Vulnerabilities > CVE-2012-0036 - SQL Injection vulnerability in Curl and Libcurl
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Object Relational Mapping Injection An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.
- SQL Injection through SOAP Parameter Tampering An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
- Expanding Control over the Operating System from the Database An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
- SQL Injection This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:
Nessus
NASL family MacOS X Local Security Checks NASL id MACOSX_10_7_4.NASL description The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.4. The newer version contains numerous security-related fixes for the following components : - Login Window - Bluetooth - curl - HFS - Kernel - libarchive - libsecurity - libxml - LoginUIFramework - PHP - Quartz Composer - QuickTime - Ruby - Security Framework - Time Machine - X11 Note that this update addresses the recent FileVault password vulnerability, in which user passwords are stored in plaintext to a system-wide debug log if the legacy version of FileVault is used to encrypt user directories after a system upgrade to Lion. Since the patch only limits further exposure, though, we recommend that all users on the system change their passwords if user folders were encrypted using the legacy version of FileVault prior to and after an upgrade to OS X 10.7. last seen 2020-06-01 modified 2020-06-02 plugin id 59066 published 2012-05-10 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59066 title Mac OS X 10.7.x < 10.7.4 Multiple Vulnerabilities (BEAST) code # # (C) Tenable Network Security, Inc. # if (!defined_func("bn_random")) exit(0); if (NASL_LEVEL < 3000) exit(0); # Avoid problems with large number of xrefs. include("compat.inc"); if (description) { script_id(59066); script_version("1.27"); script_cvs_date("Date: 2018/07/16 12:48:31"); script_cve_id( "CVE-2011-1004", "CVE-2011-1005", "CVE-2011-1777", "CVE-2011-1778", "CVE-2011-1944", "CVE-2011-2821", "CVE-2011-2834", "CVE-2011-2895", "CVE-2011-3212", "CVE-2011-3389", "CVE-2011-3919", "CVE-2011-4566", "CVE-2011-4815", "CVE-2011-4885", "CVE-2012-0036", "CVE-2012-0642", "CVE-2012-0649", "CVE-2012-0652", "CVE-2012-0654", "CVE-2012-0655", "CVE-2012-0656", "CVE-2012-0657", "CVE-2012-0658", "CVE-2012-0659", "CVE-2012-0660", "CVE-2012-0661", "CVE-2012-0662", "CVE-2012-0675", "CVE-2012-0830" ); script_bugtraq_id( 46458, 46460, 47737, 48056, 49124, 49279, 49658, 49778, 50907, 51193, 51198, 51300, 51665, 51830, 52364, 53456, 53457, 53459, 53462, 53465, 53466, 53467, 53468, 53469, 53470, 53471, 53473 ); script_xref(name:"TRA", value:"TRA-2012-02"); script_xref(name:"CERT", value:"864643"); script_xref(name:"ZDI", value:"ZDI-12-135"); script_name(english:"Mac OS X 10.7.x < 10.7.4 Multiple Vulnerabilities (BEAST)"); script_summary(english:"Check the version of Mac OS X."); script_set_attribute( attribute:"synopsis", value: "The remote host is missing a Mac OS X update that fixes several security issues." ); script_set_attribute( attribute:"description", value: "The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.4. The newer version contains numerous security-related fixes for the following components : - Login Window - Bluetooth - curl - HFS - Kernel - libarchive - libsecurity - libxml - LoginUIFramework - PHP - Quartz Composer - QuickTime - Ruby - Security Framework - Time Machine - X11 Note that this update addresses the recent FileVault password vulnerability, in which user passwords are stored in plaintext to a system-wide debug log if the legacy version of FileVault is used to encrypt user directories after a system upgrade to Lion. Since the patch only limits further exposure, though, we recommend that all users on the system change their passwords if user folders were encrypted using the legacy version of FileVault prior to and after an upgrade to OS X 10.7." ); script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2012-02"); script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5281"); script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2012/May/msg00001.html"); script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-135"); script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2012/Aug/64"); script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2011/09/23/chromeandbeast.html"); script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/tls-cbc.txt"); script_set_attribute( attribute:"solution", value:"Upgrade to Mac OS X 10.7.4 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/02/18"); script_set_attribute(attribute:"patch_publication_date", value:"2012/05/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/10"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_set_attribute(attribute:"in_the_news", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl"); exit(0); } os = get_kb_item("Host/MacOSX/Version"); if (!os) { os = get_kb_item("Host/OS"); if (isnull(os)) exit(0, "The 'Host/OS' KB item is missing."); if ("Mac OS X" >!< os) exit(0, "The host does not appear to be running Mac OS X."); c = get_kb_item("Host/OS/Confidence"); if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence."); } if (!os) exit(0, "The host does not appear to be running Mac OS X."); if (ereg(pattern:"Mac OS X 10\.7($|\.[0-3]([^0-9]|$))", string:os)) security_hole(0); else exit(0, "The host is not affected as it is running "+os+".");
