http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

94094

1037192

RHSA-2018:2486

RHSA-2018:3558

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8616

https://curl.haxx.se/CVE-2016-8616.patch

https://curl.haxx.se/docs/adv_20161102B.html

GLSA-201701-47

https://www.tenable.com/security/tns-2016-21

Description of changes:

[7.29.0-51.0.1]
- Security Fixes [OraBug: 28939992]
- CVE-2016-8615 cookie injection for other servers (https://curl.haxx.se/docs/CVE-2016-8615.html)
- CVE-2016-8616 case insensitive password comparison (https://curl.haxx.se/docs/CVE-2016-8616.html)
- CVE-2016-8617 OOB write via unchecked multiplication (https://curl.haxx.se/docs/CVE-2016-8617.html)
- CVE-2016-8618 double-free in curl_maprintf (https://curl.haxx.se/docs/CVE-2016-8618.html)
- CVE-2016-8619 double-free in krb5 code (https://curl.haxx.se/docs/CVE-2016-8619.html)
- CVE-2016-8621 curl_getdate read out of bounds (https://curl.haxx.se/docs/CVE-2016-8621.html)
- CVE-2016-8622 URL unescape heap overflow via integer truncation (https://curl.haxx.se/docs/CVE-2016-8622.html)
- CVE-2016-8623 Use-after-free via shared cookies (https://curl.haxx.se/docs/CVE-2016-8623.html)
- CVE-2016-8624 invalid URL parsing with # (https://curl.haxx.se/docs/CVE-2016-8624.html)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - curl version curl 7.20.0 to and including curl 7.59.0     contains a CWE-126: Buffer Over-read vulnerability in     denial of service that can result in curl can be     tricked into reading data beyond the end of a heap     based buffer used to store downloaded RTSP     content..(CVE-2018-1000301)

  - It was found that the libcurl library did not check the     client certificate when choosing the TLS connection to     reuse. An attacker could potentially use this flaw to     hijack the authentication of the connection by     leveraging a previously created connection with a     different client certificate.(CVE-2016-5420)

  - It was discovered that libcurl could incorrectly reuse     NTLM-authenticated connections for subsequent     unauthenticated requests to the same host. If an     application using libcurl established an     NTLM-authenticated connection to a server, and sent     subsequent unauthenticated requests to the same server,     the unauthenticated requests could be sent over the     NTLM-authenticated connection, appearing as if they     were sent by the NTLM authenticated     user.(CVE-2015-3143)

  - libcurl may read outside of a heap allocated buffer     when doing FTP. When libcurl connects to an FTP server     and successfully logs in (anonymous or not), it asks     the server for the current directory with the `PWD`     command. The server then responds with a 257 response     containing the path, inside double quotes. The returned     path name is then kept by libcurl for subsequent uses.
    Due to a flaw in the string parser for this directory     name, a directory name passed like this but without a     closing double quote would lead to libcurl not adding a     trailing NUL byte to the buffer holding the name. When     libcurl would then later access the string, it could     read beyond the allocated heap buffer and crash or     wrongly access data beyond the buffer, thinking it was     part of the path. A malicious server could abuse this     fact and effectively prevent libcurl-based clients to     work with it - the PWD command is always issued on new     FTP connections and the mistake has a high chance of     causing a segfault. The simple fact that this has issue     remained undiscovered for this long could suggest that     malformed PWD responses are rare in benign servers. We     are not aware of any exploit of this flaw. This bug was     introduced in commit     415d2e7cb7(https://github.com/curl/curl/commit/415d2e7c     b7), March 2005. In libcurl version 7.56.0, the parser     always zero terminates the string but also rejects it     if not terminated properly with a final double     quote.(CVE-2017-1000254)

  - It was discovered that libcurl could incorrectly reuse     Negotiate authenticated HTTP connections for subsequent     requests. If an application using libcurl established a     Negotiate authenticated HTTP connection to a server and     sent subsequent requests with different credentials,     the connection could be re-used with the initial set of     credentials instead of using the new     ones.(CVE-2015-3148)

  - Heap-based buffer overflow in the curl_easy_unescape     function in lib/escape.c in cURL and libcurl 7.7     through 7.30.0 allows remote attackers to cause a     denial of service (application crash) or possibly     execute arbitrary code via a crafted string ending in a     ''%'' (percent) character.(CVE-2013-2174)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2016-8616)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2016-8619)

  - It was found that curl and libcurl might send their     Authentication header to a third party HTTP server upon     receiving an HTTP REDIRECT reply. This could leak     authentication token to external     entities.(CVE-2018-1000007)

