http://curl.haxx.se/docs/adv_20150429.html

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743

APPLE-SA-2015-08-13-2

openSUSE-SU-2015:0861

DSA-3240

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

74408

1032233

USN-2591-1

https://kc.mcafee.com/corporate/index?page=content&id=SB10131

https://support.apple.com/kb/HT205031

According to the version of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - The default configuration for cURL and libcurl before     7.42.1 sends custom HTTP headers to both the proxy and     destination server, which might allow remote proxy     servers to obtain sensitive information by reading the     header contents.(CVE-2015-3153)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The default configuration for cURL and libcurl before     7.42.1 sends custom HTTP headers to both the proxy and     destination server, which might allow remote proxy     servers to obtain sensitive information by reading the     header contents.(CVE-2015-3153)

  - curl before version 7.51.0 uses outdated IDNA 2003     standard to handle International Domain Names and this     may lead users to potentially and unknowingly issue     network transfer requests to the wrong     host.(CVE-2016-8625)

  - Heap buffer overflow in the TFTP protocol handler in     cURL 7.19.4 to 7.65.3.(CVE-2019-5482)

  - Curl versions 7.14.1 through 7.61.1 are vulnerable to a     heap-based buffer over-read in the tool_msgs.c:voutf()     function that may result in information exposure and     denial of service.(CVE-2018-16842)

  - The ConnectionExists function in lib/url.c in libcurl     before 7.47.0 does not properly re-use     NTLM-authenticated proxy connections, which might allow     remote attackers to authenticate as other users via a     request, a similar issue to     CVE-2014-0015.(CVE-2016-0755)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.5. The installed version is affected by multiple vulnerabilities in the following components :

 - apache (CVE-2014-3581, CVE-2014-3583, CVE-2014-8109, CVE-2015-0228, CVE-2015-0253, CVE-2015-3183, CVE-2015-3185)
 - apache_mod_php (CVE-2015-2783, CVE-2015-2787, CVE-2015-3307, CVE-2015-3329, CVE-2015-3330, CVE-2015-4021, CVE-2015-4022, CVE-2015-4024, CVE-2015-4025, CVE-2015-4026, CVE-2015-4147, CVE-2015-4148)
 - Apple ID OD Plug-in (CVE-2015-3799)
 - AppleGraphicsControl (CVE-2015-5768)
 - Bluetooth (CVE-2015-3777, CVE-2015-3779, CVE-2015-3780, CVE-2015-3786, CVE-2015-3787)
 - bootp (CVE-2015-3778)
 - CloudKit (CVE-2015-3782)
 - CoreMedia Playback (CVE-2015-5777, CVE-2015-5778)
 - CoreText (CVE-2015-5761, CVE-2015-5755)
 - curl (CVE-2014-3613, CVE-2014-3620, CVE-2014-3707, CVE-2014-8150, CVE-2014-8151, CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, CVE-2015-3148, CVE-2015-3153)
 - Data Detectors Engine (CVE-2015-5750)
 - Date & Time pref pane (CVE-2015-3757)
 - Dictionary Application (CVE-2015-3774)
 - DiskImages (CVE-2015-3800)
 - dyld (CVE-2015-3760)
 - FontParser (CVE-2015-3804, CVE-2015-5775, CVE-2015-5756)
 - groff (CVE-2009-5044, CVE-2009-5078)
 - ImageIO (CVE-2015-5758, CVE-2015-5781, CVE-2015-5782)
 - Install Framework Legacy (CVE-2015-5784, CVE-2015-5754)
 - IOFireWireFamily (CVE-2015-3769, CVE-2015-3771, CVE-2015-3772)
 - IOGraphics (CVE-2015-3770, CVE-2015-5783)
 - IOHIDFamily (CVE-2015-5774)
 - Kernel (CVE-2015-3766, CVE-2015-3768, CVE-2015-5747, CVE-2015-5748, CVE-2015-3806, CVE-2015-3803, CVE-2015-3802, CVE-2015-3805, CVE-2015-3776, CVE-2015-3761)
 - Libc (CVE-2015-3796, CVE-2015-3797, CVE-2015-3798)
 - Libinfo (CVE-2015-5776)
 - libpthread (CVE-2015-5757)
 - libxml2 (CVE-2014-0191, CVE-2014-3660, CVE-2015-3807)
 - libxpc (CVE-2015-3795)
 - mail_cmds (CVE-2014-7844)
 - Notification Center OSX (CVE-2015-3764)
 - ntfs (CVE-2015-5763)
 - OpenSSH (CVE-2015-5600)
 - OpenSSL (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792)
 - perl (CVE-2013-7422)
 - PostgreSQL (CVE-2014-0067, CVE-2014-8161, CVE-2015-0241, CVE-2015-0242, CVE-2015-0243, CVE-2015-0244)
 - python (CVE-2013-7040, CVE-2013-7338, CVE-2014-1912, CVE-2014-7185, CVE-2014-9365)
 - QL Office (CVE-2015-5773, CVE-2015-3784)
 - Quartz Composer Framework (CVE-2015-5771)
 - Quick Look (CVE-2015-3781)
 - QuickTime 7 (CVE-2015-3779, CVE-2015-5753, CVE-2015-5779, CVE-2015-3765, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751)
 - SceneKit (CVE-2015-5772, CVE-2015-3783)
 - Security (CVE-2015-3775)
 - SMBClient (CVE-2015-3773)
 - Speech UI (CVE-2015-3794)
 - sudo (CVE-2013-1775, CVE-2013-1776, CVE-2013-2776, CVE-2013-2777, CVE-2014-0106, CVE-2014-9680)
 - tcpdump (CVE-2014-8767, CVE-2014-8769, CVE-2014-9140)
 - Text Formats (CVE-2015-3762)
 - udf (CVE-2015-3767)

 Note that successful exploitation of the most serious issues can result in arbitrary code execution.

cURL and libcurl before 7.42.0 are unpatched for a flaw due to the program transmitting sensitive HTTP server headers within proxied traffic to the server allowing a remote attacker, with access to the proxy, to gain access to potentially sensitive information.

