In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.

The remote NewStart CGSL host, running version MAIN 6.02, has curl packages installed that are affected by multiple vulnerabilities:

  - The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is     enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary     requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3)     execute arbitrary commands via a redirect to an scp: URL. (CVE-2009-0037)

  - The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl     and other products, always performs credential delegation during GSSAPI authentication, which allows     remote servers to impersonate clients via GSSAPI requests. (CVE-2011-2192)

  - curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a     pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as     demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol. (CVE-2012-0036)

  - Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl     and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote     attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in     the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message. (CVE-2013-0249)

  - The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path     domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the     domain of a URL. (CVE-2013-1944)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories.

The remote host is affected by the vulnerability described in GLSA-201709-14 (cURL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in cURL. Please review the       CVE identifiers referenced below for details.
  Impact :

    Remote attackers could cause a Denial of Service condition, obtain       sensitive information, or bypass intended restrictions for TLS sessions.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of Mac OS X version 10.x prior to 10.12.6, and is affected by multiple vulnerabilities :

 - An overflow condition exists in the curl component in the 'dprintf_formatf()' function that is triggered when handling floating point conversion. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9586)
 - A flaw exits in the curl component in the 'randit()' function within file lib/rand.c due to improper initialization of the 32-bit random value, which is used, for example, to generate Digest and NTLM authentication nonces, resulting in weaker cryptographic operations than expected. (CVE-2016-9594)
 - A flaw exists in the curl component in the 'allocate_conn()' function in lib/url.c when using the OCSP stapling feature for checking a X.509 certificate revocation status. The issue is triggered as the request option for OCSP stapling is not properly passed to the TLS library, resulting in no error being returned even when no proof of the validity of the certificate could be provided. A man-in-the-middle attacker can exploit this to provide a revoked certificate. (CVE-2017-2629)
 - A remote code execution vulnerability exists in the CoreAudio component due to improper validation of user-supplied input when handling movie files. An unauthenticated, remote attacker can exploit this, by convincing a user to play a specially crafted movie file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7008)
 - A memory corruption issue exists in the IOUSBFamily component due to improper validation of user-supplied input. A local attacker can exploit this, via a specially crafted application, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7009)
 - Multiple out-of-bounds read errors exist in the libxml2 component due to improper handling of specially crafted XML documents. An unauthenticated, remote attacker can exploit these to disclose user information. (CVE-2017-7010, CVE-2017-7013)
 - Multiple memory corruption issues exist in the Intel Graphics Driver component due to improper validation of input. A local attacker can exploit these issues to execute arbitrary code with elevated privileges. (CVE-2017-7014, CVE-2017-7017, CVE-2017-7035, CVE-2017-7044)
 - A remote code execution vulnerability exists in the Audio component due to improper validation of user-supplied input when handling audio files. An unauthenticated, remote attacker can exploit this, by convincing a user to play a specially crafted audio file, to execute arbitrary code. (CVE-2017-7015)
 - Multiple remote code execution vulnerabilities exist in the afclip component due to improper validation of user-supplied input when handling audio files. An unauthenticated, remote attacker can exploit these vulnerabilities, by convincing a user to play a specially crafted audio file, to execute arbitrary code. (CVE-2017-7016, CVE-2017-7033)
 - A memory corruption issue exists in the AppleGraphicsPowerManagement component due to improper validation of input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code with system privileges. (CVE-2017-7021)
 - Multiple memory corruption issues exist in the kernel due to improper validation of input. A local attacker can exploit these issues to cause a denial of service condition or the execution of arbitrary code with system privileges. (CVE-2017-7022, CVE-2017-7024, CVE-2017-7026)
 - Multiple memory corruption issues exist in the kernel due to improper validation of input. A local attacker can exploit these issues to cause a denial of service condition or the execution of arbitrary code with kernel privileges. (CVE-2017-7023, CVE-2017-7025, CVE-2017-7027, CVE-2017-7069)
 - Multiple unspecified flaws exist in the kernel due to a failure to properly sanitize input. A local attacker can exploit these issues, via a specially crafted application, to disclose restricted memory contents. (CVE-2017-7028, CVE-2017-7029, CVE-2017-7067)
 - A flaw exists in the Foundation component due to improper validation of input. A unauthenticated, remote attacker can exploit this, by convincing a user to open specially crafted file, to execute arbitrary code. (CVE-2017-7031)
 - A memory corruption issue exists in the 'kext tools' component due to improper validation of input. A local attacker can exploit this to execute arbitrary code with elevated privileges. (CVE-2017-7032)
 - Multiple unspecified flaws exist in the Intel Graphics Driver component due to a failure to properly sanitize input. A local attacker can exploit these issues, via a specially crafted application, to disclose restricted memory contents. (CVE-2017-7036, CVE-2017-7045)
 - A memory corruption issue exists in the libxpc component due to improper validation of input. A local attacker can exploit this issue, via a specifically crafted application, to cause a denial of service condition or the execution of arbitrary code with system privileges. (CVE-2017-7047)
 - Multiple memory corruption issues exist in the Bluetooth component due to improper validation of input. A local attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2017-7050, CVE-2017-7051)
 - A memory corruption issue exists in the Bluetooth component due to improper validation of input. A local attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2017-7054)
 - A buffer overflow condition exists in the Contacts component due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7062)
 - A buffer overflow condition exists in the libarchive component due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted archive file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7068)
 - A certificate validation bypass vulnerability exists in the curl component due to the program attempting to resume TLS sessions even if the client certificate fails. An unauthenticated, remote attacker can exploit this to bypass validation mechanisms. (CVE-2017-7468)
 - A memory corruption issue exists in the Broadcom BCM43xx family Wi-Fi Chips component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-9417)