  - A flaw was found in the way the libcurl library     performed the duplication of connection handles. If an     application set the CURLOPT_COPYPOSTFIELDS option for a     handle, using the handle's duplicate could cause the     application to crash or disclose a portion of its     memory.(CVE-2014-3707)

  - Multiple integer overflow flaws leading to heap-based     buffer overflows were found in the way curl handled     escaping and unescaping of data. An attacker could     potentially use these flaws to crash an application     using libcurl by sending a specially crafted input to     the affected libcurl functions.(CVE-2016-7167)

  - When doing a TFTP transfer and curl/libcurl is given a     URL that contains a very long file name (longer than     about 515 bytes), the file name is truncated to fit     within the buffer boundaries, but the buffer size is     still wrongly updated to use the untruncated length.
    This too large value is then used in the sendto() call,     making curl attempt to send more data than what is     actually put into the buffer. The endto() function will     then read beyond the end of the heap based buffer. A     malicious HTTP(S) server could redirect a vulnerable     libcurl-using client to a crafted TFTP URL (if the     client hasn't restricted which protocols it allows     redirects to) and trick it to send private memory     contents to a remote server over UDP. Limit curl's     redirect protocols with --proto-redir and libcurl's     with CURLOPT_REDIR_PROTOCOLS.(CVE-2017-1000100)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password. (CVE-2016-8616)

Impact

An attacker can cause an unused connection with credentials to be reused if the attacker knows the case-insensitive version of the correct password. Local access to an affected F5 system is necessary to trigger the exploit from the affected F5 system.

The version of Oracle Secure Global Desktop installed on the remote host is 4.71, 5.2, or 5.3 and is missing a security patch from the April 2017 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities :

  - An integer overflow condition exists in the Window System     (X11) subcomponent in multiple functions in X.Org libExt     due to improper validation of user-supplied input when     calculating the amount of memory required to handle     return data. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     the execution of arbitrary code. Note that this issue     only affects version 4.71. (CVE-2013-1982)

  - An integer overflow condition exists in X.Org libXfixes     in the XFixesGetCursorImage() function when handling     large cursor dimensions or name lengths due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2013-1983)

  - An integer overflow condition exists within multiple     functions in X.Org libXi due to improper validation of     user-supplied input when calculating the amount of     memory needed to handle return data. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2013-1984)

  - An integer overflow condition exists in X.Org     libXinerama in the XineramaQueryScreens() function due     to improper validation of user-supplied input when     calculating the amount of memory needed to handle return     data. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition or the     execution of arbitrary code. (CVE-2013-1985)

  - An integer overflow condition exists in multiple     functions in X.Org libXrandr due to improper validation     of user-supplied input when calculating the amount of     memory needed to handle return data. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2013-1986)

  - An integer overflow condition exists in multiple     functions in X.Org libXrender due to improper validation     of user-supplied input when calculating the amount of     memory needed to handle return data. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2013-1987)

  - An overflow condition exists in X.Org libXi in the     XListInputDevices() function, related to an unexpected     sign extension, due to improper checking of the amount     of memory needed to handle returned data when converting     smaller integer types to larger ones. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2013-1995)

  - An overflow condition exists within multiple functions     in X.Org LibXi due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this, via a specially crafted length or     index, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2013-1998)

  - An overflow condition exists in X.Org LibXt in the
    _XtResourceConfigurationEH() function due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this, via a specially     crafted length or index, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2013-2002)

  - An integer overflow condition exists in X.Org libXcursor     in the  _XcursorFileHeaderCreate() function due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this, via     a specially crafted file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2013-2003)

  - An uninitialized pointer flaw exists within multiple     functions in X.Org LibXt due to a failure to check for     proper initialization of pointers. An unauthenticated,     remote attacker can exploit this to corrupt memory,     resulting in a denial of service condition or the     possible execution of arbitrary code. (CVE-2013-2005)

  - A flaw exists in the Application Server subcomponent     (Apache Tomcat) due to a failure to process passwords     when they are paired with non-existent usernames. An     authenticated, remote attacker can exploit this, via a     timing attack, to enumerate user account names.
    (CVE-2016-0762)

  - Multiple integer overflow conditions exist in s3_srvr.c,     ssl_sess.c, and t1_lib.c due to improper use of pointer     arithmetic for heap-buffer boundary checks. An     unauthenticated, remote attacker can exploit these to     cause a denial of service. (CVE-2016-2177)

  - An information disclosure vulnerability exists in the     dsa_sign_setup() function in dsa_ossl.c due to a failure     to properly ensure the use of constant-time operations.
    An unauthenticated, remote attacker can exploit this,     via a timing side-channel attack, to disclose DSA key     information. (CVE-2016-2178)

