Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade Nmap to OpenSSL version 1.1.1k #2350

Closed
fyodor opened this issue Aug 8, 2021 · 2 comments
Closed

Upgrade Nmap to OpenSSL version 1.1.1k #2350

fyodor opened this issue Aug 8, 2021 · 2 comments

Comments

@fyodor
Copy link
Member

fyodor commented Aug 8, 2021

We upgraded OpenSSL in the latest Nmap version 7.92 because that version fixes some CVE's. The vulnerabilities don't affect Nmap in a material way, but I still wanted to add this issue to document our (quick) research on these CVE's.

  • CVE-2021-3450 - Nmap does not set the X509_V_FLAG_X509_STRICT flag, so this vulnerability is not applicable.
  • CVE-2021-3449 - This issue affects ncat in listen mode with SSL enabled (ncat.exe -l --ssl). Nmap is not affected.
  • CVE-2021-23841 - Nmap does not use the X509_issuer_and_serial_hash function, so this vulnerability is not applicable.
  • CVE-2021-23840 - This vulnerability may affect certain NSE scripts and Nping in echo server or echo client mode. Ncat and all non-NSE Nmap features are unaffected. It would be a crash at worst.
  • CVE-2020-1971 - Nmap does not do CRL verification, nor does any Nmap code call GENERAL_NAME_cmp or any TS_RESP_* API functions, so Nmap is unaffected.
@fyodor
Copy link
Member Author

fyodor commented Aug 8, 2021

I'm closing this since we've upgraded to OpenSSL 1.1.1k in Nmap version 7.92.

@fyodor fyodor closed this as completed Aug 8, 2021
@fyodor fyodor transferred this issue from nmap/npcap Aug 8, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants
@fyodor and others