Detections
Analytics
NewStart CGSL MAIN 6.06 : ncurses Multiple Vulnerabilities (NS-SA-2025-0223)
critical Nessus Plugin ID 266267
Synopsis
The remote NewStart CGSL host is affected by multiple vulnerabilities.Description
The remote NewStart CGSL host, running version MAIN 6.06, has ncurses packages installed that are affected by multiple vulnerabilities:- In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack. (CVE-2017-10685)
- In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack. (CVE-2017-10684)
- In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data. (CVE-2017-11112)
- In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data. (CVE-2017-11113)
- There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack. (CVE-2017-13728)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the vulnerable CGSL ncurses packages. Note that updated packages may not be available yet. Please contact ZTE for more information.See Also
https://security.gd-linux.com/notice/NS-SA-2025-0223
https://security.gd-linux.com/info/CVE-2017-10684
https://security.gd-linux.com/info/CVE-2017-10685
https://security.gd-linux.com/info/CVE-2017-11112
https://security.gd-linux.com/info/CVE-2017-11113
https://security.gd-linux.com/info/CVE-2017-13728
https://security.gd-linux.com/info/CVE-2017-13729
https://security.gd-linux.com/info/CVE-2017-13730
https://security.gd-linux.com/info/CVE-2017-13731
https://security.gd-linux.com/info/CVE-2017-13732
https://security.gd-linux.com/info/CVE-2017-13733
https://security.gd-linux.com/info/CVE-2017-13734
https://security.gd-linux.com/info/CVE-2017-16879
https://security.gd-linux.com/info/CVE-2018-10754
Plugin Details
Severity: Critical
ID: 266267
File Name: newstart_cgsl_NS-SA-2025-0223_ncurses.nasl
Version: 1.1
Type: local
Published: 9/30/2025
Updated: 9/30/2025
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.9
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2017-10685
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:zte:cgsl_main:ncurses-c%2b%2b-libs, cpe:/o:zte:cgsl_main:6, p-cpe:/a:zte:cgsl_main:ncurses, p-cpe:/a:zte:cgsl_main:ncurses-devel, p-cpe:/a:zte:cgsl_main:ncurses-compat-libs, p-cpe:/a:zte:cgsl_main:ncurses-base, p-cpe:/a:zte:cgsl_main:ncurses-libs
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 9/30/2025
Vulnerability Publication Date: 6/29/2017
Reference Information
CVE: CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113, CVE-2017-13728, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13733, CVE-2017-13734, CVE-2017-16879, CVE-2019-17594, CVE-2019-17595