NewStart CGSL MAIN 6.02 : curl Multiple Vulnerabilities (NS-SA-2024-0050)

Severity: Critical | Nessus Plugin ID 206854

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.02, has curl packages installed that are affected by multiple vulnerabilities:

- The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL. (CVE-2009-0037)

- The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests. (CVE-2011-2192)

- curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol. (CVE-2012-0036)

- Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP, or (3) IMAP message. (CVE-2013-0249)

- The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. (CVE-2013-1944)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL curl packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/notice/NS-SA-2024-0050

https://security.gd-linux.com/info/CVE-2009-0037

https://security.gd-linux.com/info/CVE-2011-2192

https://security.gd-linux.com/info/CVE-2012-0036

https://security.gd-linux.com/info/CVE-2013-0249

https://security.gd-linux.com/info/CVE-2013-1944

https://security.gd-linux.com/info/CVE-2013-2174

https://security.gd-linux.com/info/CVE-2014-0015

https://security.gd-linux.com/info/CVE-2014-0138

https://security.gd-linux.com/info/CVE-2014-3613

https://security.gd-linux.com/info/CVE-2014-3620

https://security.gd-linux.com/info/CVE-2014-3707

https://security.gd-linux.com/info/CVE-2014-8150

https://security.gd-linux.com/info/CVE-2016-8621

https://security.gd-linux.com/info/CVE-2016-8622

https://security.gd-linux.com/info/CVE-2016-8623

https://security.gd-linux.com/info/CVE-2016-8624

https://security.gd-linux.com/info/CVE-2016-8625

https://security.gd-linux.com/info/CVE-2016-9586

https://security.gd-linux.com/info/CVE-2017-1000099

https://security.gd-linux.com/info/CVE-2017-1000100

https://security.gd-linux.com/info/CVE-2017-1000101

https://security.gd-linux.com/info/CVE-2017-1000254

https://security.gd-linux.com/info/CVE-2017-1000257

https://security.gd-linux.com/info/CVE-2017-2629

https://security.gd-linux.com/info/CVE-2017-7407

https://security.gd-linux.com/info/CVE-2017-7468

https://security.gd-linux.com/info/CVE-2017-8816

https://security.gd-linux.com/info/CVE-2017-8817

https://security.gd-linux.com/info/CVE-2017-8818

https://security.gd-linux.com/info/CVE-2018-0500

https://security.gd-linux.com/info/CVE-2018-1000005

https://security.gd-linux.com/info/CVE-2018-1000007

https://security.gd-linux.com/info/CVE-2018-1000120

https://security.gd-linux.com/info/CVE-2018-1000121

https://security.gd-linux.com/info/CVE-2018-1000122

https://security.gd-linux.com/info/CVE-2018-1000300

https://security.gd-linux.com/info/CVE-2018-1000301

https://security.gd-linux.com/info/CVE-2018-16839

https://security.gd-linux.com/info/CVE-2018-16840

https://security.gd-linux.com/info/CVE-2018-16842

https://security.gd-linux.com/info/CVE-2023-38546

https://security.gd-linux.com/info/CVE-2015-3143

https://security.gd-linux.com/info/CVE-2015-3144

https://security.gd-linux.com/info/CVE-2015-3145

https://security.gd-linux.com/info/CVE-2015-3148

https://security.gd-linux.com/info/CVE-2015-3153

https://security.gd-linux.com/info/CVE-2015-3236

https://security.gd-linux.com/info/CVE-2015-3237

https://security.gd-linux.com/info/CVE-2016-0755

https://security.gd-linux.com/info/CVE-2016-5419

https://security.gd-linux.com/info/CVE-2016-5420

https://security.gd-linux.com/info/CVE-2016-5421

https://security.gd-linux.com/info/CVE-2016-7167

https://security.gd-linux.com/info/CVE-2016-8615

https://security.gd-linux.com/info/CVE-2016-8616

https://security.gd-linux.com/info/CVE-2016-8617

https://security.gd-linux.com/info/CVE-2016-8618

https://security.gd-linux.com/info/CVE-2016-8619

https://security.gd-linux.com/info/CVE-2016-8620

Plugin Details

Severity: Critical

ID: 206854

File Name: newstart_cgsl_NS-SA-2024-0050_curl.nasl

Version: 1.2

Type: local

Published: 9/10/2024

Updated: 9/10/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2015-3144

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2018-16840

Vulnerability Information

CPE: cpe:/o:zte:cgsl_main:6, p-cpe:/a:zte:cgsl_main:libcurl-devel, p-cpe:/a:zte:cgsl_main:libcurl, p-cpe:/a:zte:cgsl_main:curl

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/3/2024

Vulnerability Publication Date: 3/3/2009

Reference Information

CVE: CVE-2009-0037, CVE-2011-2192, CVE-2012-0036, CVE-2013-0249, CVE-2013-1944, CVE-2013-2174, CVE-2014-0015, CVE-2014-0138, CVE-2014-3613, CVE-2014-3620, CVE-2014-3707, CVE-2014-8150, CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, CVE-2015-3148, CVE-2015-3153, CVE-2015-3236, CVE-2015-3237, CVE-2016-0755, CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625, CVE-2016-9586, CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254, CVE-2017-1000257, CVE-2017-2629, CVE-2017-7407, CVE-2017-7468, CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-0500, CVE-2018-1000005, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122, CVE-2018-1000300, CVE-2018-1000301, CVE-2018-16839, CVE-2018-16840, CVE-2018-16842, CVE-2023-38546

IAVA: 2023-A-0531-S