An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4384 advisory.

  - openssl: Integer overflow in RSAZ modular exponentiation on x86_64 (CVE-2019-1551)

  - curl: Integer overflows in curl_url_set() function (CVE-2019-5435)

  - httpd: mod_proxy_uwsgi buffer overflow (CVE-2020-11984)

  - httpd: mod_http2 concurrent pool usage (CVE-2020-11993)

  - httpd: allow connecting via SSL to a backend worker when the backend keystore file's ID is 'unknown'     (CVE-2020-25680)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202003-29 (cURL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in cURL. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl. (CVE-2019-5436)

An integer overflow in curl's URL API results in a buffer overflow in libcurl. (CVE-2019-5435)

An integer overflow in curl's URL API results in a buffer overflow in libcurl. (CVE-2019-5435)

A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl. (CVE-2019-5436)

- fix TFTP receive buffer overflow (CVE-2019-5436)

  - fix integer overflows in curl_url_set() (CVE-2019-5435)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

curl security problems :

CVE-2019-5435: Integer overflows in curl_url_set()

libcurl contains two integer overflows in the curl_url_set() function that if triggered, can lead to a too small buffer allocation and a subsequent heap buffer overflow.

The flaws only exist on 32 bit architectures and require excessive string input lengths.

CVE-2019-5436: TFTP receive buffer overflow

libcurl contains a heap buffer overflow in the function (tftp_receive_packet()) that recevives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server.

The flaw exists if the user selects to use a 'blksize' of 504 or smaller (default is 512). The smaller size that is used, the larger the possible overflow becomes.

Users chosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger.

It is rare for users to use TFTP across the Internet. It is most commonly used within local networks.

Wenchao Li discovered that curl incorrectly handled memory in the curl_url_set() function. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.04.
(CVE-2019-5435)

It was discovered that curl incorrectly handled memory when receiving data from a TFTP server. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-5436).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New curl packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

ID	Name	Product	Family	Severity
142025	RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP5 (RHSA-2020:4384)	Nessus	Red Hat Local Security Checks	critical
134606	GLSA-202003-29 : cURL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
127061	Amazon Linux AMI : curl (ALAS-2019-1233)	Nessus	Amazon Linux Local Security Checks	high
126957	Amazon Linux 2 : curl (ALAS-2019-1233)	Nessus	Amazon Linux Local Security Checks	high
125786	Fedora 29 : curl (2019-697de0501f)	Nessus	Fedora Local Security Checks	high
125441	FreeBSD : curl -- multiple vulnerabilities (dd343a2b-7ee7-11e9-a290-8ddc52868fa9)	Nessus	FreeBSD Local Security Checks	high
125424	Fedora 30 : curl (2019-3f5b6f0f97)	Nessus	Fedora Local Security Checks	high
125355	Ubuntu 16.04 LTS / 18.04 LTS : curl vulnerabilities (USN-3993-1)	Nessus	Ubuntu Local Security Checks	high
125348	Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2019-142-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2019-5435

low

Tenable Plugins

critical

critical

high

high

high

high

high

high

high