CVE-2017-1000257

MEDIUM

Description

An IMAP FETCH response line indicates the size of the returned data in bytes. When that response says the data is zero bytes, libcurl would pass that (non-existent) data, as a pointer and a size of zero, to its deliver-data function. That function treats zero as a magic number and invokes strlen() on the data to determine its length. The strlen() is called on a heap-based buffer that might not be zero-terminated, so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it had actually been downloaded.
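The zero-as-magic-length pattern described above, shown beside a caller-side guard, as an added example that is not libcurl's code. The names `sink`, `deliver_legacy`, `deliver_checked` and `empty_body_bytes` and the buffer contents are hypothetical, and the constructed buffer keeps a NUL inside its own allocation so the over-read stays well defined.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the application's write callback:
   it only counts the bytes it is handed. */
static size_t delivered;
static void sink(const char *data, size_t len) { (void)data; delivered += len; }

/* Legacy-style deliver function: len == 0 is a magic value meaning
   "data is a C string, measure it with strlen()". */
static void deliver_legacy(const char *data, size_t len)
{
    if (len == 0)
        len = strlen(data);   /* scans to the first NUL, wherever that is */
    sink(data, len);
}

/* Guarded variant: a zero-byte body is never passed on, so a size taken
   from the server response cannot trigger the magic value. */
static void deliver_checked(const char *data, size_t len)
{
    if (len == 0)
        return;
    sink(data, len);
}

/* Constructed scenario: the first 4 bytes model the receive buffer (no
   terminator), the remaining 12 model unrelated data stored behind it. */
size_t empty_body_bytes(int checked)
{
    char *heap = malloc(16);
    if (!heap)
        return (size_t)-1;
    memcpy(heap, "* 1 ", 4);               /* stale response bytes, no NUL */
    memcpy(heap + 4, "OTHER-DATA!", 12);   /* neighbour data plus its NUL */
    delivered = 0;
    if (checked)
        deliver_checked(heap, 0);          /* server announced a 0-byte body */
    else
        deliver_legacy(heap, 0);
    free(heap);
    return delivered;
}

int main(void)
{
    printf("legacy=%zu checked=%zu\n", empty_body_bytes(0), empty_body_bytes(1));
    return 0;
}
```

In the legacy path the 15 bytes handed to the sink include the 11 bytes of neighbouring data, although the announced body size was zero.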

References

http://www.debian.org/security/2017/dsa-4007

http://www.securityfocus.com/bid/101519

http://www.securitytracker.com/id/1039644

https://access.redhat.com/errata/RHSA-2017:3263

https://access.redhat.com/errata/RHSA-2018:2486

https://access.redhat.com/errata/RHSA-2018:3558

https://curl.haxx.se/docs/adv_20171023.html

https://security.gentoo.org/glsa/201712-04

Details

Source: MITRE

Published: 2017-10-31

Updated: 2018-11-13

Type: CWE-119

Risk Information

CVSS v2.0

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Impact Score: 5.2

Exploitability Score: 3.9

Severity: CRITICAL

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* versions from 7.20.0 to 7.56.0 (inclusive)

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Tenable Plugins


| ID | Name | Product | Family | Severity |
| --- | --- | --- | --- | --- |
| 127142 | NewStart CGSL MAIN 5.04 : curl Vulnerability (NS-SA-2019-0002) | Nessus | NewStart CGSL Local Security Checks | medium |
| 125002 | EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1549) | Nessus | Huawei Local Security Checks | high |
| 124993 | EulerOS Virtualization for ARM 64 3.0.1.0 : curl (EulerOS-SA-2019-1540) | Nessus | Huawei Local Security Checks | critical |
| 122260 | Amazon Linux 2 : curl (ALAS-2019-1162) | Nessus | Amazon Linux Local Security Checks | high |
| 121768 | Photon OS 2.0: Curl PHSA-2017-0050 | Nessus | PhotonOS Local Security Checks | high |
| 117546 | EulerOS Virtualization 2.5.0 : curl (EulerOS-SA-2018-1237) | Nessus | Huawei Local Security Checks | medium |
| 111899 | Photon OS 2.0: Curl / Libtiff / Linux PHSA-2017-0050 (deprecated) | Nessus | PhotonOS Local Security Checks | high |
| 111897 | Photon OS 1.0: Curl / Glibc PHSA-2017-0048 (deprecated) | Nessus | PhotonOS Local Security Checks | high |
| 105957 | Fedora 27 : curl (2017-b25c8a7087) | Nessus | Fedora Local Security Checks | medium |
| 105264 | GLSA-201712-04 : cURL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 104931 | EulerOS 2.0 SP2 : curl (EulerOS-SA-2017-1313) | Nessus | Huawei Local Security Checks | medium |
| 104930 | EulerOS 2.0 SP1 : curl (EulerOS-SA-2017-1312) | Nessus | Huawei Local Security Checks | medium |
| 104816 | Virtuozzo 7 : curl / libcurl / libcurl-devel (VZLSA-2017-3263) | Nessus | Virtuozzo Local Security Checks | medium |
| 104803 | Scientific Linux Security Update : curl on SL7.x x86_64 (20171127) | Nessus | Scientific Linux Local Security Checks | medium |
| 104801 | RHEL 7 : curl (RHSA-2017:3263) | Nessus | Red Hat Local Security Checks | medium |
| 104799 | Oracle Linux 7 : curl (ELSA-2017-3263) | Nessus | Oracle Linux Local Security Checks | medium |
| 104790 | CentOS 7 : curl (CESA-2017:3263) | Nessus | CentOS Local Security Checks | medium |
| 104704 | Amazon Linux AMI : curl (ALAS-2017-922) | Nessus | Amazon Linux Local Security Checks | medium |
| 104316 | Fedora 26 : curl (2017-ebf32659bf) | Nessus | Fedora Local Security Checks | medium |
| 104236 | openSUSE Security Update : curl (openSUSE-2017-1200) | Nessus | SuSE Local Security Checks | medium |
| 104222 | Debian DSA-4007-1 : curl - security update | Nessus | Debian Local Security Checks | medium |
| 104133 | Debian DLA-1143-1 : curl security update | Nessus | Debian Local Security Checks | medium |
| 104118 | Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : curl vulnerability (USN-3457-1) | Nessus | Ubuntu Local Security Checks | medium |
| 104117 | SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2017:2831-1) | Nessus | SuSE Local Security Checks | medium |
| 104113 | FreeBSD : cURL -- out of bounds read (143ec3d6-b7cf-11e7-ac58-b499baebfeaf) | Nessus | FreeBSD Local Security Checks | medium |
| 104105 | Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2017-297-01) | Nessus | Slackware Local Security Checks | medium |