NASL family SuSE Local Security Checks NASL id SUSE_11_4_CURL-120124.NASL description The following vulnerabilities have been fixed in curl : - IMAP, POP3 and SMTP URL sanitization vulnerability (CVE-2012-0036) - disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (CVE-2011-3389) - disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option for older openssl versions (CVE-2010-4180) last seen 2020-06-05 modified 2014-06-13 plugin id 75806 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75806 title openSUSE Security Update : curl (openSUSE-SU-2012:0229-1) (BEAST) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update curl-5702. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(75806); script_version("1.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2010-4180", "CVE-2011-3389", "CVE-2012-0036"); script_name(english:"openSUSE Security Update : curl (openSUSE-SU-2012:0229-1) (BEAST)"); script_summary(english:"Check for the curl-5702 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "The following vulnerabilities have been fixed in curl : - IMAP, POP3 and SMTP URL sanitization vulnerability (CVE-2012-0036) - disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (CVE-2011-3389) - disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option for older openssl versions (CVE-2010-4180)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=740452" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=742306" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2012-02/msg00032.html" ); script_set_attribute(attribute:"solution", value:"Update the affected curl packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4"); script_set_attribute(attribute:"patch_publication_date", value:"2012/01/24"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.4", reference:"curl-7.21.2-10.11.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"curl-debuginfo-7.21.2-10.11.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"libcurl-devel-7.21.2-10.11.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"libcurl4-7.21.2-10.11.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"libcurl4-debuginfo-7.21.2-10.11.1") ) flag++; if ( rpm_check(release:"SUSE11.4", cpu:"x86_64", reference:"libcurl4-32bit-7.21.2-10.11.1") ) flag++; if ( rpm_check(release:"SUSE11.4", cpu:"x86_64", reference:"libcurl4-debuginfo-32bit-7.21.2-10.11.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / libcurl-devel / libcurl4 / libcurl4-32bit / curl-debuginfo / etc"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1346-1.NASL description Dan Fandrich discovered that curl incorrectly handled URLs containing embedded or percent-encoded control characters. If a user or automated system were tricked into processing a specially crafted URL, arbitrary data could be injected. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 57689 published 2012-01-25 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57689 title Ubuntu 10.10 / 11.04 / 11.10 : curl vulnerability (USN-1346-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-1346-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(57689); script_version("1.9"); script_cvs_date("Date: 2019/09/19 12:54:27"); script_cve_id("CVE-2012-0036"); script_xref(name:"USN", value:"1346-1"); script_name(english:"Ubuntu 10.10 / 11.04 / 11.10 : curl vulnerability (USN-1346-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "Dan Fandrich discovered that curl incorrectly handled URLs containing embedded or percent-encoded control characters. If a user or automated system were tricked into processing a specially crafted URL, arbitrary data could be injected. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/1346-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected libcurl3, libcurl3-gnutls and / or libcurl3-nss packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3-gnutls"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3-nss"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/13"); script_set_attribute(attribute:"patch_publication_date", value:"2012/01/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/25"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(10\.10|11\.04|11\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.10 / 11.04 / 11.