cURL/libcurl 7.x < 7.51.0 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9826

Synopsis

The host is running a version of cURL/libcurl that is vulnerable to multiple attack vectors.

Description

Versions of cURL and libcurl prior to 7.51.0 are affected by multiple vulnerabilities :

- A flaw exists in the International Domain Names (IDNA) handling when translating domain names to Punycode for DNS resolving. The issue is triggered as the outdated IDNA 2003 standard is used instead of IDNA 2008 for e.g. for the German 'LATIN SMALL LETTER SHARP S' Unicode character. This may result in incorrect translation for a domain name and in turn network traffic being directed to a different host than intended.
- A flaw exists in the 'ConnectionExists()' function in 'lib/url.c' that is triggered when checking credentials supplied for reused connections, as the comparison is case-insensitive. This may allow a remote attacker to authenticate without knowing the proper case of the username and password.
- An integer truncation flaw exists in the 'curl_easy_unescape()' function in 'lib/escape.c' that is triggered when handling overly large URLs. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.
- An integer overflow condition exists in the 'base64_encode()' function in 'lib/base64.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.
- A flaw exists in the 'alloc_addbyter()' function in 'lib/mprintf.c' that is triggered as overly long input is not properly validated when supplied to the 'curl_maprintf()' API method. This may allow a context-dependent attacker to free already freed memory and crash a process linked against the library.
- A use-after-free error exists in 'lib/cookie.c' that is triggered when handling shared cookies. This may allow a context-dependent attacker to dereference already freed memory and potentially disclose memory contents.
- A flaw exists in the 'parseurlandfillconn()' function in 'lib/url.c' that is triggered when parsing the authority component of an URL with the hostname part ending in a '#' character. This may allow a context-dependent attacker to establish a connection to a different host than intended.
- A double-free error exists in the 'read_data()' function in 'lib/security.c' that is triggered when handling Kerberos authentication. This may allow a context-dependent attacker to free already freed memory and have an unspecified impact.
- A flaw exists in the 'Curl_cookie_init()' function in 'lib/cookie.c' that is triggered when handling cookies. This may allow a context-dependent attacker to inject new cookies for arbitrary domains.
- An out-of-bounds read flaw exists in the 'parsedate()' function in 'lib/parsedate.c' that is triggered when handling dates. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An out-of-bounds access flaw exists in 'tool_urlglob.c' within the globbing feature. This may allow a context-dependent attacker to potentially disclose memory contents or execute arbitrary code.

Solution

Upgrade to cURL/libcurl 7.51.0 or later.

See Also

https://curl.haxx.se/docs/adv_20161102F.html

Plugin Details

Severity: High

ID: 9826

Family: Web Clients

Published: 12/9/2016

Updated: 3/6/2019

Nessus ID: 9764

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:haxx:curl

Patch Publication Date: 11/2/2016

Vulnerability Publication Date: 10/31/2016

Reference Information

CVE: CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625

BID: 94094, 94096, 94097, 94098, 94100, 94101, 94102, 94103, 94105, 94106, 94107