FreeBSD : cURL -- multiple vulnerabilities (04fe6c8d-2a34-4009-a81e-e7a7e759b5d2)

High Nessus Plugin ID 109877

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

cURL security problems :

CVE-2018-1000300: FTP shutdown response buffer overflow

curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.

When doing FTP transfers, curl keeps a spare 'closure handle' around internally that will be used when an FTP connection gets shut down since the original curl easy handle is then already removed.

FTP server response data that gets cached from the original transfer might then be larger than the default buffer size (16 KB) allocated in the 'closure handle', which can lead to a buffer overwrite. The contents and size of that overwrite is controllable by the server.

This situation was detected by an assert() in the code, but that was of course only preventing bad stuff in debug builds. This bug is very unlikely to trigger with non-malicious servers.

We are not aware of any exploit of this flaw.

CVE-2018-1000301: RTSP bad headers buffer over-read

curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded content.

When servers send RTSP responses back to curl, the data starts out with a set of headers. curl parses that data to separate it into a number of headers to deal with those appropriately and to find the end of the headers that signal the start of the 'body' part.

The function that splits up the response into headers is called Curl_http_readwrite_headers() and in situations where it can't find a single header in the buffer, it might end up leaving a pointer pointing into the buffer instead of to the start of the buffer which then later on may lead to an out of buffer read when code assumes that pointer points to a full buffer size worth of memory to use.

This could potentially lead to information leakage but most likely a crash/denial of service for applications if a server triggers this flaw.

We are not aware of any exploit of this flaw.

Solution

Update the affected package.

See Also

https://curl.haxx.se/docs/security.html

https://curl.haxx.se/docs/adv_2018-82c2.html

https://curl.haxx.se/docs/adv_2018-b138.html

http://www.nessus.org/u?17f158f2

Plugin Details

Severity: High

ID: 109877

File Name: freebsd_pkg_04fe6c8d2a344009a81ee7a7e759b5d2.nasl

Version: 1.4

Type: local

Published: 2018/05/17

Modified: 2018/11/10

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:curl, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2018/05/16

Vulnerability Publication Date: 2018/05/16

Reference Information

CVE: CVE-2018-1000300, CVE-2018-1000301