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"10.10", pkgname:"libcurl3", pkgver:"7.21.0-1ubuntu1.3")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libcurl3-gnutls", pkgver:"7.21.0-1ubuntu1.3")) flag++; if (ubuntu_check(osver:"11.04", pkgname:"libcurl3", pkgver:"7.21.3-1ubuntu1.5")) flag++; if (ubuntu_check(osver:"11.04", pkgname:"libcurl3-gnutls", pkgver:"7.21.3-1ubuntu1.5")) flag++; if (ubuntu_check(osver:"11.04", pkgname:"libcurl3-nss", pkgver:"7.21.3-1ubuntu1.5")) flag++; if (ubuntu_check(osver:"11.10", pkgname:"libcurl3", pkgver:"7.21.6-3ubuntu3.2")) flag++; if (ubuntu_check(osver:"11.10", pkgname:"libcurl3-gnutls", pkgver:"7.21.6-3ubuntu3.2")) flag++; if (ubuntu_check(osver:"11.10", pkgname:"libcurl3-nss", pkgver:"7.21.6-3ubuntu3.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libcurl3 / libcurl3-gnutls / libcurl3-nss"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2012-0888.NASL description reject URLs containing bad data (CVE-2012-0036) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-02-13 plugin id 57897 published 2012-02-13 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57897 title Fedora 15 : curl-7.21.3-13.fc15 (2012-0888) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2012-0888. # include("compat.inc"); if (description) { script_id(57897); script_version("1.11"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2012-0036"); script_bugtraq_id(51665); script_xref(name:"FEDORA", value:"2012-0888"); script_name(english:"Fedora 15 : curl-7.21.3-13.fc15 (2012-0888)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "reject URLs containing bad data (CVE-2012-0036) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=773457" ); # https://lists.fedoraproject.org/pipermail/package-announce/2012-February/073162.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?c0fc804d" ); script_set_attribute(attribute:"solution", value:"Update the affected curl package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:curl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:15"); script_set_attribute(attribute:"patch_publication_date", value:"2012/01/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/02/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^15([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 15.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC15", reference:"curl-7.21.3-13.fc15")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2012-0894.NASL description reject URLs containing bad data (CVE-2012-0036) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-01-30 plugin id 57719 published 2012-01-30 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57719 title Fedora 16 : curl-7.21.7-6.fc16 (2012-0894) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2012-0894. # include("compat.inc"); if (description) { script_id(57719); script_version("1.11"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2012-0036"); script_bugtraq_id(51665); script_xref(name:"FEDORA", value:"2012-0894"); script_name(english:"Fedora 16 : curl-7.21.7-6.fc16 (2012-0894)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "reject URLs containing bad data (CVE-2012-0036) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=773457" ); # https://lists.fedoraproject.org/pipermail/package-announce/2012-January/072531.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1f90ccf0" ); script_set_attribute(attribute:"solution", value:"Update the affected curl package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:curl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16"); script_set_attribute(attribute:"patch_publication_date", value:"2012/01/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^16([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC16", reference:"curl-7.21.7-6.fc16")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-76.NASL description - Fix IMAP, POP3 and SMTP URL sanitization (bnc#740452, CVE-2012-0036) - Disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option when built against an older OpenSSL version (CVE-2010-4180). - Don last seen 2020-06-05 modified 2014-06-13 plugin id 74807 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/74807 title openSUSE Security Update : curl (openSUSE-2012-76) (BEAST) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2012-76. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(74807); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2010-4180", "CVE-2011-3389", "CVE-2012-0036"); script_name(english:"openSUSE Security Update : curl (openSUSE-2012-76) (BEAST)"); script_summary(english:"Check for the openSUSE-2012-76 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Fix IMAP, POP3 and SMTP URL sanitization (bnc#740452, CVE-2012-0036) - Disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option when built against an older OpenSSL version (CVE-2010-4180). - Don't enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (bnc#742306, CVE-2011-3389)." