FreeBSD : curl -- expired pointer dereference vulnerability (b905dff4-e227-11ea-b0ea-08002728f74c)

Severity: high | Nessus Plugin ID 139715

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

curl security problems:

CVE-2020-8231: wrong connect-only connection

An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option might, in rare circumstances, find that when it subsequently uses the connect-only transfer it set up, libcurl picks and uses the wrong connection, namely another one the application has created since then.

CURLOPT_CONNECT_ONLY is the option to tell libcurl to not perform an actual transfer, only connect. When that operation is completed, libcurl remembers which connection it used for that transfer and 'easy handle'. It remembers the connection using a pointer to the internal connectdata struct in memory.

If more transfers are then done with the same multi handle before the connect-only connection is used, leading to the initial connect-only connection getting closed (for example due to idle time-out) while new transfers (and connections) are also set up, such a new connection might end up getting the exact same memory address as the now closed connect-only connection.

If, after those operations, the application then wants to use the original transfer's connect-only setup, for example to call curl_easy_send() to send raw data over that connection, libcurl could erroneously find an existing connection still alive at the address it remembered from before, even though this is now a new and different connection.

The application could then, entirely unknowingly, send data over that connection which was never intended for that recipient.

Solution

Update the affected package.

See Also

https://curl.haxx.se/docs/security.html

https://curl.haxx.se/docs/CVE-2020-8231.html

http://www.nessus.org/u?20a6717e

Plugin Details

Severity: High

ID: 139715

File Name: freebsd_pkg_b905dff4e22711eab0ea08002728f74c.nasl

Version: 1.6

Type: local

Published: 8/20/2020

Updated: 2/23/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2020-8231

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:curl, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/19/2020

Vulnerability Publication Date: 8/19/2020

Reference Information

CVE: CVE-2020-8231

IAVA: 2020-A-0389-S