openSUSE 15 Security Update : nim (openSUSE-SU-2022:10101-1)

critical Nessus Plugin ID 164473


Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:10101-1 advisory.

- In Nim before 1.2.6, the standard library asyncftpclient lacks a check for whether a message contains a newline character. (CVE-2020-15690)

- In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system commands. (CVE-2020-15692)

- In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP header names or values. (CVE-2020-15693)

- In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length. (CVE-2020-15694)

- Nimble is a package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution. (CVE-2021-21372)

- Nimble is a package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, nimble refresh fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL, http://irclogs.nim-lang.org/packages.json. An attacker able to perform a MitM attack can deliver a modified package list containing malicious software packages. If the packages are installed and used, the attack escalates to untrusted code execution. (CVE-2021-21373)

- Nimble is a package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, nimble refresh fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate, due to the default setting of httpClient. An attacker able to perform a MitM attack can deliver a modified package list containing malicious software packages. If the packages are installed and used, the attack escalates to untrusted code execution. (CVE-2021-21374)

- Nim is a statically typed compiled systems programming language. In Nim standard library before 1.4.2, httpClient SSL/TLS certificate verification was disabled by default. Users can upgrade to version 1.4.2 to receive a patch or, as a workaround, set verifyMode = CVerifyPeer as documented. (CVE-2021-29495)

- Nim is a systems programming language with a focus on efficiency, expressiveness, and elegance. In affected versions the uri.parseUri function, which may be used to validate URIs, accepts null bytes in the input URI. This behavior could be used to bypass URI validation. For example, parseUri(http://localhost\0hello).hostname is set to localhost\0hello. Additionally, httpclient.getContent accepts null bytes in the input URL and ignores any data after the first null byte. Example: getContent(http://localhost\0hello) makes a request to localhost:80. An attacker can use null bytes to bypass the check and mount an SSRF attack. (CVE-2021-41259)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected nim package.

See Also

https://bugzilla.suse.com/1175332

https://bugzilla.suse.com/1175333

https://bugzilla.suse.com/1175334

https://bugzilla.suse.com/1181705

https://bugzilla.suse.com/1185083

https://bugzilla.suse.com/1185084

https://bugzilla.suse.com/1185085

https://bugzilla.suse.com/1185948

https://bugzilla.suse.com/1192712

http://www.nessus.org/u?842793f7

https://www.suse.com/security/cve/CVE-2020-15690

https://www.suse.com/security/cve/CVE-2020-15692

https://www.suse.com/security/cve/CVE-2020-15693

https://www.suse.com/security/cve/CVE-2020-15694

https://www.suse.com/security/cve/CVE-2021-21372

https://www.suse.com/security/cve/CVE-2021-21373

https://www.suse.com/security/cve/CVE-2021-21374

https://www.suse.com/security/cve/CVE-2021-29495

https://www.suse.com/security/cve/CVE-2021-41259

Plugin Details

Severity: Critical

ID: 164473

File Name: openSUSE-2022-10101-1.nasl

Version: 1.3

Type: local

Agent: unix

Published: 8/28/2022

Updated: 10/13/2023

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-15692

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:nim, cpe:/o:novell:opensuse:15.4

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/27/2022

Vulnerability Publication Date: 8/14/2020

Reference Information

CVE: CVE-2020-15690, CVE-2020-15692, CVE-2020-15693, CVE-2020-15694, CVE-2021-21372, CVE-2021-21373, CVE-2021-21374, CVE-2021-29495, CVE-2021-41259