The remote host is running Mac OS X 10.10.5, Mac OS X 10.11.6, or macOS 10.12.5 and is missing a security update. It is therefore, affected by multiple vulnerabilities :

  - An overflow condition exists in the curl component in     the dprintf_formatf() function that is triggered when     handling floating point conversion. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-9586)

  - A flaw exits in the curl component in the randit()     function within file lib/rand.c due to improper     initialization of the 32-bit random value, which is     used, for example, to generate Digest and NTLM     authentication nonces, resulting in weaker cryptographic     operations than expected. (CVE-2016-9594)

  - A flaw exists in the curl component in the     allocate_conn() function in lib/url.c when using the     OCSP stapling feature for checking a X.509 certificate     revocation status. The issue is triggered as the request     option for OCSP stapling is not properly passed to the     TLS library, resulting in no error being returned even     when no proof of the validity of the certificate could     be provided. A man-in-the-middle attacker can exploit     this to provide a revoked certificate. (CVE-2017-2629)

  - A remote code execution vulnerability exists in the     CoreAudio component due to improper validation of     user-supplied input when handling movie files. An     unauthenticated, remote attacker can exploit this, by     convincing a user to play a specially crafted movie     file, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2017-7008)

  - A memory corruption issue exists in the IOUSBFamily     component due to improper validation of user-supplied     input. A local attacker can exploit this, via a     specially crafted application, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2017-7009)

  - Multiple out-of-bounds read errors exist in the libxml2     component due to improper handling of specially crafted     XML documents. An unauthenticated, remote attacker can     exploit these to disclose user information.
    (CVE-2017-7010, CVE-2017-7013)

  - Multiple memory corruption issues exist in the Intel     Graphics Driver component due to improper validation of     input. A local attacker can exploit these issues to     execute arbitrary code with elevated privileges.
    (CVE-2017-7014, CVE-2017-7017, CVE-2017-7035,     CVE-2017-7044)

  - A remote code execution vulnerability exists in the     Audio component due to improper validation of     user-supplied input when handling audio files. An     unauthenticated, remote attacker can exploit this, by     convincing a user to play a specially crafted audio     file, to execute arbitrary code. (CVE-2017-7015)

  - Multiple remote code execution vulnerabilities exist in     the afclip component due to improper validation of     user-supplied input when handling audio files. An     unauthenticated, remote attacker can exploit these     vulnerabilities, by convincing a user to play a     specially crafted audio file, to execute arbitrary     code. (CVE-2017-7016, CVE-2017-7033)

