http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

RHSA-2018:3558

https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13

GLSA-201709-14

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A heap buffer overflow in the TFTP receiving code     allows for DoS or arbitrary code execution in libcurl     versions 7.19.4 through 7.64.1.(CVE-2019-5436)

  - The ourWriteOut function in tool_writeout.c in curl     7.53.1 might allow physically proximate attackers to     obtain sensitive information from process memory in     opportunistic circumstances by reading a workstation     screen during use of a --write-out argument ending in a     '%' character, which leads to a heap-based buffer     over-read.(CVE-2017-7407)

  - Curl versions 7.14.1 through 7.61.1 are vulnerable to a     heap-based buffer over-read in the tool_msgs.c:voutf()     function that may result in information exposure and     denial of service.(CVE-2018-16842)

  - The ConnectionExists function in lib/url.c in libcurl     before 7.47.0 does not properly re-use     NTLM-authenticated proxy connections, which might allow     remote attackers to authenticate as other users via a     request, a similar issue to     CVE-2014-0015.(CVE-2016-0755)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - The ourWriteOut function in tool_writeout.c in curl     7.53.1 might allow physically proximate attackers to     obtain sensitive information from process memory in     opportunistic circumstances by reading a workstation     screen during use of a --write-out argument ending in a     '%' character, which leads to a heap-based buffer     over-read.(CVE-2017-7407)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the curl packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability :

  - The ourWriteOut function in tool_writeout.c in curl     7.53.1 might allow physically proximate attackers to     obtain sensitive information from process memory in     opportunistic circumstances by reading a workstation     screen during use of a --write-out argument ending in a     '%' character, which leads to a heap-based buffer     over-read.(CVE-2017-7407)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The ourWriteOut function in tool_writeout.c in curl     7.53.1 might allow physically proximate attackers to     obtain sensitive information from process memory in     opportunistic circumstances by reading a workstation     screen during use of a --write-out argument ending in a     '%' character, which leads to a heap-based buffer     over-read.(CVE-2017-7407)

  - The ConnectionExists function in lib/url.c in libcurl     before 7.47.0 does not properly re-use     NTLM-authenticated proxy connections, which might allow     remote attackers to authenticate as other users via a     request, a similar issue to     CVE-2014-0015.(CVE-2016-0755)

  - Curl versions 7.14.1 through 7.61.1 are vulnerable to a     heap-based buffer over-read in the tool_msgs.c:voutf()     function that may result in information exposure and     denial of service.(CVE-2018-16842)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - cURL and libcurl 7.18.0 through 7.32.0, when built with     OpenSSL, disables the certificate CN and SAN name field     verification (CURLOPT_SSL_VERIFYHOST) when the digital     signature verification (CURLOPT_SSL_VERIFYPEER) is     disabled, which allows man-in-the-middle attackers to     spoof SSL servers via an arbitrary valid     certificate.i1/4^CVE-2013-4545i1/4%0

  - The GnuTLS backend in libcurl 7.21.4 through 7.33.0,     when disabling digital signature verification     (CURLOPT_SSL_VERIFYPEER), also disables the     CURLOPT_SSL_VERIFYHOST check for CN or SAN host name     fields, which makes it easier for remote attackers to     spoof servers and conduct man-in-the-middle (MITM)     attacks.i1/4^CVE-2013-6422i1/4%0

  - cURL and libcurl 7.1 before 7.36.0, when using the     OpenSSL, axtls, qsossl or gskit libraries for TLS,     recognize a wildcard IP address in the subject's Common     Name (CN) field of an X.509 certificate, which might     allow man-in-the-middle attackers to spoof arbitrary     SSL servers via a crafted certificate issued by a     legitimate Certification Authority.i1/4^CVE-2014-0139i1/4%0

  - curl and libcurl 7.27.0 through 7.35.0, when running on     Windows and using the SChannel/Winssl TLS backend, does     not verify that the server hostname matches a domain     name in the subject's Common Name (CN) or     subjectAltName field of the X.509 certificate when     accessing a URL that uses a numerical IP address, which     allows man-in-the-middle attackers to spoof servers via     an arbitrary valid certificate.i1/4^CVE-2014-2522i1/4%0

  - The ourWriteOut function in tool_writeout.c in curl     7.53.1 might allow physically proximate attackers to     obtain sensitive information from process memory in     opportunistic circumstances by reading a workstation     screen during use of a --write-out argument ending in a     '%' character, which leads to a heap-based buffer     over-read.i1/4^CVE-2017-7407i1/4%0

  - It was found that curl and libcurl might send their     Authentication header to a third party HTTP server upon     receiving an HTTP REDIRECT reply. This could leak     authentication token to external     entities.i1/4^CVE-2018-1000007i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories.

Daniel Stenberg discovered that curl incorrectly handled large floating point output. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-9586)

Even Rouault discovered that curl incorrectly handled large file names when doing TFTP transfers. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents. (CVE-2017-1000100)

Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handled numerical range globbing. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents. (CVE-2017-1000101)

Max Dymond discovered that curl incorrectly handled FTP PWD responses.
A remote attacker could use this issue to cause curl to crash, resulting in a denial of service. (CVE-2017-1000254)

Brian Carpenter discovered that curl incorrectly handled the
--write-out command line option. A local attacker could possibly use this issue to obtain sensitive memory contents. (CVE-2017-7407).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201709-14 (cURL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in cURL. Please review the       CVE identifiers referenced below for details.
  Impact :

    Remote attackers could cause a Denial of Service condition, obtain       sensitive information, or bypass intended restrictions for TLS sessions.
  Workaround :

    There is no known workaround at this time.

This update for curl fixes the following issues :

  - CVE-2017-1000100: TFP sends more than buffer size and it     could lead to a denial of service (bsc#1051644)

  - CVE-2017-7407: ourWriteOut function problem could lead     to a heap buffer over-read (bsc#1032309)

  - CVE-2016-9586: libcurl printf issue could lead to buffer     overflow (bsc#1015332)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- fix out of bounds read in curl --write-out     (CVE-2017-7407)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a certain character, which leads to a heap-based buffer over-read.(CVE-2017-7407 )

This update for curl fixes the following issues :

Security issue fixed :

  - CVE-2016-9586: libcurl printf floating point buffer     overflow (bsc#1015332)

  - CVE-2017-7407: The ourWriteOut function in     tool_writeout.c in curl might have allowed physically     proximate attackers to obtain sensitive information from     process memory in opportunistic circumstances by reading     a workstation screen during use of a --write-out     argument ending in a '%' character, which lead to a     heap-based buffer over-read (bsc#1032309).

With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).

This update was imported from the SUSE:SLE-12:Update update project.

This update for curl fixes the following issues: These security issues were fixed :

  - CVE-2016-9586: libcurl printf floating point buffer     overflow (bsc#1015332)

  - CVE-2017-7407: The ourWriteOut function in     tool_writeout.c in curl might have allowed physically     proximate attackers to obtain sensitive information from     process memory in opportunistic circumstances by reading     a workstation screen during use of a --write-out     argument ending in a '%' character, which lead to a     heap-based buffer over-read (bsc#1032309).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for curl fixes the following issues: Security issue fixed :

  - CVE-2016-9586: libcurl printf floating point buffer     overflow (bsc#1015332)

  - CVE-2017-7407: The ourWriteOut function in     tool_writeout.c in curl might have allowed physically     proximate attackers to obtain sensitive information from     process memory in opportunistic circumstances by reading     a workstation screen during use of a --write-out     argument ending in a '%' character, which lead to a     heap-based buffer over-read (bsc#1032309). With this     release new default ciphers are active (SUSE_DEFAULT,     bsc#1027712).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The cURL project reports :

There were two bugs in curl's parser for the command line option
--write-out (or -w for short) that would skip the end of string zero byte if the string ended in a % (percent) or \ (backslash), and it would read beyond that buffer in the heap memory and it could then potentially output pieces of that memory to the terminal or the target file etc..

This flaw only exists in the command line tool.

We are not aware of any exploit of this flaw.

It was discovered that there was a buffer read overrun vulnerability in curl, a tool for downloading files from the internet, etc.

If a '%' ended the --write-out parameter, the string's trailing NUL would be skipped and memory past the end of the buffer could be accessed and potentially displayed as part of the output.

For Debian 7 'Wheezy', this issue has been fixed in curl version 7.26.0-1+wheezy18+deb7u1.

We recommend that you upgrade your curl packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
129247	EulerOS 2.0 SP3 : curl (EulerOS-SA-2019-2054)	Nessus	Huawei Local Security Checks	medium
126878	EulerOS 2.0 SP2 : curl (EulerOS-SA-2019-1751)	Nessus	Huawei Local Security Checks	low
126539	EulerOS Virtualization for ARM 64 3.0.2.0 : curl (EulerOS-SA-2019-1697)	Nessus	Huawei Local Security Checks	low
126292	EulerOS 2.0 SP5 : curl (EulerOS-SA-2019-1665)	Nessus	Huawei Local Security Checks	medium
123858	EulerOS Virtualization 2.5.3 : curl (EulerOS-SA-2019-1172)	Nessus	Huawei Local Security Checks	medium
106504	pfSense < 2.3.4 Multiple Vulnerabilities (SA-17_04)	Nessus	Firewalls	high
103773	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : curl vulnerabilities (USN-3441-1)	Nessus	Ubuntu Local Security Checks	medium
103282	GLSA-201709-14 : cURL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
102910	SUSE SLES11 Security Update : curl (SUSE-SU-2017:2312-1)	Nessus	SuSE Local Security Checks	medium
101737	Fedora 26 : curl (2017-e396614cd0)	Nessus	Fedora Local Security Checks	low
101003	Amazon Linux AMI : curl (ALAS-2017-850)	Nessus	Amazon Linux Local Security Checks	low
99702	openSUSE Security Update : curl (openSUSE-2017-513)	Nessus	SuSE Local Security Checks	medium
99465	SUSE SLES11 Security Update : curl (SUSE-SU-2017:1043-1)	Nessus	SuSE Local Security Checks	medium
99464	SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2017:1042-1)	Nessus	SuSE Local Security Checks	medium
99258	Fedora 25 : curl (2017-b38b98727e)	Nessus	Fedora Local Security Checks	low
99206	FreeBSD : cURL -- potential memory disclosure (04f29189-1a05-11e7-bc6e-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	low
99188	Debian DLA-883-1 : curl security update	Nessus	Debian Local Security Checks	low

CVE-2017-7407

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins