FreeBSD : cURL -- multiple vulnerabilities (6294f75f-03f2-11e5-aab1-d050996490d0)

medium Nessus Plugin ID 83842

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

cURL reports:

libcurl keeps a pool of its last few connections around after use to facilitate easy, convenient, and completely transparent connection re-use for applications.

When doing HTTP requests NTLM authenticated, the entire connection becomes authenticated and not just the specific HTTP request which is otherwise how HTTP works. This makes NTLM special and a subject for special treatment in the code. With NTLM, once the connection is authenticated, no further authentication is necessary until the connection gets closed.

When doing HTTP requests Negotiate authenticated, the entire connection may become authenticated and not just the specific HTTP request which is otherwise how HTTP works, as Negotiate can basically use NTLM under the hood. curl was not adhering to this fact but would assume that such requests would also be authenticated per request.
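The defensive rule the two paragraphs above lead to is that a pooled connection authenticated with NTLM, or with Negotiate (since it may be NTLM underneath), carries an identity and must not be handed to a request made as someone else. The C below is an added illustration of such a reuse check and is not libcurl's own code; the struct layouts, the `auth_scheme` enum, the helper names and the policy that a bound connection is only reused by a request presenting the same scheme and credentials are assumptions of this example, not details from the advisory.

```c
#include <stdio.h>
#include <string.h>

/* How far an authentication scheme's effect reaches. Basic and Digest are
 * per-request. NTLM authenticates the whole connection, and Negotiate may use
 * NTLM underneath, so the advisory's point is that it must be handled the
 * same way. (Illustrative enum, not libcurl's.) */
enum auth_scheme { AUTH_NONE, AUTH_BASIC, AUTH_DIGEST, AUTH_NTLM, AUTH_NEGOTIATE };

struct pooled_conn {
    const char *host;
    int port;
    enum auth_scheme scheme;  /* scheme the connection was authenticated with */
    const char *user;         /* identity bound to the connection, if any */
};

struct request {
    const char *host;
    int port;
    enum auth_scheme scheme;  /* scheme the request wants to use */
    const char *user;
};

static int str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Schemes whose success binds an identity to the socket rather than to one
 * request. Negotiate is listed with NTLM on purpose. */
static int connection_scoped(enum auth_scheme s)
{
    return s == AUTH_NTLM || s == AUTH_NEGOTIATE;
}

/* Return 1 if the pooled connection may serve the request.
 * Policy (an assumption of this example): a connection already authenticated
 * with a connection-scoped scheme is only reused by a request that presents
 * the same scheme and the same credentials; any other connection carries no
 * identity and may be reused, the request authenticating itself as needed. */
int can_reuse(const struct pooled_conn *c, const struct request *r)
{
    if (!str_eq(c->host, r->host) || c->port != r->port)
        return 0;
    if (connection_scoped(c->scheme))
        return c->scheme == r->scheme && str_eq(c->user, r->user);
    return 1;
}

/* Index of the first pool entry that may serve the request, or -1. */
int find_reusable(const struct pooled_conn *pool, int n, const struct request *r)
{
    int i;
    for (i = 0; i < n; i++)
        if (can_reuse(&pool[i], r))
            return i;
    return -1;
}

/* Convenience wrapper so a scenario can be expressed in one call. */
int reuse_ok(const char *chost, int cport, enum auth_scheme cs, const char *cuser,
             const char *rhost, int rport, enum auth_scheme rs, const char *ruser)
{
    struct pooled_conn c = { chost, cport, cs, cuser };
    struct request r = { rhost, rport, rs, ruser };
    return can_reuse(&c, &r);
}

int main(void)
{
    /* Constructed pool: one Negotiate-authenticated connection bound to alice,
     * plus one that has never authenticated. */
    struct pooled_conn pool[] = {
        { "intranet.example", 80, AUTH_NEGOTIATE, "alice" },
        { "intranet.example", 80, AUTH_NONE, NULL },
    };
    struct request as_bob = { "intranet.example", 80, AUTH_NEGOTIATE, "bob" };
    struct request as_alice = { "intranet.example", 80, AUTH_NEGOTIATE, "alice" };

    /* bob is steered past alice's socket to the unbound one (index 1);
     * alice gets her own connection back (index 0). */
    printf("bob   -> pool index %d\n", find_reusable(pool, 2, &as_bob));
    printf("alice -> pool index %d\n", find_reusable(pool, 2, &as_alice));
    return 0;
}
```

The check is deliberately conservative: a Basic or Digest request is also refused a socket bound to another user's NTLM or Negotiate identity, because whatever the request sends, the server already treats that connection as that user.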

libcurl supports HTTP 'cookies' as documented in RFC 6265. Together with each individual cookie there are several different properties, but for this vulnerability we focus on the associated 'path' element. It tells information about for which path on a given host the cookie is valid.

The internal libcurl function called sanitize_cookie_path() that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus destroying heap memory it wasn't supposed to.

There is a private function in libcurl called fix_hostname() that removes a trailing dot from the host name if there is one. The function is called after the host name has been extracted from the URL libcurl has been told to act on.

If a URL is given with a zero-length host name, like in 'http://:80' or just ':80', fix_hostname() will index the host name pointer with a -1 offset (as it blindly assumes a non-zero length) and both read and assign that address.
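The two memory-safety bugs above have the same shape: a string of length 0 or 1 indexed at `len - 1` without first checking `len`. The C below is an added illustration, not libcurl's own code, of both operations written with the length guard in place; the function names `strip_trailing_dot` and `sanitize_path`, the use of "/" to stand in for RFC 6265's default-path, and the sample inputs are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Remove one trailing dot from a host name in place (the job the advisory
 * attributes to fix_hostname()). Returns 1 if a dot was removed.
 * The advisory says the pre-fix code indexed the name at offset -1 when the
 * host name was empty ('http://:80'); the len > 0 check is the guard that
 * makes an empty name a no-op instead of an out-of-bounds read and write. */
int strip_trailing_dot(char *host)
{
    size_t len = strlen(host);
    if (len > 0 && host[len - 1] == '.') {
        host[len - 1] = '\0';
        return 1;
    }
    return 0;
}

/* Copy `len` bytes of `s` into a fresh NUL-terminated buffer; caller frees. */
static char *dup_range(const char *s, size_t len)
{
    char *out = malloc(len + 1);
    if (out) {
        memcpy(out, s, len);
        out[len] = '\0';
    }
    return out;
}

/* Clean a cookie Path attribute value: drop one pair of surrounding double
 * quotes, apply the RFC 6265 5.2.4 rule that an empty value or one not
 * starting with '/' gets the default-path ("/" stands in for it here; the
 * real default-path is derived from the request URI), and drop a trailing
 * slash. Returns a newly allocated string or NULL on allocation failure.
 * The case from the advisory is a value that is a single double-quote: after
 * the opening quote is skipped, len is 0, and code that then looks at
 * start[len - 1] for a closing quote touches index -1. Every index below is
 * guarded by a length check first. */
char *sanitize_path(const char *path)
{
    size_t len = strlen(path);
    const char *start = path;
    char *out;

    if (len > 0 && start[0] == '"') {      /* opening quote */
        start++;
        len--;
    }
    if (len > 0 && start[len - 1] == '"')  /* closing quote, only if bytes remain */
        len--;

    if (len == 0 || start[0] != '/')       /* RFC 6265 5.2.4 default-path rule */
        return dup_range("/", 1);

    out = dup_range(start, len);
    if (out && len > 1 && out[len - 1] == '/')   /* "/docs/" -> "/docs", keep "/" */
        out[len - 1] = '\0';
    return out;
}

/* Helpers that return 1 when the function's output equals `expect`. */
int strip_matches(const char *in, const char *expect)
{
    char buf[256];
    if (strlen(in) >= sizeof buf)
        return 0;
    strcpy(buf, in);
    strip_trailing_dot(buf);
    return strcmp(buf, expect) == 0;
}

int sanitize_matches(const char *in, const char *expect)
{
    char *out = sanitize_path(in);
    int ok = out != NULL && strcmp(out, expect) == 0;
    free(out);
    return ok;
}

int main(void)
{
    /* Constructed inputs, including the two edge cases from the advisory:
     * an empty host name and a path that is a lone double-quote. */
    const char *hosts[] = { "", "example.com.", "." };
    const char *paths[] = { "\"", "\"/docs/\"", "/", "docs" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        strcpy(buf, hosts[i]);
        strip_trailing_dot(buf);
        printf("host '%s' -> '%s'\n", hosts[i], buf);
    }
    for (i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        char *p = sanitize_path(paths[i]);
        printf("path '%s' -> '%s'\n", paths[i], p ? p : "(alloc failed)");
        free(p);
    }
    return 0;
}
```

The pattern worth carrying into review of any string-trimming code is that every `buf[len - 1]` must sit behind a `len > 0` test that accounts for earlier trimming having already shortened `len`.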

Solution

Update the affected package.

See Also

https://curl.haxx.se/docs/CVE-2015-3143.html

https://curl.haxx.se/docs/CVE-2015-3148.html

https://curl.haxx.se/docs/CVE-2015-3145.html

https://curl.haxx.se/docs/CVE-2015-3144.html

http://www.nessus.org/u?49129c0d

Plugin Details

Severity: Medium

ID: 83842

File Name: freebsd_pkg_6294f75f03f211e5aab1d050996490d0.nasl

Version: 2.6

Type: local

Published: 5/27/2015

Updated: 1/6/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:curl, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 5/26/2015

Vulnerability Publication Date: 4/22/2015

Reference Information

CVE: CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, CVE-2015-3148