  - A memory corruption issue exists in the     AppleGraphicsPowerManagement component due to improper     validation of input. A local attacker can exploit this     to cause a denial of service condition or the execution     of arbitrary code with system privileges.
    (CVE-2017-7021)

  - Multiple memory corruption issues exist in the kernel     due to improper validation of input. A local attacker     can exploit these issues to cause a denial of service     condition or the execution of arbitrary code with system     privileges. (CVE-2017-7022, CVE-2017-7024,     CVE-2017-7026)

  - Multiple memory corruption issues exist in the kernel     due to improper validation of input. A local attacker     can exploit these issues to cause a denial of service     condition or the execution of arbitrary code with kernel     privileges. (CVE-2017-7023, CVE-2017-7025,     CVE-2017-7027, CVE-2017-7069)

  - Multiple unspecified flaws exist in the kernel due to a     failure to properly sanitize input. A local attacker can     exploit these issues, via a specially crafted     application, to disclose restricted memory contents.
    (CVE-2017-7028, CVE-2017-7029, CVE-2017-7067)

  - A flaw exists in the Foundation component due to     improper validation of input. A unauthenticated, remote     attacker can exploit this, by convincing a user to open     specially crafted file, to execute arbitrary code.
    (CVE-2017-7031)

  - A memory corruption issue exists in the 'kext tools'     component due to improper validation of input. A local     attacker can exploit this to execute arbitrary code with     elevated privileges. (CVE-2017-7032)

  - Multiple unspecified flaws exist in the Intel Graphics     Driver component due to a failure to properly sanitize     input. A local attacker can exploit these issues, via a     specially crafted application, to disclose restricted     memory contents. (CVE-2017-7036, CVE-2017-7045)

  - A memory corruption issue exists in the libxpc component     due to improper validation of input. A local attacker     can exploit this issue, via a specifically crafted     application, to cause a denial of service condition or     the execution of arbitrary code with system privileges.
    (CVE-2017-7047)

  - Multiple memory corruption issues exist in the     Bluetooth component due to improper validation of input.
    A local attacker can exploit these issues to execute     arbitrary code with system privileges. (CVE-2017-7050,     CVE-2017-7051)

  - A memory corruption issue exists in the Bluetooth     component due to improper validation of input. A local     attacker can exploit these issues to execute arbitrary     code with system privileges. (CVE-2017-7054)

  - A buffer overflow condition exists in the Contacts     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition or the     execution of arbitrary code. (CVE-2017-7062)

  - A buffer overflow condition exists in the libarchive     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this, via a specially crafted archive file, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2017-7068)

  - A certificate validation bypass vulnerability exists in     the curl component due to the program attempting to     resume TLS sessions even if the client certificate     fails. An unauthenticated, remote attacker can exploit     this to bypass validation mechanisms. (CVE-2017-7468)

  - A memory corruption issue exists in the Broadcom BCM43xx     family Wi-Fi Chips component that allows an     unauthenticated, remote attacker to execute arbitrary     code. (CVE-2017-9417)

- fix switching off SSL session id when client cert is     used (CVE-2017-7468)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that curl incorrectly handled client certificates when resuming a TLS session. A remote attacker could use this to hijack a previously authenticated connection.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

cURL security advisory :

libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate).

libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster.

This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.

ID	Name	Product	Family	Severity
206854	NewStart CGSL MAIN 6.02 : curl Multiple Vulnerabilities (NS-SA-2024-0050)	Nessus	NewStart CGSL Local Security Checks	critical
106504	pfSense < 2.3.4 Multiple Vulnerabilities (SA-17_04)	Nessus	Firewalls	critical
103282	GLSA-201709-14 : cURL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
700170	Mac OS X 10.x < 10.12.6 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
101957	macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-003)	Nessus	MacOS X Local Security Checks	high
101616	Fedora 26 : curl (2017-3eec07cb06)	Nessus	Fedora Local Security Checks	high
99582	Ubuntu 17.04 : curl vulnerability (USN-3262-1)	Nessus	Ubuntu Local Security Checks	high
99552	FreeBSD : cURL -- TLS session resumption client cert bypass (again) (3e2e9b44-25ce-11e7-a175-939b30e0836d)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2017-7468

high

Tenable Plugins

critical

critical

high

critical

high

high

high

high