FreeBSD : cURL -- Multiple Vulnerability (2438d4af-1538-11e5-a106-3c970e169bc2)

medium Nessus Plugin ID 84254

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

cURL reports :

libcurl can wrongly send HTTP credentials when re-using connections.

libcurl allows applications to set credentials for the upcoming transfer with HTTP Basic authentication, like with CURLOPT_USERPWD for example. Name and password. Just like all other libcurl options the credentials are sticky and are kept associated with the 'handle' until something is made to change the situation.

Further, libcurl offers a curl_easy_reset() function that resets a handle back to its pristine state in terms of all settable options. A reset is of course also supposed to clear the credentials. A reset is typically used to clear up the handle and prepare it for a new, possibly unrelated, transfer.

Within such a handle, libcurl can also store a set of previous connections in case a second transfer is requested to a host name for which an existing connection is already kept alive.

With this flaw present, using the handle even after a reset would make libcurl accidentally use those credentials in a subsequent request if done to the same host name and connection as was previously accessed.

An example case would be first requesting a password protected resource from one section of a website, and then do a second request of a public resource from a completely different part of the site without authentication. This flaw would then inadvertently leak the credentials in the second request.

libcurl can get tricked by a malicious SMB server to send off data it did not intend to.

In libcurl's state machine function handling the SMB protocol (smb_request_state()), two length and offset values are extracted from data that has arrived over the network, and those values are subsequently used to figure out what data range to send back.

The values are used and trusted without boundary checks and are just assumed to be valid. This allows carefully handcrafted packages to trick libcurl into responding and sending off data that was not intended. Or just crash if the values cause libcurl to access invalid memory.

Solution

Update the affected package.

See Also

https://curl.haxx.se/docs/CVE-2015-3236.html

https://curl.haxx.se/docs/CVE-2015-3237.html

http://www.nessus.org/u?04552ffc

Plugin Details

Severity: Medium

ID: 84254

File Name: freebsd_pkg_2438d4af153811e5a1063c970e169bc2.nasl

Version: 2.9

Type: local

Published: 6/18/2015

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:curl, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 6/17/2015

Vulnerability Publication Date: 6/17/2015

Reference Information

CVE: CVE-2015-3236, CVE-2015-3237