Synopsis
The remote Amazon Linux 2023 host is missing a security update.
Description
The curl package installed on the remote host is affected by multiple vulnerabilities, as referenced in the ALAS2023-2023-083 advisory.
    2024-02-15: CVE-2022-27781 was added to this advisory.
    A vulnerability was found in curl. This security flaw allows reusing OAUTH2-authenticated connections without properly ensuring that the connection was authenticated with the same credentials set for this transfer. This issue leads to an authentication bypass, either by mistake or by a malicious actor. (CVE-2022-22576)
    A vulnerability was found in curl. This security flaw allows leaking credentials to other servers when it follows redirects from auth-protected HTTP(S) URLs to other protocols and port numbers. (CVE-2022-27774)
    A vulnerability was found in curl. This security flaw occurs due to errors in the logic where the config matching function did not take the IPv6 address zone id into account. This issue can lead to curl reusing the wrong connection when one transfer uses a zone id, and the subsequent transfer uses another. (CVE-2022-27775)
    A vulnerability was found in curl. This security flaw allows leaking authentication or cookie header data on HTTP redirects to the same host but another port number. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:` headers. Those headers often contain privacy-sensitive information or data. (CVE-2022-27776)
    A vulnerability was found in curl. The issue occurs because curl wrongly allows HTTP cookies to be set for Top Level Domains (TLDs) if the hostname is provided with a trailing dot. This flaw allows arbitrary sites to set cookies that get sent to a different and unrelated site or domain by a malicious actor. (CVE-2022-27779)
    A vulnerability was found in curl. This issue occurs because the curl URL parser wrongly accepts percent-encoded URL separators like / when decoding the hostname part of a URL, making it a different URL using the wrong hostname when it is later retrieved. This flaw allows a malicious actor to circumvent filters. (CVE-2022-27780)
    libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information. (CVE-2022-27781)
    A vulnerability was found in curl. This issue occurs because curl can reuse a previously created connection even when a TLS or SSH-related option is changed that should have prohibited reuse. This flaw leads to an authentication bypass, either by mistake or by a malicious actor. (CVE-2022-27782)
    A vulnerability was found in curl. This issue occurs because when using its HTTP Strict Transport Security (HSTS) support, it can instruct curl to use HTTPS directly instead of using an insecure clear text HTTP step even when HTTP is provided in the URL. This flaw leads to a clear text transmission of sensitive information. (CVE-2022-30115)
    A vulnerability was found in curl. This issue occurs because a malicious server can serve excessive amounts of `Set-Cookie:` headers in an HTTP response to curl, which stores all of them. This flaw leads to a denial of service, either by mistake or by a malicious actor. (CVE-2022-32205)
    A vulnerability was found in curl. This issue occurs because the number of acceptable links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. This flaw leads to a denial of service, either by mistake or by a malicious actor. (CVE-2022-32206)
    A vulnerability was found in curl. This issue occurs because when curl saves cookies, alt-svc, and HSTS data to local files, it makes the operation atomic by finalizing the process with a rename from a temporary name to the final target file name. This flaw leads to unpreserved file permissions, either by mistake or by a malicious actor. (CVE-2022-32207)
    A vulnerability was found in curl. This issue occurs because it mishandles message verification failures when curl does FTP transfers secured by krb5. This flaw makes it possible for a man-in-the-middle attack to go unnoticed and allows data injection into the client. (CVE-2022-32208)
    A vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback () to ask for data to send, even when the option has been set if it previously used the same handle to issue a request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent request. (CVE-2022-32221)
    A vulnerability was found in curl. This security flaw happens when curl is used to retrieve and parse cookies from an HTTP(S) server, where it accepts cookies using control codes (byte values below 32), and also when cookies that contain such control codes are later sent back to an HTTP(S) server, possibly causing the server to return a 400 response. This issue effectively allows a sister site to deny service to siblings and cause a denial of service attack. (CVE-2022-35252)
    A vulnerability was found in curl. The issue occurs when curl is told to parse a `.netrc` file for credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl could read past the end of the stack-based buffer, and if the read works, it can write a zero byte beyond its boundary. This issue, in most cases, causes a segfault or similar problem. A denial of service can occur if a malicious user can provide a custom netrc file to an application or otherwise affect its contents. (CVE-2022-35260)
    A vulnerability was found in curl. The issue occurs if curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL. It sets up the connection to the remote server by issuing a `CONNECT` request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 response code to the client. Due to flaws in the error/cleanup handling, this could trigger a double-free issue in curl if using one of the following schemes in the URL for the transfer: `dict`, `gopher`, `gophers`, `ldap`, `ldaps`, `rtmp`, `rtmps`, `telnet`. (CVE-2022-42915)
    A vulnerability was found in curl. The issue occurs because curl's HSTS check can be bypassed to trick it to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism can be bypassed if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). (CVE-2022-42916)
    A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion, like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer, because it would store the info IDN encoded but look for it IDN decoded. (CVE-2022-43551)
    A vulnerability was found in curl. In this issue, curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can deny these tunnel operations using an appropriate HTTP error response code. When getting denied to tunnel the specific SMB or TELNET protocols, curl can use a heap-allocated struct after it has been freed, in its transfer shutdown code path. (CVE-2022-43552)
Tenable has extracted the preceding description block directly from the tested product security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Run 'dnf update curl --releasever=2023.0.20230222' to update your system.
Plugin Details
File Name: al2023_ALAS2023-2023-083.nasl
Agent: unix
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:amazon:linux:libcurl, p-cpe:/a:amazon:linux:libcurl-devel, p-cpe:/a:amazon:linux:curl-debugsource, cpe:/o:amazon:linux:2023, p-cpe:/a:amazon:linux:curl, p-cpe:/a:amazon:linux:curl-debuginfo, p-cpe:/a:amazon:linux:curl-minimal, p-cpe:/a:amazon:linux:curl-minimal-debuginfo, p-cpe:/a:amazon:linux:libcurl-debuginfo, p-cpe:/a:amazon:linux:libcurl-minimal, p-cpe:/a:amazon:linux:libcurl-minimal-debuginfo
Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 2/17/2023
Vulnerability Publication Date: 4/28/2022
Reference Information
CVE: CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776, CVE-2022-27779, CVE-2022-27780, CVE-2022-27781, CVE-2022-27782, CVE-2022-30115, CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32208, CVE-2022-32221, CVE-2022-35252, CVE-2022-35260, CVE-2022-42915, CVE-2022-42916, CVE-2022-43551, CVE-2022-43552
IAVA: 2022-A-0224-S, 2022-A-0255-S, 2022-A-0350-S, 2022-A-0451-S, 2023-A-0008-S