Detections
Analytics
Fedora 33 : golang-github-pires-proxyproto (2021-e01c1fe4cc)
medium Nessus Plugin ID 147847
Language:
Synopsis
The remote Fedora host is missing one or more security updates.Description
The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-e01c1fe4cc advisory.- The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in the code, a deliberately malformed V1 header could be used to exhaust memory in a server process using this code - and create a DoS. This can be exploited by sending a stream starting with PROXY and continuing to send data (which does not contain a newline) until the target stops acknowledging. The risk here is small, because only trusted sources should be allowed to send proxy protocol headers. (CVE-2021-23351)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected golang-github-pires-proxyproto package.See Also
https://bodhi.fedoraproject.org/updates/FEDORA-2021-e01c1fe4cc
Plugin Details
Severity: Medium
ID: 147847
File Name: fedora_2021-e01c1fe4cc.nasl
Version: 1.3
Type: local
Agent: unix
Family: Fedora Local Security Checks
Published: 3/17/2021
Updated: 4/12/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 4
Temporal Score: 3
Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSS Score Source: CVE-2021-23351
CVSS v3
Risk Factor: Medium
Base Score: 4.9
Temporal Score: 4.3
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:fedoraproject:fedora:33, p-cpe:/a:fedoraproject:fedora:golang-github-pires-proxyproto
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 3/9/2021
Vulnerability Publication Date: 3/8/2021
Reference Information
CVE: CVE-2021-23351
FEDORA: 2021-e01c1fe4cc