  - A denial of service vulnerability exists in the DTLS     implementation due to a failure to properly restrict the     lifetime of queue entries associated with unused     out-of-order messages. An unauthenticated, remote     attacker can exploit this, by maintaining multiple     crafted DTLS sessions simultaneously, to exhaust memory.
    (CVE-2016-2179)

  - An out-of-bounds read error exists in the X.509 Public     Key Infrastructure Time-Stamp Protocol (TSP)     implementation. An unauthenticated, remote attacker can     exploit this, via a crafted time-stamp file that is     mishandled by the 'openssl ts' command, to cause a     denial of service or to disclose sensitive information.
    (CVE-2016-2180)

  - A denial of service vulnerability exists in the     Anti-Replay feature in the DTLS implementation due to     improper handling of epoch sequence numbers in records.
    An unauthenticated, remote attacker can exploit this,     via spoofed DTLS records, to cause legitimate packets to     be dropped. (CVE-2016-2181)

  - An overflow condition exists in the BN_bn2dec() function     in bn_print.c due to improper validation of     user-supplied input when handling BIGNUM values. An     unauthenticated, remote attacker can exploit this to     crash the process. (CVE-2016-2182)

  - A vulnerability exists, known as SWEET32, in the 3DES     and Blowfish algorithms due to the use of weak 64-bit     block ciphers by default. A man-in-the-middle attacker     who has sufficient resources can exploit this     vulnerability, via a 'birthday' attack, to detect a     collision that leaks the XOR between the fixed secret     and a known plaintext, allowing the disclosure of the     secret text, such as secure HTTPS cookies, and possibly     resulting in the hijacking of an authenticated session.
    (CVE-2016-2183)

  - A flaw exists in the Core subcomponent, specifically in     the libcurl library, due to improper validation of TLS     certificates. An authenticated, remote attacker with the     ability to intercept network traffic can exploit this     issue to disclose or manipulate transmitted data by     spoofing the TLS/SSL server using a certificate that     appears valid. Note that this issue only affects     versions 5.2 and 5.3. (CVE-2016-3739)

  - A flaw exists in cURL and libcurl when loading dynamic     link library (DLL) files security.dll, secur32.dll, or     ws2_32.dll due searching an insecure path which may not     be trusted or under user control. A local attacker can     exploit this, via a Trojan DLL file placed in the search     path, to execute arbitrary code with the privileges of     the user running the program. (CVE-2016-4802)

  - A security bypass vulnerability exists in Apache Tomcat     due to an unspecified flaw related to web applications.
    A local attacker can exploit this, via a utility method     that is available to web applications, to bypass a     configured SecurityManager. (CVE-2016-5018)

  - An out-of-bounds access error exists in the Window     System (X11) subcomponent, specifically in the     XvQueryAdaptors() function in file Xv.c, when handling     server responses. An authenticated, remote attacker can     exploit this to impact confidentiality, integrity, and     availability. (CVE-2016-5407)

  - A use-after-free error exists in cURL and libcurl within     file lib/vtls/vtls.c due to the program attempting to     resume TLS sessions even if the client certificate     fails. An unauthenticated, remote attacker can exploit     this to bypass validation mechanisms, allowing the     attacker to possibly control which connection is used.
    (CVE-2016-5419)

  - A flaw exists in cURL and libcurl in the     Curl_ssl_config_matches() function within file     lib/vtls/vtls.c due to the program reusing TLS     connections with different client certificates. An     unauthenticated, remote attacker can exploit this to     disclose sensitive cross-realm information.
    (CVE-2016-5420)

  - A use-after-free error exists in cURL and libcurl in     in the close_all_connections() function within file     lib/multi.c due to connection pointers not being     properly cleared. An unauthenticated, remote attacker     can exploit this to have an unspecified impact on     confidentiality, integrity, and availability.
    (CVE-2016-5421)

  - A flaw exists in the tls_decrypt_ticket() function     in t1_lib.c due to improper handling of ticket HMAC     digests. An unauthenticated, remote attacker can exploit     this, via a ticket that is too short, to crash the     process, resulting in a denial of service.
    (CVE-2016-6302)

  - An integer overflow condition exists in the     MDC2_Update() function in mdc2dgst.c due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a heap-based     buffer overflow, resulting in a denial of service     condition or possibly the execution of arbitrary code.
    (CVE-2016-6303)

  - A flaw exists in the ssl_parse_clienthello_tlsext()     function in t1_lib.c due to improper handling of overly     large OCSP Status Request extensions from clients. An     unauthenticated, remote attacker can exploit this, via     large OCSP Status Request extensions, to exhaust memory     resources, resulting in a denial of service condition.
    (CVE-2016-6304)

