FreeBSD : cURL -- multiple vulnerabilities (6294f75f-03f2-11e5-aab1-d050996490d0)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

cURL reports :

libcurl keeps a pool of its last few connections around after use to
facilitate easy, convenient, and completely transparent connection
re-use for applications.

When HTTP requests are authenticated with NTLM, the entire connection
becomes authenticated, not just the individual HTTP request, which is
otherwise how HTTP authentication works. This makes NTLM special and a
subject for special treatment in the code. With NTLM, once the
connection is authenticated, no further authentication is necessary
until the connection gets closed. libcurl's connection re-use did not
take this into account: a later request carrying different credentials,
or none at all, could be sent over a pooled connection that was still
authenticated as the previous user.

When HTTP requests are authenticated with Negotiate, the entire
connection may likewise become authenticated rather than just the
individual HTTP request, because Negotiate can use NTLM under the hood.
curl did not honour this and instead assumed that Negotiate requests
were authenticated per request, so a pooled Negotiate connection could
also be re-used by a request with different credentials.
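The following model illustrates the point of both the NTLM and the Negotiate advisories above: a connection pool that keys idle connections on host and port alone will hand one user's authenticated connection to another user's request. This is an added example written for this page, not libcurl's code; the pool structure, the scheme names, the picker functions and the sample pool entries are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model of a libcurl-style connection pool (not libcurl's
 * code). Structure and function names are assumptions for this example. */
enum auth_scheme { AUTH_NONE, AUTH_BASIC, AUTH_NTLM, AUTH_NEGOTIATE };

struct pooled_conn {
    const char *host;
    int port;
    enum auth_scheme scheme;   /* scheme the connection was set up with */
    const char *user;          /* identity bound to the connection, if any */
    int authenticated;         /* 1 once the handshake completed */
};

/* NTLM authenticates the TCP connection; Negotiate may do so too because
 * it can carry NTLM underneath. Basic authenticates each request. */
static int auth_binds_connection(enum auth_scheme s)
{
    return s == AUTH_NTLM || s == AUTH_NEGOTIATE;
}

/* Pre-fix behaviour: any idle connection to the same host:port is reused,
 * regardless of who authenticated it. Returns the pool index or -1. */
int pick_conn_vulnerable(const struct pooled_conn *pool, int n,
                         const char *host, int port,
                         enum auth_scheme want, const char *user)
{
    (void)want; (void)user;          /* credentials never consulted */
    for (int i = 0; i < n; i++)
        if (pool[i].port == port && strcmp(pool[i].host, host) == 0)
            return i;
    return -1;
}

/* Fixed behaviour: a connection authenticated with a connection-scoped
 * scheme is only reused by a request carrying the same scheme and user;
 * otherwise the caller must open a new connection (-1). */
int pick_conn_fixed(const struct pooled_conn *pool, int n,
                    const char *host, int port,
                    enum auth_scheme want, const char *user)
{
    for (int i = 0; i < n; i++) {
        const struct pooled_conn *c = &pool[i];
        if (c->port != port || strcmp(c->host, host) != 0)
            continue;
        if (c->authenticated && auth_binds_connection(c->scheme)) {
            /* connection already carries an identity: require a match */
            if (want != c->scheme || user == NULL ||
                c->user == NULL || strcmp(c->user, user) != 0)
                continue;
        }
        return i;
    }
    return -1;
}

/* Constructed sample pool: an NTLM connection authenticated as alice and
 * an unauthenticated connection to another host. */
static const struct pooled_conn sample_pool[] = {
    { "intranet.example", 80, AUTH_NTLM, "alice", 1 },
    { "public.example",   80, AUTH_NONE, NULL,    0 },
};
#define SAMPLE_POOL_LEN (int)(sizeof sample_pool / sizeof sample_pool[0])

int main(void)
{
    /* bob's NTLM request to the host alice is already logged in to */
    int v = pick_conn_vulnerable(sample_pool, SAMPLE_POOL_LEN,
                                 "intranet.example", 80, AUTH_NTLM, "bob");
    int f = pick_conn_fixed(sample_pool, SAMPLE_POOL_LEN,
                            "intranet.example", 80, AUTH_NTLM, "bob");
    printf("vulnerable picker reuses #%d (alice's connection), "
           "fixed picker returns %d (open a new one)\n", v, f);
    return 0;
}
```

The fixed picker treats scheme and identity as part of the pool key only for connection-scoped schemes, so per-request schemes such as Basic keep the usual transparent re-use; an application that switches credentials between requests on the same libcurl handle is the case this check protects.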

libcurl supports HTTP 'cookies' as documented in RFC 6265. Each cookie
carries several properties; for this vulnerability the relevant one is
the 'path' element, which states for which path on a given host the
cookie is valid.

The internal libcurl function called sanitize_cookie_path() that
cleans up the path element as given to it from a remote site or when
read from a file, did not properly validate the input. If given a path
that consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.

There is a private function in libcurl called fix_hostname() that
removes a trailing dot from the host name if there is one. The
function is called after the host name has been extracted from the URL
libcurl has been told to act on.

If a URL is given with a zero-length host name, like in 'http://:80'
or just ':80', fix_hostname() will index the host name pointer with a
-1 offset (as it blindly assumes a non-zero length) and both read from
and write to that address.
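The cookie-path and host-name bugs above are the same defect: a "strip the last character" step that computes strlen(s) - 1 without first checking that the string is non-empty, so an empty input turns into an access at index -1, one byte before the heap allocation. The block below is an added example written for this page, not libcurl's code: it reports the index the pre-fix quote-stripping logic would write to, and shows a hardened cookie-path sanitiser and trailing-dot remover modelled on the length checks the advisories describe. The function names, the simplified RFC 6265 handling and the sample inputs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Index the pre-fix quote-stripping logic would write to after shifting
 * out a leading double-quote: strlen(path) - 1 with no check that anything
 * is left. For the lone '"' case from the advisory this is -1, i.e. one
 * byte before the allocation. Nothing is written here; the function only
 * reports the index. (Reconstruction for illustration, not libcurl code.) */
long vulnerable_trailing_quote_index(const char *cookie_path)
{
    size_t len = strlen(cookie_path);
    if (len && cookie_path[0] == '"')
        len--;                      /* leading quote is shifted out */
    return (long)len - 1;           /* path[len - 1] ... even when len == 0 */
}

/* Hardened cookie-path sanitiser, modelled on the fix described in the
 * advisory (simplified; an assumption, not libcurl's code). Strips one
 * pair of surrounding quotes, applies the RFC 6265 5.2.4 rule that a path
 * not starting with '/' means default-path (represented as "/" here), and
 * drops one trailing slash. Caller frees the result. */
char *sanitize_cookie_path_fixed(const char *cookie_path)
{
    size_t len = strlen(cookie_path);
    char *path = malloc(len + 2);   /* room for a substituted "/" */
    if (!path)
        return NULL;
    memcpy(path, cookie_path, len + 1);

    if (len && path[0] == '"') {          /* strip a leading quote */
        memmove(path, path + 1, len);     /* moves the NUL as well */
        len--;
    }
    if (len && path[len - 1] == '"')      /* the length check is the fix */
        path[--len] = '\0';

    if (len == 0 || path[0] != '/') {     /* default-path case */
        strcpy(path, "/");
        return path;
    }
    if (len > 1 && path[len - 1] == '/')  /* keep a bare "/" intact */
        path[len - 1] = '\0';
    return path;
}

/* Convenience check: does `in` sanitise to `expect`? Returns 1 or 0. */
int path_sanitizes_to(const char *in, const char *expect)
{
    char *out = sanitize_cookie_path_fixed(in);
    int ok = out != NULL && strcmp(out, expect) == 0;
    free(out);
    return ok;
}

/* Trailing-dot removal from a host name with the empty-input guard that
 * fix_hostname() lacked. Modifies in place; returns the new length. */
size_t fix_hostname_fixed(char *hostname)
{
    size_t len = strlen(hostname);
    if (len && hostname[len - 1] == '.')
        hostname[--len] = '\0';
    return len;
}

int main(void)
{
    /* constructed inputs from the two advisories: a cookie path that is a
     * single '"', and the empty host name of "http://:80" */
    char empty_host[] = "";
    printf("pre-fix path logic would write at index %ld for a lone '\"'\n",
           vulnerable_trailing_quote_index("\""));
    printf("hardened sanitiser maps a lone '\"' to \"/\": %s\n",
           path_sanitizes_to("\"", "/") ? "yes" : "no");
    printf("fix_hostname on an empty host leaves length %zu, untouched\n",
           fix_hostname_fixed(empty_host));
    return 0;
}
```

Running the vulnerable index calculation on "\"" gives -1; a single ASAN run of the original unguarded write would report a heap-buffer-underflow at that offset, which is the practical way to confirm a library build is affected without trusting version strings.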

See also :

http://curl.haxx.se/docs/adv_20150422A.html
http://curl.haxx.se/docs/adv_20150422B.html
http://curl.haxx.se/docs/adv_20150422C.html
http://curl.haxx.se/docs/adv_20150422D.html
http://www.nessus.org/u?56033441

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 4.9
(CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 83842

Bugtraq ID:

CVE ID: CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
