Detections
Analytics

NewStart CGSL MAIN 7.02 : nghttp2 Multiple Vulnerabilities (NS-SA-2025-0134)

medium Nessus Plugin ID 242763

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 7.02, has nghttp2 packages installed that are affected by multiple vulnerabilities:

 - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

 - Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.
 (CVE-2023-35945)

 - nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream.
 There is no workaround for this vulnerability. (CVE-2024-28182)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL nghttp2 packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/info/CVE-2024-28182

https://security.gd-linux.com/notice/NS-SA-2025-0134

https://security.gd-linux.com/info/CVE-2023-35945

https://security.gd-linux.com/info/CVE-2023-44487

Plugin Details

Severity: Medium

ID: 242763

File Name: newstart_cgsl_NS-SA-2025-0134_nghttp2.nasl

Version: 1.2

Type: local

Published: 7/25/2025

Updated: 7/26/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-44487

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 6.9

Threat Vector: CVSS:4.0/E:A

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/o:zte:cgsl_main:7, p-cpe:/a:zte:cgsl_main:libnghttp2, p-cpe:/a:zte:cgsl_main:libnghttp2-devel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/25/2025

Vulnerability Publication Date: 7/13/2023

CISA Known Exploited Vulnerability Due Dates: 10/31/2023

Reference Information

CVE: CVE-2023-35945, CVE-2023-44487, CVE-2024-28182