  - A flaw exists in the SSL_peek() function in     rec_layer_s3.c due to improper handling of empty     records. An unauthenticated, remote attacker can exploit     this, by triggering a zero-length record in an SSL_peek     call, to cause an infinite loop, resulting in a denial     of service condition. (CVE-2016-6305)

  - An out-of-bounds read error exists in the certificate     parser that allows an unauthenticated, remote attacker     to cause a denial of service via crafted certificate     operations. (CVE-2016-6306)

  - A denial of service vulnerability exists in the     state-machine implementation due to a failure to check     for an excessive length before allocating memory. An     unauthenticated, remote attacker can exploit this, via a     crafted TLS message, to exhaust memory resources.
    (CVE-2016-6307)

  - A denial of service vulnerability exists in the DTLS     implementation due to improper handling of excessively     long DTLS messages. An unauthenticated, remote attacker     can exploit this, via a crafted DTLS message, to exhaust     available memory resources. (CVE-2016-6308)

  - A flaw exists in Apache Tomcat within SecurityManager     due to improper restriction of access to system     properties by the configuration files system property     replacement feature. A local attacker can exploit this,     via a crafted web application, to bypass SecurityManager     restrictions and disclose system properties.
    (CVE-2016-6794)

  - A flaw exists in Apache Tomcat that allows a local     attacker to bypass a configured SecurityManager by     changing the configuration parameters for the JSP     Servlet. (CVE-2016-6796)

  - A flaw exists in Apache Tomcat due to a failure to limit     web application access to global JNDI resources. A local     attacker can exploit this to gain unauthorized access to     resources. (CVE-2016-6797)

  - A flaw exists in Apache Tomcat when handling request     lines containing certain invalid characters. An     unauthenticated, remote attacker can exploit this to     conduct HTTP response splitting attacks by injecting     additional headers into responses. (CVE-2016-6816)

  - An infinite loop condition exists in Apache Tomcat in     the HTTP/2 parser when handling overly large headers. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to cause a denial of service     condition. (CVE-2016-6817)

  - A carry propagation error exists in the     Broadwell-specific Montgomery multiplication procedure     when handling input lengths divisible by but longer than     256 bits. This can result in transient authentication     and key negotiation failures or reproducible erroneous     outcomes of public-key operations with specially crafted     input. A man-in-the-middle attacker can possibly exploit     this issue to compromise ECDH key negotiations that     utilize Brainpool P-512 curves. (CVE-2016-7055)

  - A flaw exists in cURL in the Curl_cookie_init() function     within file lib/cookie.c when handling cookies. An     unauthenticated, remote attacker can exploit this to     inject new cookies for arbitrary domains.
    (CVE-2016-8615)

  - A flaw exists in cURL in the ConnectionExists() function     within file lib/url.c when checking credentials supplied     for reused connections due to the comparison being     case-insensitive. An unauthenticated, remote attacker     can exploit this to authenticate without knowing the     proper case of the username and password.
    (CVE-2016-8616)

  - An integer overflow condition exists in cURL in the     base64_encode() function within file lib/base64.c due to     improper validation of certain input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-8617)

  - A denial of service vulnerability exists in cURL in the     alloc_addbyter() function within file lib/mprintf.c due     to improper validation of overly long input when it is     supplied to the curl_maprintf() API method. An     unauthenticated, remote attacker can exploit this to     free already freed memory and thereby crash the program.
    (CVE-2016-8618)

  - A double-free error exists in cURL in the read_data()     function within file lib/security.c when handling     Kerberos authentication. An unauthenticated, remote     attacker can exploit this to free already freed memory,     resulting in an unspecified impact on confidentiality,     integrity, and availability. (CVE-2016-8619)

  - An out-of-bounds access error exists in cURL in file     tool_urlglob.c within the globbing feature. An     unauthenticated, remote attacker can exploit this to     disclose memory contents or execute arbitrary code.
    (CVE-2016-8620)

  - An out-of-bounds error exists in cURL in the parsedate()     function within file lib/parsedate.c when handling     dates. An unauthenticated, remote attacker can exploit     this to disclose memory contents or cause a denial of     service condition. (CVE-2016-8621)

  - An integer truncation error exists in cURL in the     curl_easy_unescape() function within file lib/escape.c     when handling overly large URLs. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-8622)

  - A use-after-free error exists in cURL within file     lib/cookie.c when handling shared cookies. An     unauthenticated, remote attacker can exploit this to     disclose memory contents. (CVE-2016-8623)

  - A flaw exists in cURL in the parseurlandfillconn()     function within file lib/url.c when parsing the     authority component of a URL with the host name part     ending in a '#' character. An unauthenticated, remote     attacker can exploit this to establish a connection to     a different host than intended. (CVE-2016-8624)

