GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.

According to the versions of the wget package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A stack-based buffer overflow when processing chunked,     encoded HTTP responses was found in wget. By tricking     an unsuspecting user into connecting to a malicious     HTTP server, an attacker could exploit this flaw to     potentially execute arbitrary code.(CVE-2017-13089)

  - A flaw was found in the way Wget handled symbolic     links. A malicious FTP server could allow Wget running     in the mirror mode (using the '-m' command line option)     to write an arbitrary file to a location writable to by     the user running Wget, possibly leading to code     execution.(CVE-2014-4877)

  - A cookie injection flaw was found in wget. An attacker     can create a malicious website which, when accessed,     overrides cookies belonging to arbitrary     domains.(CVE-2018-0494)

  - It was found that wget used a file name provided by the     server for the downloaded file when following a HTTP     redirect to a FTP server resource. This could cause     wget to create a file with a different name than     expected, possibly allowing the server to execute     arbitrary code on the client.(CVE-2016-4971)

  - A heap-based buffer overflow, when processing chunked     encoded HTTP responses, was found in wget. By tricking     an unsuspecting user into connecting to a malicious     HTTP server, an attacker could exploit this flaw to     potentially execute arbitrary code.(CVE-2017-13090)

  - Race condition in wget 1.17 and earlier, when used in     recursive or mirroring mode to download a single file,     might allow remote servers to bypass intended access     list restrictions by keeping an HTTP connection     open.(CVE-2016-7098)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Palo Alto Networks PAN-OS running on the remote host is 6.1.x prior to 6.1.17, 7.0.x prior to 7.0.15, 7.1.x prior to 7.1.10, or 8.0.x prior to 8.0.2. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists in the GNU wget component when handling     server redirects to FTP resources due to the destination     file name being obtained from the redirected URL and not     the original URL. An unauthenticated, remote attacker     can exploit this, via a specially crafted response, to     cause a different file name to be used than intended,     resulting in writing to arbitrary files. (CVE-2016-4971)

  - A flaw exists in the Linux kernel due to improper     determination of the rate of challenge ACK segments. An     unauthenticated, remote attacker can exploit this to     gain access to the shared counter, which makes it easier     to hijack TCP sessions using a blind in-window attack.
    This issue only affects version 7.1.x. (CVE-2016-5696)

  - An out-of-bounds read error exists when handling packets     using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An     unauthenticated, remote attacker can exploit this, via     specially crafted truncated packets, to cause a denial     of service condition. This issue does not affect version     6.1.x. (CVE-2017-3731)

  - A cross-site scripting (XSS) vulnerability exists in     GlobalProtect due to improper validation of     user-supplied input to unspecified request parameters     before returning it to users. An unauthenticated, remote     attacker can exploit this, via a specially crafted     request, to execute arbitrary script code in a user's     browser session. This issue only affects version 7.0.x.
    (CVE-2017-7409)

  - A flaw exists in the web-based management interface due     to improper permission checks that allows an     authenticated, remote attacker to disclose sensitive     information. This issue only affects versions 6.1.x,     7.0.x, and 8.0.x. (CVE-2017-7644)

  - An information disclosure vulnerability exists in the     GlobalProtect external interface due to returning     different error messages when handling login attempts     with valid or invalid usernames. An unauthenticated,     remote attacker can exploit this to enumerate valid     user accounts. This issue only affects versions 6.1.x,     7.0.x, and 8.0.x. (CVE-2017-7945)

  - A denial of service vulnerability exists in the firewall     when handling stale responses to authentication requests     prior to selecting CHAP or PAP as the protocol. An     unauthenticated, remote attacker can exploit this to     cause the authentication process (authd) to stop     responding. This issue only affects versions 7.0.x and     7.1.x.

  - An information disclosure vulnerability exists when     viewing changes in the configuration log due to the     'Auth Password' and 'Priv Password' for the SNMPv3     server profile not being properly masked. A local     attacker can exploit this to disclose password     information. This issue only affects versions 7.1.x and     8.0.x.

  - A denial of service vulnerability exists due to a flaw     when handling HA3 messages. An unauthenticated, remote     attacker can exploit this to cause several processes to     stop. This issue only affects version 7.1.x.

According to the version of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - It was found that wget used a file name provided by the     server for the downloaded file when following a HTTP     redirect to a FTP server resource. This could cause     wget to create a file with a different name than     expected, possibly allowing the server to execute     arbitrary code on the client.(CVE-2016-4971)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Fix(es) :

  - It was found that wget used a file name provided by the     server for the downloaded file when following an HTTP     redirect to a FTP server resource. This could cause wget     to create a file with a different name than expected,     possibly allowing the server to execute arbitrary code     on the client. (CVE-2016-4971)

An update for wget is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols.

Security Fix(es) :

* It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971)

Red Hat would like to thank GNU wget project for reporting this issue.
Upstream acknowledges Dawid Golunski as the original reporter.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

From Red Hat Security Advisory 2016:2587 :

An update for wget is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols.

Security Fix(es) :

* It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971)

Red Hat would like to thank GNU wget project for reporting this issue.
Upstream acknowledges Dawid Golunski as the original reporter.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

The remote host is affected by the vulnerability described in GLSA-201610-11 (GNU Wget: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Wget. Please review the       CVE identifier and bug reports referenced for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process or obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

This update for wget fixes the following issues :

  - CVE-2016-4971: A HTTP to FTP redirection file name     confusion vulnerability was fixed. (bsc#984060).

