F5 Networks BIG-IP : libcurl vulnerability (K52828640)
High Nessus Plugin ID 105441
Synopsis
The remote device is missing a vendor-supplied security patch.
Description
A flaw was found in curl before version 7.51.0. When re-using a connection, curl was doing case-insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password. (CVE-2016-8616)
An attacker can cause an unused connection with credentials to be reused if the attacker knows the case-insensitive version of the correct password. Local access to an affected F5 system is necessary to trigger the exploit from the affected F5 system.
Solution
Upgrade to one of the non-vulnerable versions listed in the F5 Solution K52828640.
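The comparison flaw described above, shown as an added illustration (this is not curl's or F5's source code): a simplified connection-reuse lookup run once with a case-insensitive credential comparison and once with an exact one. The struct, function names, host name and credentials are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical, simplified model of a cached connection with connection-scoped credentials. */
struct cached_conn {
    const char *host, *user, *passwd;
    int in_use;
};

typedef int (*cred_cmp)(const char *, const char *);

/* Behaviour described in the advisory: letter case is ignored. */
int cred_equal_nocase(const char *a, const char *b) {
    return strcasecmp(a, b) == 0;
}

/* Corrected behaviour: credentials must match byte for byte. */
int cred_equal_exact(const char *a, const char *b) {
    return strcmp(a, b) == 0;
}

/* Return the index of an idle cached connection that may be reused, or -1 if none qualifies. */
int find_reusable(const struct cached_conn *pool, size_t n, const char *host,
                  const char *user, const char *passwd, cred_cmp eq)
{
    for (size_t i = 0; i < n; i++) {
        if (pool[i].in_use) continue;                      /* only unused connections */
        if (strcasecmp(pool[i].host, host) != 0) continue; /* host names are case-insensitive */
        if (eq(pool[i].user, user) && eq(pool[i].passwd, passwd))
            return (int)i;
    }
    return -1;
}

/* Constructed sample pool: one idle and one busy authenticated connection. */
const struct cached_conn sample_pool[] = {
    { "ftp.example.test", "alice", "CorrectHorse9", 0 },
    { "ftp.example.test", "bob",   "Tr0ub4dor",     1 },
};
#define SAMPLE_POOL_LEN (sizeof sample_pool / sizeof sample_pool[0])

int main(void) {
    printf("nocase: %d\n", find_reusable(sample_pool, SAMPLE_POOL_LEN, "ftp.example.test", "alice", "correcthorse9", cred_equal_nocase));
    printf("exact:  %d\n", find_reusable(sample_pool, SAMPLE_POOL_LEN, "ftp.example.test", "alice", "correcthorse9", cred_equal_exact));
    return 0;
}
```

With the case-insensitive comparator, a request carrying the wrong-case password is handed the already-authenticated connection; with the exact comparator it is not, and a new connection would have to authenticate on its own.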