cURL/libcurl 7.x < 7.51.0 Multiple Vulnerabilities

Nessus Network Monitor Plugin ID 9826 (Severity: High)

Synopsis

The host is running a version of cURL/libcurl that is vulnerable to multiple attack vectors.

Description

Versions of cURL and libcurl prior to 7.51.0 are affected by multiple vulnerabilities:

- A flaw exists in the International Domain Names (IDNA) handling when translating domain names to Punycode for DNS resolution. The issue is triggered because the outdated IDNA 2003 standard is used instead of IDNA 2008, e.g. for the German 'LATIN SMALL LETTER SHARP S' Unicode character. This may result in an incorrect translation of a domain name and, in turn, network traffic being directed to a different host than intended. (OSVDB 146555)
- A flaw exists in the 'ConnectionExists()' function in 'lib/url.c' that is triggered when checking credentials supplied for reused connections, as the comparison is case-insensitive. This may allow a remote attacker to authenticate without knowing the proper case of the username and password. (OSVDB 146565)
- An integer truncation flaw exists in the 'curl_easy_unescape()' function in 'lib/escape.c' that is triggered when handling overly large URLs. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code. (OSVDB 146567)
- An integer overflow condition exists in the 'base64_encode()' function in 'lib/base64.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code. (OSVDB 146568)
- A flaw exists in the 'alloc_addbyter()' function in 'lib/mprintf.c' that is triggered as overly long input is not properly validated when supplied to the 'curl_maprintf()' API method. This may allow a context-dependent attacker to free already freed memory and crash a process linked against the library. (OSVDB 146569)
- A use-after-free error exists in 'lib/cookie.c' that is triggered when handling shared cookies. This may allow a context-dependent attacker to dereference already freed memory and potentially disclose memory contents. (OSVDB 146570)
- A flaw exists in the 'parseurlandfillconn()' function in 'lib/url.c' that is triggered when parsing the authority component of a URL whose hostname part ends in a '#' character. This may allow a context-dependent attacker to establish a connection to a different host than intended. (OSVDB 146571)
- A double-free error exists in the 'read_data()' function in 'lib/security.c' that is triggered when handling Kerberos authentication. This may allow a context-dependent attacker to free already freed memory and have an unspecified impact. (OSVDB 146572)
- A flaw exists in the 'Curl_cookie_init()' function in 'lib/cookie.c' that is triggered when handling cookies. This may allow a context-dependent attacker to inject new cookies for arbitrary domains. (OSVDB 146573)
- An out-of-bounds read flaw exists in the 'parsedate()' function in 'lib/parsedate.c' that is triggered when handling dates. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (OSVDB 146574)
- An out-of-bounds access flaw exists in 'tool_urlglob.c' within the globbing feature. This may allow a context-dependent attacker to potentially disclose memory contents or execute arbitrary code. (OSVDB 146575)
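
The IDNA 2003 versus IDNA 2008 mismatch from the first item above, shown as an added example that is not part of the plugin or of the curl code base: Python's standard-library idna codec follows IDNA 2003 (nameprep maps the sharp s to "ss"), while the IDNA 2008-style form is approximated by Punycode-encoding each non-ASCII label directly (an assumption noted in the code; no IDNA 2008 validity checks are performed, and the sample hostnames are constructed).

```python
# Added example (not from the Nessus plugin or the curl project): shows how the
# choice of IDNA standard changes the DNS name derived from a hostname that
# contains U+00DF (German sharp s). Standard library only.
#
# Python's built-in "idna" codec implements IDNA 2003, whose nameprep step maps
# U+00DF to "ss". An IDNA 2008 library instead keeps U+00DF and Punycode-encodes
# the label. Assumption: the sample labels contain no characters that IDNA 2008
# would reject, so plain per-label Punycode stands in for a full IDNA 2008
# implementation here.

def idna2003_encode(hostname: str) -> str:
    """Encode with the IDNA 2003 rules of the stdlib codec (sharp s becomes 'ss')."""
    return hostname.encode("idna").decode("ascii")


def idna2008_style_encode(hostname: str) -> str:
    """Punycode each non-ASCII label with the 'xn--' prefix, keeping sharp s as-is."""
    out = []
    for label in hostname.split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            out.append("xn--" + label.lower().encode("punycode").decode("ascii"))
    return ".".join(out)


def resolves_differently(hostname: str) -> bool:
    """True when the two standards produce different DNS names for one input.

    A client using the IDNA 2003 form will resolve and connect to a different
    host than a client using the IDNA 2008 form, which is the misdirection
    risk described in the advisory.
    """
    return idna2003_encode(hostname) != idna2008_style_encode(hostname)


if __name__ == "__main__":
    # Constructed sample hostnames: one with a sharp s, one plain ASCII.
    for host in ("straße.de", "example.com"):
        print(host, "->", idna2003_encode(host), "vs", idna2008_style_encode(host),
              "(DIVERGES)" if resolves_differently(host) else "(same)")
```

For "straße.de" the two forms are "strasse.de" and "xn--strae-oqa.de", two unrelated DNS names; a defender reviewing client libraries or proxy logs can use such a check to spot hostnames whose destination depends on which IDNA standard the client implements.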

Solution

Upgrade to cURL/libcurl 7.51.0 or later.

See Also

https://curl.haxx.se/docs/adv_20161102F.html

Plugin Details

Severity: High

ID: 9826

File Name: 9826.prm

Family: Web Clients

Published: 2016/12/09

Modified: 2016/12/09

Dependencies: 9772

Nessus ID: 9764

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:haxx:curl

Patch Publication Date: 2016/11/02

Vulnerability Publication Date: 2016/10/31

Reference Information

CVE: CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625

BID: 94094, 94096, 94097, 94098, 94100, 94101, 94102, 94103, 94105, 94106, 94107