curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

The remote NewStart CGSL host, running version MAIN 6.02, has curl packages installed that are affected by multiple vulnerabilities:

  - The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is     enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary     requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3)     execute arbitrary commands via a redirect to an scp: URL. (CVE-2009-0037)

  - The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl     and other products, always performs credential delegation during GSSAPI authentication, which allows     remote servers to impersonate clients via GSSAPI requests. (CVE-2011-2192)

  - curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a     pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as     demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol. (CVE-2012-0036)

  - Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl     and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote     attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in     the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message. (CVE-2013-0249)

  - The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path     domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the     domain of a URL. (CVE-2013-1944)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The following vulnerabilities have been fixed in curl :

  - IMAP, POP3 and SMTP URL sanitization vulnerability     (CVE-2012-0036)

  - disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS     (CVE-2011-3389)

  - disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option     for older openssl versions (CVE-2010-4180)

- Fix IMAP, POP3 and SMTP URL sanitization (bnc#740452,     CVE-2012-0036)

  - Disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option     when built against an older OpenSSL version     (CVE-2010-4180).

  - Don't enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS     (bnc#742306, CVE-2011-3389).

An input validation vulnerability occurs when the application fails to properly sanitize a user-supplied fileptah part of an URL before passing it to the protocol-specific code. A remote attacker could exploit this issue to execute arbitrary code in the context of the affected application. (CVE-2012-0036)

Affected versions include versions 7.20.0 through 7.23.1.

According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.1.1 and is, therefore, reportedly affected by the following vulnerabilities :

  - The bundled version of the libxml2 library contains     multiple vulnerabilities. (CVE-2011-1944, CVE-2011-2821,     CVE-2011-2834)

  - The bundled version of PHP contains multiple     vulnerabilities. (CVE-2011-3379, CVE-2011-4153,     CVE-2011-4885, CVE-2012-1823, CVE-2012-0057,     CVE-2012-0830)

  - The bundled version of the Apache HTTP Server contains     multiple vulnerabilities. (CVE-2011-3607, CVE-2011-4317,     CVE-2011-4415, CVE-2012-0021, CVE-2012-0031,     CVE-2012-0053)

  - An issue exists in the 'include/iniset.php' script in     the embedded RoundCube Webmail version that could lead     to a denial of service. (CVE-2011-4078)

  - The bundled version of OpenSSL contains multiple     vulnerabilities. (CVE-2011-4108, CVE-2011-4576,     CVE-2011-4577, CVE-2011-4619, CVE-2012-0027,     CVE-2012-1165)

  - The bundled version of curl and libcurl does not     properly consider special characters during extraction     of a pathname from a URL. (CVE-2012-0036)     
  - An off autocomplete attribute does not exist for     unspecified form fields, which makes it easier for     remote attackers to obtain access by leveraging an     unattended workstation. (CVE-2012-2012)

  - An unspecified vulnerability exists that could allow a     remote attacker to cause a denial of service, or     possibly obtain sensitive information or modify data.
    (CVE-2012-2013)

  - An unspecified vulnerability exists related to improper     input validation. (CVE-2012-2014)

  - An unspecified vulnerability allows remote,     unauthenticated users to gain privileges and obtain     sensitive information. (CVE-2012-2015)

  - An unspecified vulnerability allows local users to     obtain sensitive information via unknown vectors.
    (CVE-2012-2016)

The remote host is running a version of Mac OS X 10.7 that is older than version 10.7.4.  The newer version contains numerous security-related fixes for the following components :

  - Login Windows
  - Bluetooth
  - curl
  - HFS
  - Kernel
  - libarchive
  - libsecurity
  - libxml
  - LoginUIFramework
  - PHP
  - Quartz Composer
  - QuickTime
  - Ruby
  - Security Framework
  - Time Machine
  - X11

The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.4. The newer version contains numerous security-related fixes for the following components :

  - Login Window
  - Bluetooth
  - curl
  - HFS
  - Kernel
  - libarchive
  - libsecurity
  - libxml
  - LoginUIFramework
  - PHP
  - Quartz Composer
  - QuickTime
  - Ruby
  - Security Framework
  - Time Machine
  - X11

Note that this update addresses the recent FileVault password vulnerability, in which user passwords are stored in plaintext to a system-wide debug log if the legacy version of FileVault is used to encrypt user directories after a system upgrade to Lion. Since the patch only limits further exposure, though, we recommend that all users on the system change their passwords if user folders were encrypted using the legacy version of FileVault prior to and after an upgrade to OS X 10.7.

Multiple vulnerabilities has been found and corrected in curl :

curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer. A work-around has been added to mitigate the problem (CVE-2011-3389).

curl is vulnerable to a data injection attack for certain protocols through control characters embedded or percent-encoded in URLs (CVE-2012-0036).

The updated packages have been patched to correct these issues.

The remote host is affected by the vulnerability described in GLSA-201203-02 (cURL: Multiple vulnerabilities)

    Multiple vulnerabilities have been found in cURL:
      When zlib is enabled, the amount of data sent to an application for         automatic decompression is not restricted (CVE-2010-0734).
      When performing GSSAPI authentication, credential delegation is         always used (CVE-2011-2192).
      When SSL is enabled, cURL improperly disables the OpenSSL workaround         to mitigate an information disclosure vulnerability in the SSL and TLS         protocols (CVE-2011-3389).
      libcurl does not properly verify file paths for escape control         characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036).
  Impact :

    A remote attacker could entice a user or automated process to open a       specially crafted file or URL using cURL, possibly resulting in the       remote execution of arbitrary code, a Denial of Service condition,       disclosure of sensitive information, or unwanted actions performed via       the IMAP, POP3 or SMTP protocols. Furthermore, remote servers may be able       to impersonate clients via GSSAPI requests.
  Workaround :

    There is no known workaround at this time.

reject URLs containing bad data (CVE-2012-0036)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update to curl fixes the following security issue :

  - Don't set SSL_OP_ALL to avoid potential DTLS sniffing     attacks. (CVE-2012-0036)

Several vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2011-3389     This update enables OpenSSL workarounds against the     'BEAST' attack. Additional information can be found in     the cURL advisory

  - CVE-2012-0036     Dan Fandrich discovered that cURL performs insufficient     sanitising when extracting the file path part of an URL.

Dan Fandrich discovered that curl incorrectly handled URLs containing embedded or percent-encoded control characters. If a user or automated system were tricked into processing a specially crafted URL, arbitrary data could be injected.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
206854	NewStart CGSL MAIN 6.02 : curl Multiple Vulnerabilities (NS-SA-2024-0050)	Nessus	NewStart CGSL Local Security Checks	critical
75806	openSUSE Security Update : curl (openSUSE-SU-2012:0229-1) (BEAST)	Nessus	SuSE Local Security Checks	high
74807	openSUSE Security Update : curl (openSUSE-2012-76) (BEAST)	Nessus	SuSE Local Security Checks	high
801396	cURL/libcURL Remote Input Validation Vulnerability	Log Correlation Engine	Web Clients	medium
6903	cURL/libcURL Remote Input Validation	Nessus Network Monitor	Web Clients	high
59851	HP System Management Homepage < 7.1.1 Multiple Vulnerabilities	Nessus	Web Servers	critical
6482	Mac OS X 10.7 < 10.7.4 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
59066	Mac OS X 10.7.x < 10.7.4 Multiple Vulnerabilities (BEAST)	Nessus	MacOS X Local Security Checks	critical
58759	Mandriva Linux Security Advisory : curl (MDVSA-2012:058)	Nessus	Mandriva Local Security Checks	high
58212	GLSA-201203-02 : cURL: Multiple vulnerabilities (BEAST)	Nessus	Gentoo Local Security Checks	high
57897	Fedora 15 : curl-7.21.3-13.fc15 (2012-0888)	Nessus	Fedora Local Security Checks	high
57842	SuSE 10 Security Update : curl (ZYPP Patch Number 7937)	Nessus	SuSE Local Security Checks	high
57738	Debian DSA-2398-2 : curl - several vulnerabilities (BEAST)	Nessus	Debian Local Security Checks	high
57719	Fedora 16 : curl-7.21.7-6.fc16 (2012-0894)	Nessus	Fedora Local Security Checks	high
57689	Ubuntu 10.10 / 11.04 / 11.10 : curl vulnerability (USN-1346-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2012-0036

high

Tenable Plugins

critical

high

high

medium

high

critical

critical

critical

high

high

high

high

high

high

high