Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.

An issue has been found in wget, a tool to retrieve files from the web. A race condition might occur as files rejected by an access list are kept on the disk for the duration of a HTTP connection.

For Debian 8 'Jessie', this problem has been fixed in version 1.16-1+deb8u7.

We recommend that you upgrade your wget packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the wget package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A stack-based buffer overflow when processing chunked,     encoded HTTP responses was found in wget. By tricking     an unsuspecting user into connecting to a malicious     HTTP server, an attacker could exploit this flaw to     potentially execute arbitrary code.(CVE-2017-13089)

  - A flaw was found in the way Wget handled symbolic     links. A malicious FTP server could allow Wget running     in the mirror mode (using the '-m' command line option)     to write an arbitrary file to a location writable to by     the user running Wget, possibly leading to code     execution.(CVE-2014-4877)

  - A cookie injection flaw was found in wget. An attacker     can create a malicious website which, when accessed,     overrides cookies belonging to arbitrary     domains.(CVE-2018-0494)

  - It was found that wget used a file name provided by the     server for the downloaded file when following a HTTP     redirect to a FTP server resource. This could cause     wget to create a file with a different name than     expected, possibly allowing the server to execute     arbitrary code on the client.(CVE-2016-4971)

  - A heap-based buffer overflow, when processing chunked     encoded HTTP responses, was found in wget. By tricking     an unsuspecting user into connecting to a malicious     HTTP server, an attacker could exploit this flaw to     potentially execute arbitrary code.(CVE-2017-13090)

  - Race condition in wget 1.17 and earlier, when used in     recursive or mirroring mode to download a single file,     might allow remote servers to bypass intended access     list restrictions by keeping an HTTP connection     open.(CVE-2016-7098)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - Race condition in wget 1.17 and earlier, when used in     recursive or mirroring mode to download a single file,     might allow remote servers to bypass intended access     list restrictions by keeping an HTTP connection     open.(CVE-2016-7098)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the wget package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability :

  - Race condition in wget 1.17 and earlier, when used in     recursive or mirroring mode to download a single file,     might allow remote servers to bypass intended access     list restrictions by keeping an HTTP connection     open.(CVE-2016-7098)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the wget package has been released.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3464-1 advisory.

    Antti Levomki, Christian Jalio, and Joonas Pihlaja discovered that Wget incorrectly handled certain HTTP     responses. A remote attacker could use this issue to cause Wget to crash, resulting in a denial of     service, or possibly execute arbitrary code. (CVE-2017-13089, CVE-2017-13090)

    Dawid Golunski discovered that Wget incorrectly handled recursive or mirroring mode. A remote attacker     could possibly use this issue to bypass intended access list restrictions. (CVE-2016-7098)

    Orange Tsai discovered that Wget incorrectly handled CRLF sequences in HTTP headers. A remote attacker     could possibly use this issue to inject arbitrary HTTP headers. (CVE-2017-6508)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for wget fixes the following issues :

Security issues fixed :

  - CVE-2016-7098: Fixed a potential race condition by     creating files with .tmp ext and making them accessible     to the current user only. (bsc#995964)

Non security issues fixed :

  - bsc#1005091: Don't call xfree() on string returned by     usr_error() 

  - bsc#1012677: Add support for enforcing TLSv1.1 and     TLSv1.2 (TLS 1.2 support was already present, but it was     not enforcable).

This update was imported from the SUSE:SLE-12:Update update project.

This update for wget fixes the following issues: Security issues fixed :

  - CVE-2016-7098: Fixed a potential race condition by     creating files with .tmp ext and making them accessible     to the current user only. (bsc#995964) Non security     issues fixed :

  - bsc#1005091: Don't call xfree() on string returned by     usr_error()

  - bsc#1012677: Add support for enforcing TLSv1.1 and     TLSv1.2 (TLS 1.2 support was already present, but it was     not enforcable).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Dawid Golunski reports :

GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, is affected by a Race Condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with -A parameter.

This update for wget fixes the following issues :

  - CVE-2016-4971: A HTTP to FTP redirection file name     confusion vulnerability was fixed. (bsc#984060).

  - CVE-2016-7098: A potential race condition was fixed by     creating files with .tmp ext and making them accessible     to the current user only. (bsc#995964) Bug fixed :

  - Wget failed with basicauth: Failed writing HTTP request:
    Bad file descriptor (bsc#958342)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for wget fixes the following issues :

  - CVE-2016-7098: Fixed a potential race condition by     creating files with .tmp ext and making them accessible     to the current user only. (boo#995964)

ID	Name	Product	Family	Severity
133324	Debian DLA-2086-1 : wget security update	Nessus	Debian Local Security Checks	high
124920	EulerOS Virtualization 3.0.1.0 : wget (EulerOS-SA-2019-1417)	Nessus	Huawei Local Security Checks	high
124636	EulerOS 2.0 SP3 : wget (EulerOS-SA-2019-1350)	Nessus	Huawei Local Security Checks	high
123731	EulerOS Virtualization 2.5.3 : wget (EulerOS-SA-2019-1263)	Nessus	Huawei Local Security Checks	high
123629	EulerOS 2.0 SP5 : wget (EulerOS-SA-2019-1155)	Nessus	Huawei Local Security Checks	high
123604	EulerOS 2.0 SP2 : wget (EulerOS-SA-2019-1130)	Nessus	Huawei Local Security Checks	high
121653	Photon OS 1.0: Wget PHSA-2016-0012	Nessus	PhotonOS Local Security Checks	high
104211	Ubuntu 14.04 LTS / 16.04 LTS : Wget vulnerabilities (USN-3464-1)	Nessus	Ubuntu Local Security Checks	high
99790	EulerOS 2.0 SP1 : wget (EulerOS-SA-2016-1027)	Nessus	Huawei Local Security Checks	high
96278	openSUSE Security Update : wget (openSUSE-2017-9)	Nessus	SuSE Local Security Checks	high
96140	SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2016:3268-1)	Nessus	SuSE Local Security Checks	high
95418	FreeBSD : wget -- Access List Bypass / Race Condition (479c5b91-b6cc-11e6-a04e-3417eb99b9a0)	Nessus	FreeBSD Local Security Checks	high
93714	SUSE SLES11 Security Update : wget (SUSE-SU-2016:2358-1)	Nessus	SuSE Local Security Checks	high
93436	openSUSE Security Update : wget (openSUSE-2016-1073)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2016-7098

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high