098)

  - In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to     exploit a heap-based buffer overflow in received_data to execute code. (CVE-2022-32292)

  - In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a     use-after-free in WISPR handling, leading to crashes or code execution. (CVE-2022-32293)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3105 advisory.

  - In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to     exploit a heap-based buffer overflow in received_data to execute code. (CVE-2022-32292)

  - In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a     use-after-free in WISPR handling, leading to crashes or code execution. (CVE-2022-32293)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:10076-1 advisory.

  - In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to     exploit a heap-based buffer overflow in received_data to execute code. (CVE-2022-32292)

  - In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a     use-after-free in WISPR handling, leading to crashes or code execution. (CVE-2022-32293)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
184065	GLSA-202310-21 : ConnMan: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
178482	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS / 23.04 : ConnMan vulnerabilities (USN-6236-1)	Nessus	Ubuntu Local Security Checks	critical
166020	Debian DLA-3144-1 : connman - LTS security update	Nessus	Debian Local Security Checks	critical
165611	openSUSE 15 Security Update : connman (openSUSE-SU-2022:10134-1)	Nessus	SuSE Local Security Checks	critical
165255	Debian DSA-5231-1 : connman - security update	Nessus	Debian Local Security Checks	critical
164963	Debian DLA-3105-1 : connman - LTS security update	Nessus	Debian Local Security Checks	critical
163757	openSUSE 15 Security Update : connman (openSUSE-SU-2022:10076-1)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2022-32293

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical