Detections
Analytics

Alpine: multiple curl packages, libcurl: security update to 7.54.1-r0 (deprecated)

medium Tenable Self-Hosted Container Security Plugin ID 400850

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

 - When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the
 file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the
 application's provide callback), which could lead to other private data from the heap to get inadvertently
 displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to
 not contain any zero byte, it would continue and display the data following that buffer in memory.
 (CVE-2017-1000099)

 - When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer
 than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size
 is still wrongly updated to use the untruncated length. This too large value is then used in the sendto()
 call, making curl attempt to send more data than what is actually put into the buffer. The endto()
 function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect
 a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols
 it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit
 curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.
 (CVE-2017-1000100)

 - curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over
 those numbers to do a sequence of transfers. In the globbing function that parses the numerical range,
 there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted,
 or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to
 wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be
 `http://ur%20[0-60000000000000000000`. (CVE-2017-1000101)

See Also

https://git.alpinelinux.org/aports/commit/?id=13ee88b017ecd8c894a60178235598a526d5e4a6

https://git.alpinelinux.org/aports/commit/?id=c41812134d11c0ab6c6f0258de05de85638d996b

Plugin Details

Severity: Medium

ID: 400850

Version: Revision 1.22

Type: Local

Published: 8/16/2023

Updated: 1/17/2024

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2017-1000101

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/11/2017

Vulnerability Publication Date: 8/9/2017

Reference Information

CVE: CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101

BID: 100281, 100286, 100249