F5 Networks BIG-IP : libcurl vulnerability (K10196624)

High Nessus Plugin ID 105436

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.
(CVE-2016-8618)

Impact

A custom monitor or script that calls the curl command may allow unauthorized disclosure of information,unauthorized modification, and disruption of service. The big3d process, which includes the libcurl library, may allow unauthorized disclosure of information,unauthorized modification, and disruption of service.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K10196624.

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/a:f5:big-ip_webaccelerator, cpe:/h:f5:big-ip, cpe:/h:f5:big-ip_protocol_security_manager

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version, Settings/ParanoidReport

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2017/04/21

Vulnerability Publication Date: 2018/07/31

Reference Information

CVE: CVE-2016-8618

F5 Networks BIG-IP : libcurl vulnerability (K10196624)

Synopsis

Description

Solution

See Also

Plugin Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerability Information

Reference Information