  - A flaw exists in cURL within International Domain Names     (IDNA) handling when translating domain names to puny     code for DNS resolving due to using the outdated IDNA     2003 standard instead of the IDNA 2008 standard, which     can result in incorrect translation of a domain name.
    An unauthenticated, remote attacker can exploit this to     cause network traffic to be redirected to a different     host than intended. (CVE-2016-8625)

  - A flaw exists in Apache Tomcat within the     catalina/mbeans/JmxRemoteLifecycleListener.java class     that is triggered during the deserialization of Java     objects. An unauthenticated, remote attacker can exploit     this to execute arbitrary code. (CVE-2016-8735)

  - A flaw exists in the Web Server component (Apache HTTP     Server) when handling whitespace patterns in User-Agent     headers. An authenticated, remote attacker can exploit     this, via a specially crafted User-Agent header, to     cause incorrect processing of sequences of requests,     resulting in incorrectly interpreting responses,     polluting the cache, or disclosing content from one     request to a second downstream user-agent.
    (CVE-2016-8743)

  - A NULL pointer dereference flaw exists within file     ssl/statem/statem_clnt.c when handling parameters for     the DHE or ECDHE key exchanges. An unauthenticated,     remote attacker can exploit this, via specially crafted     parameters, to cause a denial of service condition.
    (CVE-2017-3730)

  - A out-of-bounds read error exists exists in the Core     subcomponent, specifically in OpenSSL, when handling     packets using the CHACHA20/POLY1305 or RC4-MD5 ciphers.
    An unauthenticated, remote attacker can exploit this,     via specially crafted truncated packets, to cause a     denial of service condition. (CVE-2017-3731)

  - A carry propagating error exists in the x86_64     Montgomery squaring implementation that may cause the     BN_mod_exp() function to produce incorrect results. An     unauthenticated, remote attacker with sufficient     resources can exploit this to obtain sensitive     information regarding private keys. Note that this issue     is very similar to CVE-2015-3193. Moreover, the attacker     would additionally need online access to an unpatched     system using the target private key in a scenario with     persistent DH parameters and a private key that is     shared between multiple clients. For example, this can     occur by default in OpenSSL DHE based SSL/TLS cipher     suites. (CVE-2017-3732)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple integer overflows in the (1) curl_escape, (2)     curl_easy_escape, (3) curl_unescape, and (4)     curl_easy_unescape functions in libcurl before 7.50.3     allow attackers to have unspecified impact via a string     of length 0xffffffff, which triggers a heap-based     buffer overflow.(CVE-2016-7167)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be     provided.(CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE
    -2016-8618,CVE-2016-8619,CVE-2016-8621,CVE-2016-8622,CV     E-2016-8623,CVE-2016-8624)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201701-47 (cURL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in cURL. Please review the       CVE identifiers and bug reports referenced for details.
  Impact :

    Remote attackers could conduct a Man-in-the-Middle attack to obtain       sensitive information, cause a Denial of Service condition, or execute       arbitrary code.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of macOS that is 10.12.x prior to 10.12.2. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache_mod_php
  - AppleGraphicsPowerManagement
  - Assets
  - Audio
  - Bluetooth
  - CoreCapture
  - CoreFoundation
  - CoreGraphics
  - CoreMedia External Displays
  - CoreMedia Playback
  - CoreStorage
  - CoreText
  - curl
  - Directory Services
  - Disk Images
  - FontParser
  - Foundation
  - Grapher
  - ICU
  - ImageIO
  - Intel Graphics Driver
  - IOFireWireFamily
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - IOSurface
  - Kernel
  - kext tools
  - libarchive
  - LibreSSL
  - OpenLDAP
  - OpenPAM
  - OpenSSL
  - Power Management
  - Security
  - syslog
  - WiFi
  - xar

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Furthermore, CVE-2016-6304, CVE-2016-7596, and CVE-2016-7604 also affect Mac OS X versions 10.10.5 and 10.11.6. However, this plugin does not check those versions.

Versions of cURL and libcurl prior to 7.51.0 are affected by multiple vulnerabilities :