The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - apache_mod_php
  - Apple ID OD Plug-in
  - AppleGraphicsControl
  - Bluetooth
  - bootp
  - CloudKit
  - CoreMedia Playback
  - CoreText
  - curl
  - Data Detectors Engine
  - Date & Time pref pane
  - Dictionary Application
  - DiskImages
  - dyld
  - FontParser
  - groff
  - ImageIO
  - Install Framework Legacy
  - IOFireWireFamily
  - IOGraphics
  - IOHIDFamily
  - Kernel
  - Libc
  - Libinfo
  - libpthread
  - libxml2
  - libxpc
  - mail_cmds
  - Notification Center OSX
  - ntfs
  - OpenSSH
  - OpenSSL
  - perl
  - PostgreSQL
  - python
  - QL Office
  - Quartz Composer Framework
  - Quick Look
  - QuickTime 7
  - SceneKit
  - Security
  - SMBClient
  - Speech UI
  - sudo
  - tcpdump
  - Text Formats
  - udf 

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

curl was updated to fix five security issues.

The following vulnerabilities were fixed :

  - CVE-2015-3143: curl could re-use NTML authenticateds     connections

  - CVE-2015-3144: curl could access memory out of bounds     with zero length host names

  - CVE-2015-3145: curl cookie parser could access memory     out of boundary

  - CVE-2015-3148: curl could treat Negotiate as not     connection-oriented

  - CVE-2015-3153: curl could have sent sensitive HTTP     headers also to proxies

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The curl tool and libcurl4 library have been updated to fix several security and non-security issues.

The following vulnerabilities have been fixed :

CVE-2015-3143: Re-using authenticated connection when unauthenticated.
(bsc#927556)

CVE-2015-3148: Negotiate not treated as connection-oriented.
(bsc#927746)

CVE-2015-3153: Sensitive HTTP server headers also sent to proxies.
(bsc#928533)

The following non-security issue has been fixed :

git fails to clone from https repository. (bsc#927174)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

cURL reports :

libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPT_HTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option.

When the connection passes through an HTTP proxy the same set of headers is sent to the proxy as well by default. While this is by design, it has not necessarily been clear nor understood by application programmers.

curl was updated to 7.42.1 to fix one security issue.

The following vulnerability was fixed :

  - CVE-2015-3153: curl could have sent sensitive HTTP     headers also to proxies (bnc#928533)

Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP credentials when subsequently connecting to the same host over HTTP.
(CVE-2015-3143)

Hanno Bock discovered that curl incorrectly handled zero-length host names. If a user or automated system were tricked into using a specially crafted host name, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3144)

Hanno Bock discovered that curl incorrectly handled cookie path elements. If a user or automated system were tricked into parsing a specially crafted cookie, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3145)

Isaac Boukris discovered that when using Negotiate authenticated connections, curl could incorrectly authenticate the entire connection and not just specific HTTP requests. (CVE-2015-3148)

Yehezkel Horowitz and Oren Souroujon discovered that curl sent HTTP headers both to servers and proxies by default, contrary to expectations. This issue only affected Ubuntu 14.10 and Ubuntu 15.04.
(CVE-2015-3153).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that cURL, an URL transfer library, if configured to use a proxy server with the HTTPS protocol, by default could send to the proxy the same HTTP headers it sends to the destination server, possibly leaking sensitive information.

ID	Name	Product	Family	Severity
132283	EulerOS 2.0 SP3 : curl (EulerOS-SA-2019-2566)	Nessus	Huawei Local Security Checks	medium
131902	EulerOS 2.0 SP2 : curl (EulerOS-SA-2019-2410)	Nessus	Huawei Local Security Checks	high
8981	Mac OS X < 10.10.5 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
8864	cURL / libcURL 7.x < 7.42.1 Proxied Traffic HTTP Server Header Remote Disclosure	Nessus Network Monitor	Web Clients	medium
85408	Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
83988	SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2015:0990-1)	Nessus	SuSE Local Security Checks	high
83903	SUSE SLED11 / SLES11 Security Update : curl (SUSE-SU-2015:0962-1)	Nessus	SuSE Local Security Checks	medium
83841	FreeBSD : cURL -- sensitive HTTP server headers also sent to proxies (27f742f6-03f4-11e5-aab1-d050996490d0)	Nessus	FreeBSD Local Security Checks	medium
83395	openSUSE Security Update : curl (openSUSE-2015-356)	Nessus	SuSE Local Security Checks	medium
83182	Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : curl vulnerabilities (USN-2591-1)	Nessus	Ubuntu Local Security Checks	high
83146	Debian DSA-3240-1 : curl - security update	Nessus	Debian Local Security Checks	medium

CVE-2015-3153

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Tenable Plugins

medium

high

high

medium

high

high

medium

medium

medium

high

medium