  - CVE-2016-7098: A potential race condition was fixed by     creating files with .tmp ext and making them accessible     to the current user only. (bsc#995964) Bug fixed :

  - Wget failed with basicauth: Failed writing HTTP request:
    Bad file descriptor (bsc#958342)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for wget fixes the following issues :

  - Fix for HTTP to a FTP redirection file name confusion     vulnerability (bsc#984060, CVE-2016-4971).

  - Work around a libidn vulnerability (bsc#937096,     CVE-2015-2059).

  - Fix for wget fails with basicauth: Failed writing HTTP     request: Bad file descriptor (bsc#958342)

This update was imported from the SUSE:SLE-12:Update update project.

This update for wget fixes the following issues :

  - Fix for HTTP to a FTP redirection file name confusion     vulnerability (bsc#984060, CVE-2016-4971).

  - Work around a libidn vulnerability (bsc#937096,     CVE-2015-2059).

  - Fix for wget fails with basicauth: Failed writing HTTP     request: Bad file descriptor (bsc#958342)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for wget fixes the following issue :

  - CVE-2016-4971: HTTP to a FTP redirection file name     confusion vulnerability (boo#984060).

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
(CVE-2016-4971)

Updated to 1.18 due to CVE-2016-4971

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

GNU Wget contains a flaw that is triggered when handling server redirects to FTP resources, as the destination filename is obtained from the redirected URL and not original URL. With a specially crafted response, a context-dependent attacker may cause another filename to be used than intended, effectively allowing the attacker to execute arbitrary code.

On a server redirect from HTTP to a FTP resource, wget would trust the HTTP server and uses the name in the redirected URL as the destination filename. This behaviour was changed and now it works similarly as a redirect from HTTP to another HTTP resource so the original name is used as the destination file. To keep the previous behaviour the user must provide --trust-server-names.

For Debian 7 'Wheezy', these problems have been fixed in version 1.13.4-3+deb7u3.

We recommend that you upgrade your wget packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Giuseppe Scrivano reports :

On a server redirect from HTTP to a FTP resource, wget would trust the HTTP server and uses the name in the redirected URL as the destination filename.

Dawid Golunski discovered that Wget incorrectly handled filenames when being redirected from an HTTP to an FTP URL. A malicious server could possibly use this issue to overwrite local files.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

ID	Name	Product	Family	Severity
124920	EulerOS Virtualization 3.0.1.0 : wget (EulerOS-SA-2019-1417)	Nessus	Huawei Local Security Checks	high
100419	Palo Alto Networks PAN-OS 6.1.x < 6.1.17 / 7.0.x < 7.0.15 / 7.1.x < 7.1.10 / 8.0.x < 8.0.2 Multiple Vulnerabilities	Nessus	Palo Alto Local Security Checks	medium
99826	EulerOS 2.0 SP1 : wget (EulerOS-SA-2016-1064)	Nessus	Huawei Local Security Checks	high
95865	Scientific Linux Security Update : wget on SL7.x x86_64 (20161103)	Nessus	Scientific Linux Local Security Checks	high
95333	CentOS 7 : wget (CESA-2016:2587)	Nessus	CentOS Local Security Checks	high
94708	Oracle Linux 7 : wget (ELSA-2016-2587)	Nessus	Oracle Linux Local Security Checks	high
94550	RHEL 7 : wget (RHSA-2016:2587)	Nessus	Red Hat Local Security Checks	high
94422	GLSA-201610-11 : GNU Wget: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
93714	SUSE SLES11 Security Update : wget (SUSE-SU-2016:2358-1)	Nessus	SuSE Local Security Checks	high
93430	openSUSE Security Update : wget (openSUSE-2016-1067)	Nessus	SuSE Local Security Checks	high
93369	SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2016:2226-1)	Nessus	SuSE Local Security Checks	high
92931	openSUSE Security Update : wget (openSUSE-2016-973)	Nessus	SuSE Local Security Checks	high
92222	Amazon Linux AMI : wget (ALAS-2016-720)	Nessus	Amazon Linux Local Security Checks	high
92186	Fedora 24 : wget (2016-e14374472f)	Nessus	Fedora Local Security Checks	high
92074	Fedora 23 : wget (2016-2db8cbc2fd)	Nessus	Fedora Local Security Checks	high
92068	Fedora 22 : wget (2016-24135dfe43)	Nessus	Fedora Local Security Checks	high
802003	wget < 1.18 Arbitrary Code Execution	Log Correlation Engine	Web Clients	medium
91903	Debian DLA-536-1 : wget security update	Nessus	Debian Local Security Checks	high
91734	FreeBSD : wget -- HTTP to FTP redirection file name confusion vulnerability (6df56c60-3738-11e6-a671-60a44ce6887b)	Nessus	FreeBSD Local Security Checks	high
91728	Ubuntu 14.04 LTS / 16.04 LTS : Wget vulnerability (USN-3012-1)	Nessus	Ubuntu Local Security Checks	high
91573	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : wget (SSA:2016-165-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2016-4971

high

Tenable Plugins

high

medium

high

high

high

high

high

high

high

high

high

high

high

high

high

high

medium

high

high

high

high