 - A flaw exists in the International Domain Names (IDNA) handling when translating domain names to Punycode for DNS resolving. The issue is triggered as the outdated IDNA 2003 standard is used instead of IDNA 2008 for e.g. for the German 'LATIN SMALL LETTER SHARP S' Unicode character. This may result in incorrect translation for a domain name and in turn network traffic being directed to a different host than intended.
 - A flaw exists in the 'ConnectionExists()' function in 'lib/url.c' that is triggered when checking credentials supplied for reused connections, as the comparison is case-insensitive. This may allow a remote attacker to authenticate without knowing the proper case of the username and password.
 - An integer truncation flaw exists in the 'curl_easy_unescape()' function in 'lib/escape.c' that is triggered when handling overly large URLs. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.
 - An integer overflow condition exists in the 'base64_encode()' function in 'lib/base64.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.
 - A flaw exists in the 'alloc_addbyter()' function in 'lib/mprintf.c' that is triggered as overly long input is not properly validated when supplied to the 'curl_maprintf()' API method. This may allow a context-dependent attacker to free already freed memory and crash a process linked against the library.
 - A use-after-free error exists in 'lib/cookie.c' that is triggered when handling shared cookies. This may allow a context-dependent attacker to dereference already freed memory and potentially disclose memory contents.
 - A flaw exists in the 'parseurlandfillconn()' function in 'lib/url.c' that is triggered when parsing the authority component of an URL with the hostname part ending in a '#' character. This may allow a context-dependent attacker to establish a connection to a different host than intended.
 - A double-free error exists in the 'read_data()' function in 'lib/security.c' that is triggered when handling Kerberos authentication. This may allow a context-dependent attacker to free already freed memory and have an unspecified impact.
 - A flaw exists in the 'Curl_cookie_init()' function in 'lib/cookie.c' that is triggered when handling cookies. This may allow a context-dependent attacker to inject new cookies for arbitrary domains.
 - An out-of-bounds read flaw exists in the 'parsedate()' function in 'lib/parsedate.c' that is triggered when handling dates. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
 - An out-of-bounds access flaw exists in 'tool_urlglob.c' within the globbing feature. This may allow a context-dependent attacker to potentially disclose memory contents or execute arbitrary code.

- fix cookie injection for other servers (CVE-2016-8615)

  - compare user/passwd case-sensitively while reusing     connections (CVE-2016-8616)

  - base64: check for integer overflow on large input     (CVE-2016-8617)

  - fix double-free in krb5 code (CVE-2016-8619)

  - fix double-free in curl_maprintf() (CVE-2016-8618)

  - fix glob parser write/read out of bounds (CVE-2016-8620)

  - fix out-of-bounds read in curl_getdate() (CVE-2016-8621)

  - fix URL unescape heap overflow via integer truncation     (CVE-2016-8622)

  - fix use-after-free via shared cookies (CVE-2016-8623)

  - urlparse: accept '#' as end of host name (CVE-2016-8624)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2016-8615 If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. The issue pertains to the function that loads cookies into memory, which reads the specified file into a fixed-size buffer in a line-by-line manner using the `fgets()` function. If an invocation of fgets() cannot read the whole line into the destination buffer due to it being too small, it truncates the output. This way, a very long cookie (name + value) sent by a malicious server would be stored in the file and subsequently that cookie could be read partially and crafted correctly, it could be treated as a different cookie for another server.

CVE-2016-8616 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.

CVE-2016-8617 In libcurl's base64 encode function, the output buffer is allocated as follows without any checks on insize: malloc( insize * 4 / 3 + 4 ) On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the multiplication in the expression wraps around if insize is at least 1GB of data. If this happens, an undersized output buffer will be allocated, but the full result will be written, thus causing the memory behind the output buffer to be overwritten. Systems with 64 bit versions of the `size_t` type are not affected by this issue.

CVE-2016-8618 The libcurl API function called `curl_maprintf()` can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables. The function is also used internallty in numerous situations. Systems with 64 bit versions of the `size_t` type are not affected by this issue.

CVE-2016-8619 In curl's implementation of the Kerberos authentication mechanism, the function `read_data()` in security.c is used to fill the necessary krb5 structures. When reading one of the length fields from the socket, it fails to ensure that the length parameter passed to realloc() is not set to 0.

CVE-2016-8621 The `curl_getdate` converts a given date string into a numerical timestamp and it supports a range of different formats and possibilites to express a date and time. The underlying date parsing function is also used internally when parsing for example HTTP cookies (possibly received from remote servers) and it can be used when doing conditional HTTP requests.

CVE-2016-8622 The URL percent-encoding decode function in libcurl is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.

CVE-2016-8623 libcurl explicitly allows users to share cookies between multiple easy handles that are concurrently employed by different threads. When cookies to be sent to a server are collected, the matching function collects all cookies to send and the cookie lock is released immediately afterwards. That funcion however only returns a list with

*references* back to the original strings for name, value, path and so on. Therefore, if another thread quickly takes the lock and frees one of the original cookie structs together with its strings, a use-after-free can occur and lead to information disclosure. Another thread can also replace the contents of the cookies from separate HTTP responses or API calls.

CVE-2016-8624 curl doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.

For Debian 7 'Wheezy', these problems have been fixed in version 7.26.0-1+wheezy17.