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=740452" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=742306" ); script_set_attribute(attribute:"solution", value:"Update the affected curl packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.1"); script_set_attribute(attribute:"patch_publication_date", value:"2012/01/30"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE12\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE12.1", reference:"curl-7.22.0-2.3.1") ) flag++; if ( rpm_check(release:"SUSE12.1", reference:"curl-debuginfo-7.22.0-2.3.1") ) flag++; if ( rpm_check(release:"SUSE12.1", reference:"libcurl-devel-7.22.0-2.3.1") ) flag++; if ( rpm_check(release:"SUSE12.1", reference:"libcurl4-7.22.0-2.3.1") ) flag++; if ( rpm_check(release:"SUSE12.1", reference:"libcurl4-debuginfo-7.22.0-2.3.1") ) flag++; if ( rpm_check(release:"SUSE12.1", cpu:"x86_64", reference:"libcurl4-32bit-7.22.0-2.3.1") ) flag++; if ( rpm_check(release:"SUSE12.1", cpu:"x86_64", reference:"libcurl4-debuginfo-32bit-7.22.0-2.3.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / curl-debuginfo / libcurl-devel / libcurl4-32bit / libcurl4 / etc"); }
NASL family Web Servers NASL id HPSMH_7_1_1_1.NASL description According to the web server last seen 2020-06-01 modified 2020-06-02 plugin id 59851 published 2012-07-05 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59851 title HP System Management Homepage < 7.1.1 Multiple Vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2012-058.NASL description Multiple vulnerabilities has been found and corrected in curl : curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer. A work-around has been added to mitigate the problem (CVE-2011-3389). curl is vulnerable to a data injection attack for certain protocols through control characters embedded or percent-encoded in URLs (CVE-2012-0036). The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 58759 published 2012-04-16 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/58759 title Mandriva Linux Security Advisory : curl (MDVSA-2012:058) NASL family SuSE Local Security Checks NASL id SUSE_CURL-7937.NASL description This update to curl fixes the following security issue : - Don last seen 2020-06-05 modified 2012-02-06 plugin id 57842 published 2012-02-06 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57842 title SuSE 10 Security Update : curl (ZYPP Patch Number 7937) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201203-02.NASL description The remote host is affected by the vulnerability described in GLSA-201203-02 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been found in cURL: When zlib is enabled, the amount of data sent to an application for automatic decompression is not restricted (CVE-2010-0734). When performing GSSAPI authentication, credential delegation is always used (CVE-2011-2192). When SSL is enabled, cURL improperly disables the OpenSSL workaround to mitigate an information disclosure vulnerability in the SSL and TLS protocols (CVE-2011-3389). libcurl does not properly verify file paths for escape control characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036). Impact : A remote attacker could entice a user or automated process to open a specially crafted file or URL using cURL, possibly resulting in the remote execution of arbitrary code, a Denial of Service condition, disclosure of sensitive information, or unwanted actions performed via the IMAP, POP3 or SMTP protocols. Furthermore, remote servers may be able to impersonate clients via GSSAPI requests. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 58212 published 2012-03-06 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/58212 title GLSA-201203-02 : cURL: Multiple vulnerabilities (BEAST) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2398.NASL description Several vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2011-3389 This update enables OpenSSL workarounds against the last seen 2020-03-17 modified 2012-01-31 plugin id 57738 published 2012-01-31 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57738 title Debian DSA-2398-2 : curl - several vulnerabilities (BEAST)
References
- http://curl.haxx.se/curl-url-sanitize.patch
- http://curl.haxx.se/docs/adv_20120124.html
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://secunia.com/advisories/48256
- http://security.gentoo.org/glsa/glsa-201203-02.xml
- http://support.apple.com/kb/HT5281
- http://www.debian.org/security/2012/dsa-2398
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/51665
- http://www.securitytracker.com/id/1032924
- https://bugzilla.redhat.com/show_bug.cgi?id=773457
- https://github.com/bagder/curl/commit/75ca568fa1c19de4c5358fed246686de8467c238
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03760en_us