SUSE SLED15: liboath-devel / liboath0 / libopenconnect5 / libpskc-devel / etc (SUSE-SU-2024:0317-1)

critical Nessus Plugin ID 189956

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0317-1 advisory.

- Update to release 9.12:

* Explicitly reject overly long tun device names.
* Increase maximum input size from stdin (#579).
* Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58).
* Fix stray (null) in URL path after Pulse authentication (4023bd95).
* Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475).
* Fix case sensitivity in GPST header matching (!474).

- Update to release 9.10:

* Fix external browser authentication with KDE plasma-nm < 5.26.
* Always redirect stdout to stderr when spawning external browser.
* Increase default queue length to 32 packets.
* Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array.
* Handle idiosyncratic variation in search domain separators for all protocols
* Support region selection field for Pulse authentication
* Support modified configuration packet from Pulse 9.1R16 servers
* Allow hidden form fields to be populated or converted to text fields on the command line
* Support yet another strange way of encoding challenge-based 2FA for GlobalProtect
* Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments
* Parrot a GlobalProtect server's software version, if present, as the client version (!333)
* Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389).
* Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418).
* Support F5 VPNs which encode authentication forms only in JSON, not in HTML.
* Support simultaneous IPv6 and Legacy IP ('dual-stack') for Fortinet .
* Support 'FTM-push' token mode for Fortinet VPNs .
* Send IPv6-compatible version string in Pulse IF/T session establishment
* Add --no-external-auth option to not advertise external-browser authentication
* Many small improvements in server response parsing, and better logging messages and documentation.

- Update to release 9.01:

* Add support for AnyConnect 'Session Token Re-use Anchor Protocol' (STRAP)
* Add support for AnyConnect 'external browser' SSO mode
* Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20
* Support Cisco's multiple-certificate authentication
* Revert GlobalProtect default route handling change from v8.20
* Suppo split-exclude routes for Fortinet
* Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect

- Update to release 8.20:

* Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect.
* Emulated a newer version of GlobalProtect official clients, 5.1.5-8; was 4.0.2-19
* Support Juniper login forms containing both password and 2FA token
* Explicitly disable 3DES and RC4, unless enabled with
--allow-insecure-crypto
* Allow protocols to delay tunnel setup and shutdown (!117)
* Support for GlobalProtect IPv6
* SIGUSR1now causes OpenConnect to log detailed connection information and statistics
* Allow --servercert to be specified multiple times in order to accept server certificates matching more than one possible fingerprint
* Demangle default routes sent as split routes by GlobalProtect
* Support more Juniper login forms, including some SSO forms
* Restore compatibility with newer Cisco servers, by no longer sending them the X-AnyConnect-Platform header
* Add support for PPP-based protocols, currently over TLS only.
* Add support for two PPP-based protocols, F5 with
--protocol=f5 and Fortinet with --protocol=fortinet.
* Add support for Array Networks SSL VPN.
* Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and hardware TPM.

- Import the latest version of the vpnc-script (bsc#1140772)

* This brings a lot of improvements for non-trivial network setups, IPv6 etc

- Build with --without-gnutls-version-check

- Update to version 8.10:

* Install bash completion script to ${datadir}/bash-completion/completions/openconnect.
* Improve compatibility of csd-post.sh trojan.
* Fix potential buffer overflow with GnuTLS describing local certs (CVE-2020-12823, bsc#1171862, gl#openconnect/openconnect!108).

- Introduce subpackage for bash-completion

- Update to 8.09:

* Add bash completion support.
* Give more helpful error in case of Pulse servers asking for TNCC.
* Sanitize non-canonical Legacy IP network addresses.
* Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105 bsc#1170452).
* Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. (!91)
* Disable Nagle's algorithm for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP.
* GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms.
* Work around PKCS#11 tokens which forget to set CKF_LOGIN_REQUIRED.

- Update to 8.0.8:

* Fix check of pin-sha256: public key hashes to be case sensitive
* Don't give non-functioning stderr to CSD trojan scripts.
* Fix crash with uninitialised OIDC token.

