The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5894-1 advisory.

  - curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as     `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a     flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized     data from a stack based buffer to the server, resulting in potentially revealing sensitive internal     information to the server using a clear-text network protocol. (CVE-2021-22898)

  - curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used     option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for     sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer     to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-     text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing     the string provided by the application. (CVE-2021-22925)

  - A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all     protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
    When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct     after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Ubuntu 16.04 ESM : curl vulnerabilities (USN-5894-1)

medium Nessus Plugin ID 171954

Version 1.2