We recommend that you upgrade your curl packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for curl fixes the following security issues :

  - CVE-2016-8624: invalid URL parsing with '#'     (bsc#1005646)

  - CVE-2016-8623: Use-after-free via shared cookies     (bsc#1005645)

  - CVE-2016-8622: URL unescape heap overflow via integer     truncation (bsc#1005643)

  - CVE-2016-8621: curl_getdate read out of bounds     (bsc#1005642)

  - CVE-2016-8620: glob parser write/read out of bounds     (bsc#1005640)

  - CVE-2016-8619: double-free in krb5 code (bsc#1005638)

  - CVE-2016-8618: double-free in curl_maprintf     (bsc#1005637)

  - CVE-2016-8617: OOB write via unchecked multiplication     (bsc#1005635)

  - CVE-2016-8616: case insensitive password comparison     (bsc#1005634)

  - CVE-2016-8615: cookie injection for other servers     (bsc#1005633)

  - CVE-2016-7167: escape and unescape integer overflows     (bsc#998760)

This update was imported from the SUSE:SLE-12:Update update project.

This build resolves the following issues :

CVE-2016-8615 : Cookie injection for other servers

CVE-2016-8616 : Case insensitive password comparison

CVE-2016-8617 : Out-of-bounds write via unchecked multiplication

CVE-2016-8618 : Double-free in curl_maprintf

CVE-2016-8619 : Double-free in krb5 code

CVE-2016-8620 : Glob parser write/read out of bounds

CVE-2016-8621 : curl_getdate out-of-bounds read

CVE-2016-8622 : URL unescape heap overflow via integer truncation

CVE-2016-8623 : Use-after-free via shared cookies

CVE-2016-8624 : Invalid URL parsing with '#'

Several vulnerabilities were discovered in cURL, an URL transfer library :

  - CVE-2016-8615     It was discovered that a malicious HTTP server could     inject new cookies for arbitrary domains into a cookie     jar.

  - CVE-2016-8616     It was discovered that when re-using a connection, curl     was doing case insensitive comparisons of user name and     password with the existing connections.

  - CVE-2016-8617     It was discovered that on systems with 32-bit addresses     in userspace (e.g. x86, ARM, x32), the output buffer     size value calculated in the base64 encode function     would wrap around if input size was at least 1GB of     data, causing an undersized output buffer to be     allocated.

  - CVE-2016-8618     It was discovered that the curl_maprintf() function     could be tricked into doing a double-free due to an     unsafe size_t multiplication on systems using 32 bit     size_t variables.

  - CVE-2016-8619     It was discovered that the Kerberos implementation could     be tricked into doing a double-free when reading one of     the length fields from a socket.

  - CVE-2016-8620     It was discovered that the curl tool's 'globbing'     feature could write to invalid memory areas when parsing     invalid ranges.

  - CVE-2016-8621     It was discovered that the function curl_getdate could     read out of bounds when parsing invalid date strings.

  - CVE-2016-8622     It was discovered that the URL percent-encoding decode     function would return a signed 32bit integer variable as     length, even though it allocated a destination buffer     larger than 2GB, which would lead to a out-of-bounds     write.

  - CVE-2016-8623     It was discovered that libcurl could access an     already-freed memory area due to concurrent access to     shared cookies. This could lead to a denial of service     or disclosure of sensitive information.

  - CVE-2016-8624     It was discovered that curl wouldn't parse the authority     component of a URL correctly when the host name part     ends with a '#' character, and could be tricked into     connecting to a different host.

It was discovered that curl incorrectly reused client certificates when built with NSS. A remote attacker could possibly use this issue to hijack the authentication of a TLS connection. (CVE-2016-7141)

Nguyen Vu Hoang discovered that curl incorrectly handled escaping certain strings. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7167)

It was discovered that curl incorrectly handled storing cookies. A remote attacker could possibly use this issue to inject cookies for arbitrary domains in the cookie jar. (CVE-2016-8615)

It was discovered that curl incorrect handled case when comparing user names and passwords. A remote attacker with knowledge of a case-insensitive version of the correct password could possibly use this issue to cause a connection to be reused. (CVE-2016-8616)

It was discovered that curl incorrect handled memory when encoding to base64. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8617)

It was discovered that curl incorrect handled memory when preparing formatted output. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8618)

It was discovered that curl incorrect handled memory when performing Kerberos authentication. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8619)

Luat Nguyen discovered that curl incorrectly handled parsing globs. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8620)

Luat Nguyen discovered that curl incorrectly handled converting dates. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service. (CVE-2016-8621)

It was discovered that curl incorrectly handled URL percent-encoding decoding. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8622)

