Detections
Analytics

Amazon Linux 2 : ecs-service-connect-agent, --advisory ALAS2ECS-2025-093 (ALASECS-2025-093)

high Nessus Plugin ID 281808

Language:

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

The version of ecs-service-connect-agent installed on the remote host is prior to v1.34.4.2-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2025-093 advisory.

 There exists a denial of service through Data corruption in gRPC-C++ - gRPC-C++ servers with transmit zero copy enabled through the channel arg GRPC_ARG_TCP_TX_ZEROCOPY_ENABLED can experience data corruption issues. The data sent by the application may be corrupted before transmission over the network thus leading the receiver to receive an incorrect set of bytes causing RPC requests to fail. We recommend upgrading past commit e9046b2bbebc0cb7f5dc42008f807f6c7e98e791 (CVE-2024-11407)

 LuaJIT through 2.1 has a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c. (CVE-2024-25176)

 LuaJIT through 2.1 has an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS). (CVE-2024-25177)

 LuaJIT through 2.1 has an out-of-bounds read in the stack-overflow handler in lj_state.c (CVE-2024-25178)

 When libcurl is asked to perform automatic gzip decompression ofcontent-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow wouldmake libcurl perform a buffer overflow. (CVE-2025-0725)

 Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. Versions 1.34.0 through 1.34.4 and 1.35.0 contain a use-after-free (UAF) vulnerability in the DNS cache, causing abnormal process termination. The vulnerability is in Envoy's Dynamic Forward Proxy implementation, occurring when a completion callback for a DNS resolution triggers new DNS resolutions or removes existing pending resolutions. This condition may occur when the following conditions are met:
 dynamic Forwarding Filter is enabled, the `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime flag is enabled, and the Host header is modified between the Dynamic Forwarding Filter and Router filters.
 This issue is resolved in versions 1.34.5 and 1.35.1. To work around this issue, set the envoy.reloadable_features.dfp_cluster_resolves_hosts runtime flag to false. (CVE-2025-54588)

 Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid request, causing the session cookie to persist. This allows a user to remain logged in after they believe they have logged out, creating a session hijacking risk on shared computers. The current implementation iterates through the configured cookie names to generate deletion headers but does not check for these prefixes. This failure to properly construct the deletion header means the user's session cookies are never removed by the browser, leaving the session active and allowing the next user of the same browser to gain unauthorized access to the original user's account and data. This is fixed in versions 1.32.10, 1.33.7, 1.34.5 and 1.35.1. (CVE-2025-55162)

 Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10, large requests and responses can potentially trigger TCP connection pool crashes due to flow control management in Envoy. It will happen when the connection is closing but upstream data is still coming, resulting in a buffer watermark callback nullptr reference. The vulnerability impacts TCP proxy and HTTP 1 & 2 mixed use cases based on ALPN. This vulnerability is fixed in 1.36.1, 1.35.5, 1.34.9, and 1.33.10.
 (CVE-2025-62409)

 Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the original response headers, leaving dangling references and causing a crash. This results in denial of service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the condition but does not correct the underlying memory safety flaw. (CVE-2025-62504)

 Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object.
 The original callback's reset() then clears the second fetch's state (receiver_ and request_) which causes a crash when the async HTTP response arrives. (CVE-2025-64527)

 Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments.
 The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel. (CVE-2025-64763)

 Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy's mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches. (CVE-2025-66220)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update ecs-service-connect-agent' or or 'yum update --advisory ALAS2ECS-2025-093' to update your system.

See Also

https://alas.aws.amazon.com//AL2/ALAS2ECS-2025-093.html

https://alas.aws.amazon.com/faqs.html

https://explore.alas.aws.amazon.com/CVE-2024-11407.html

https://explore.alas.aws.amazon.com/CVE-2024-25176.html

https://explore.alas.aws.amazon.com/CVE-2024-25177.html

https://explore.alas.aws.amazon.com/CVE-2024-25178.html

https://explore.alas.aws.amazon.com/CVE-2025-0725.html

https://explore.alas.aws.amazon.com/CVE-2025-54588.html

https://explore.alas.aws.amazon.com/CVE-2025-55162.html

https://explore.alas.aws.amazon.com/CVE-2025-62409.html

https://explore.alas.aws.amazon.com/CVE-2025-62504.html

https://explore.alas.aws.amazon.com/CVE-2025-64527.html

https://explore.alas.aws.amazon.com/CVE-2025-64763.html

https://explore.alas.aws.amazon.com/CVE-2025-66220.html

Plugin Details

Severity: High

ID: 281808

File Name: al2_ALASECS-2025-093.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/5/2026

Updated: 1/5/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-55162

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-62409

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:ecs-service-connect-agent, cpe:/o:amazon:linux:2

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/5/2026

Vulnerability Publication Date: 12/12/2023

Reference Information

CVE: CVE-2024-11407, CVE-2024-25176, CVE-2024-25177, CVE-2024-25178, CVE-2025-0725, CVE-2025-54588, CVE-2025-55162, CVE-2025-62409, CVE-2025-62504, CVE-2025-64527, CVE-2025-64763, CVE-2025-66220