- Update to 8.0.7:

* Don't abort Pulse connection when server-provided certificate MD5 doesn't match.
* Fix off-by-one in check for bad GnuTLS versions, and add build and run time checks.
* Don't abort connection if CSD wrapper script returns non-zero (for now).
* Make --passtos work for protocols that use ESP, in addition to DTLS.
* Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well.

- Remove tncc-wrapper.py script as it is python2 only bsc#1157446

- No need to ship hipreport-android.sh as it is intented for android systems only

- Update to 8.0.5:

* Minor fixes to build on specific platforms
* Includes fix for a buffer overflow with chunked HTTP handling (CVE-2019-16239, bsc#1151178)

- Use python3 to generate the web data as now it is supported by upstream

- Update to 8.0.3:

* Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384.
* Fix recognition of OTP password fields.

- Update to 8.02:

* Fix GNU/Hurd build.
* Discover vpnc-script in default packaged location on FreeBSD/OpenBSD.
* Support split-exclude routes for GlobalProtect.
* Fix GnuTLS builds without libtasn1.
* Fix DTLS support with OpenSSL 1.1.1+.
* Add Cisco-compatible DTLSv1.2 support.
* Invoke script with reason=attempt-reconnect before doing so.


- Update to 8.01:

* Clear form submissions (which may include passwords) before freeing (CVE-2018-20319, bsc#1215669).
* Allow form responses to be provided on command line.
* Add support for SSL keys stored in TPM2.
* Fix ESP rekey when replay protection is disabled.
* Drop support for GnuTLS older than 3.2.10.
* Fix --passwd-on-stdin for Windows to not forcibly open console.
* Fix portability of shell scripts in test suite.
* Add Google Authenticator TOTP support for Juniper.
* Add RFC7469 key PIN support for cert hashes.
* Add protocol method to securely log out the Juniper session.
* Relax requirements for Juniper hostname packet response to support old gateways.
* Add API functions to query the supported protocols.
* Verify ESP sequence numbers and warn even if replay protection is disabled.
* Add support for PAN GlobalProtect VPN protocol (--protocol=gp).
* Reorganize listing of command-line options, and include information on supported protocols.
* SIGTERM cleans up the session similarly to SIGINT.
* Fix memset_s() arguments.
* Fix OpenBSD build.

- Explicitely enable all the features as needed to stop build if something is missing

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1140772

https://bugzilla.suse.com/1157446

https://bugzilla.suse.com/1170452

https://bugzilla.suse.com/1171862

https://bugzilla.suse.com/1215669

https://www.suse.com/security/cve/CVE-2018-20319

https://www.suse.com/security/cve/CVE-2020-12105

https://www.suse.com/security/cve/CVE-2020-12823

http://www.nessus.org/u?75fa0325

Plugin Details

Severity: Critical

ID: 189956

File Name: suse_SU-2024-0317-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 2/3/2024

Updated: 6/25/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-12823

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:openconnect-doc, p-cpe:/a:novell:suse_linux:openconnect, p-cpe:/a:novell:suse_linux:liboath-devel, p-cpe:/a:novell:suse_linux:liboath0, p-cpe:/a:novell:suse_linux:libopenconnect5, p-cpe:/a:novell:suse_linux:libpskc-devel, p-cpe:/a:novell:suse_linux:libpskc0, p-cpe:/a:novell:suse_linux:libstoken1, p-cpe:/a:novell:suse_linux:oath-toolkit-xml, p-cpe:/a:novell:suse_linux:openconnect-devel, p-cpe:/a:novell:suse_linux:openconnect-lang, p-cpe:/a:novell:suse_linux:stoken-devel, p-cpe:/a:novell:suse_linux:oath-toolkit, p-cpe:/a:novell:suse_linux:stoken, p-cpe:/a:novell:suse_linux:stoken-gui

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/2/2024

Vulnerability Publication Date: 4/23/2020

Reference Information

CVE: CVE-2018-20319, CVE-2020-12105, CVE-2020-12823

SuSE: SUSE-SU-2024:0317-1