It was discovered that curl incorrectly handled shared cookies. A remote server could possibly obtain incorrect cookies or other sensitive information. (CVE-2016-8623)

Fernando Munoz discovered that curl incorrect parsed certain URLs. A remote attacker could possibly use this issue to trick curl into connecting to a different host. (CVE-2016-8624).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for curl fixes the following security issues :

  - CVE-2016-8624: invalid URL parsing with '#'     (bsc#1005646)

  - CVE-2016-8623: Use-after-free via shared cookies     (bsc#1005645)

  - CVE-2016-8621: curl_getdate read out of bounds     (bsc#1005642)

  - CVE-2016-8619: double-free in krb5 code (bsc#1005638)

  - CVE-2016-8618: double-free in curl_maprintf     (bsc#1005637)

  - CVE-2016-8617: OOB write via unchecked multiplication     (bsc#1005635)

  - CVE-2016-8616: case insensitive password comparison     (bsc#1005634)

  - CVE-2016-8615: cookie injection for other servers     (bsc#1005633)

  - CVE-2016-7167: escape and unescape integer overflows     (bsc#998760)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

This update for curl fixes the following security issues :

  - CVE-2016-8624: invalid URL parsing with '#'     (bsc#1005646)

  - CVE-2016-8623: Use-after-free via shared cookies     (bsc#1005645)

  - CVE-2016-8622: URL unescape heap overflow via integer     truncation (bsc#1005643)

  - CVE-2016-8621: curl_getdate read out of bounds     (bsc#1005642)

  - CVE-2016-8620: glob parser write/read out of bounds     (bsc#1005640)

  - CVE-2016-8619: double-free in krb5 code (bsc#1005638)

  - CVE-2016-8618: double-free in curl_maprintf     (bsc#1005637)

  - CVE-2016-8617: OOB write via unchecked multiplication     (bsc#1005635)

  - CVE-2016-8616: case insensitive password comparison     (bsc#1005634)

  - CVE-2016-8615: cookie injection for other servers     (bsc#1005633)

  - CVE-2016-7167: escape and unescape integer overflows     (bsc#998760)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The cURL project reports

- cookie injection for other servers

- case insensitive password comparison

- OOB write via unchecked multiplication

- double-free in curl_maprintf

- double-free in krb5 code

- glob parser write/read out of bounds

- curl_getdate read out of bounds

- URL unescape heap overflow via integer truncation

- Use-after-free via shared cookies

- invalid URL parsing with '#'

- IDNA 2003 makes curl use wrong host

ID	Name	Product	Family	Severity
125380	Oracle Linux 6 / 7 : curl (ELSA-2019-4652)	Nessus	Oracle Linux Local Security Checks	high
125003	EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1550)	Nessus	Huawei Local Security Checks	high
105441	F5 Networks BIG-IP : libcurl vulnerability (K52828640)	Nessus	F5 Networks Local Security Checks	medium
99930	Oracle Secure Global Desktop Multiple Vulnerabilities (April 2017 CPU) (SWEET32)	Nessus	Misc.	critical
99881	EulerOS 2.0 SP1 : curl (EulerOS-SA-2017-1036)	Nessus	Huawei Local Security Checks	high
99880	EulerOS 2.0 SP2 : curl (EulerOS-SA-2017-1035)	Nessus	Huawei Local Security Checks	high
96644	GLSA-201701-47 : cURL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
95917	macOS 10.12.x < 10.12.2 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
9826	cURL/libcurl 7.x < 7.51.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
95009	Fedora 25 : curl (2016-89769648a0)	Nessus	Fedora Local Security Checks	high
94941	Debian DLA-711-1 : curl security update	Nessus	Debian Local Security Checks	high
94752	openSUSE Security Update : curl (openSUSE-2016-1280)	Nessus	SuSE Local Security Checks	high
94686	Amazon Linux AMI : curl (ALAS-2016-766)	Nessus	Amazon Linux Local Security Checks	high
94592	Fedora 24 : curl (2016-e8e8cdb4ed)	Nessus	Fedora Local Security Checks	high
94588	Debian DSA-3705-1 : curl - security update	Nessus	Debian Local Security Checks	high
94574	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : curl vulnerabilities (USN-3123-1)	Nessus	Ubuntu Local Security Checks	high
94572	SUSE SLES11 Security Update : curl (SUSE-SU-2016:2714-1)	Nessus	SuSE Local Security Checks	high
94516	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : curl (SSA:2016-308-01)	Nessus	Slackware Local Security Checks	high
94506	SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2016:2699-1)	Nessus	SuSE Local Security Checks	high
94493	FreeBSD : cURL -- multiple vulnerabilities (765feb7d-a0d1-11e6-a881-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	high

CVE-2016-8616

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins