EulerOS Virtualization 2.5.0 : curl (EulerOS-SA-2018-1330)

High Nessus Plugin ID 118418

Synopsis

The remote EulerOS Virtualization host is missing multiple security
updates.

Description

According to the versions of the curl package installed, the EulerOS
Virtualization installation on the remote host is affected by the
following vulnerabilities :

- It was found that libcurl did not safely parse FTP URLs
when using the CURLOPT_FTP_FILEMETHOD method. An
attacker, able to provide a specially crafted FTP URL
to an application using libcurl, could write a NULL
byte at an arbitrary location, resulting in a crash, or
an unspecified behavior.(CVE-2018-1000120)

- A NULL pointer dereference flaw was found in the way
libcurl checks values returned by the openldap
ldap_get_attribute_ber() function. A malicious LDAP
server could use this flaw to crash a libcurl client
application via a specially crafted LDAP
reply.(CVE-2018-1000121)

- A buffer over-read exists in curl 7.20.0 to and
including curl 7.58.0 in the RTSP+RTP handling code
that allows an attacker to cause a denial of service or
information leakage(CVE-2018-1000122)

- curl version curl 7.20.0 to and including curl 7.59.0
contains a Buffer Over-read vulnerability in denial of
service that can result in curl can be tricked into
reading data beyond the end of a heap based buffer used
to store downloaded rtsp content.(CVE-2018-1000301)

- curl version curl 7.20.0 to and including curl 7.59.0
contains a Buffer Over-read vulnerability in denial of
service that can result in curl can be tricked into
reading data beyond the end of a heap based buffer used
to store downloaded rtsp content.(CVE-2016-9586)

- libcurl may read outside of a heap allocated buffer
when doing FTP. When libcurl connects to an FTP server
and successfully logs in (anonymous or not), it asks
the server for the current directory with the `PWD`
command. The server then responds with a 257 response
containing the path, inside double quotes. The returned
path name is then kept by libcurl for subsequent uses.
Due to a flaw in the string parser for this directory
name, a directory name passed like this but without a
closing double quote would lead to libcurl not adding a
trailing NUL byte to the buffer holding the name. When
libcurl would then later access the string, it could
read beyond the allocated heap buffer and crash or
wrongly access data beyond the buffer, thinking it was
part of the path. A malicious server could abuse this
fact and effectively prevent libcurl-based clients to
work with it - the PWD command is always issued on new
FTP connections and the mistake has a high chance of
causing a segfault. The simple fact that this has issue
remained undiscovered for this long could suggest that
malformed PWD responses are rare in benign servers. We
are not aware of any exploit of this flaw. This bug was
introduced in commit
[415d2e7cb7](https://github.com/curl/curl/commit/415d2e
7cb7), March 2005. In libcurl version 7.56.0, the
parser always zero terminates the string but also
rejects it if not terminated properly with a final
double quote.(CVE-2017-1000254)

- The FTP wildcard function in curl and libcurl before
7.57.0 allows remote attackers to cause a denial of
service (out-of-bounds read and application crash) or
possibly have unspecified other impact via a string
that ends with an '[' character.The FTP wildcard
function in curl and libcurl before 7.57.0 allows
remote attackers to cause a denial of service
(out-of-bounds read and application crash) or possibly
have unspecified other impact via a string that ends
with an '[' character.(CVE-2017-8817)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution

Update the affected curl packages.

See Also

http://www.nessus.org/u?d4a8eaec

Plugin Details

Severity: High

ID: 118418

File Name: EulerOS_SA-2018-1330.nasl

Version: 1.2

Type: local

Published: 2018/10/26

Modified: 2018/11/13

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:curl, cpe:/o:huawei:euleros:uvp:2.5.0

Patch Publication Date: 2018/09/26

Reference Information

CVE: CVE-2016-9586, CVE-2017-1000254, CVE-2017-8817, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122, CVE-2018-1000301