Vulnerabilities > CVE-2015-3143 - Permissions, Privileges, and Access Controls vulnerability in multiple products

cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.

Vulnerable Configurations

Part	Description	Count
Application	Haxx Haxx Curl 7.21.3 Haxx Curl 7.15.1 Haxx Curl 7.24.0 Haxx Curl 7.16.1 Haxx Curl 7.13.0 Haxx Curl 7.35.0 Haxx Curl 7.18.0 Haxx Curl 7.14.1 Haxx Curl 7.21.5 Haxx Curl 7.21.1 Haxx Curl 7.12.1 Haxx Curl 7.32.0 Haxx Curl 7.16.2 Haxx Curl 7.40.0 Haxx Curl 7.17.1 Haxx Curl 7.19.1 Haxx Curl 7.12.2 Haxx Curl 7.15.2 Haxx Curl 7.19.6 Haxx Curl 7.29.0 Haxx Curl 7.15.0 Haxx Curl 7.22.0 Haxx Curl 7.33.0 Haxx Curl 7.16.0 Haxx Curl 7.10.6 Haxx Curl 7.13.1 Haxx Curl 7.10.8 Haxx Curl 7.20.0 Haxx Curl 7.20.1 Haxx Curl 7.26.0 Haxx Curl 7.19.7 Haxx Curl 7.19.3 Haxx Curl 7.23.1 Haxx Curl 7.25.0 Haxx Curl 7.36.0 Haxx Curl 7.19.0 Haxx Curl 7.12.0 Haxx Curl 7.21.6 Haxx Curl 7.30.0 Haxx Curl 7.27.0 Haxx Curl 7.38.0 Haxx Curl 7.17.0 Haxx Curl 7.12.3 Haxx Curl 7.14.0 Haxx Curl 7.19.4 Haxx Curl 7.15.3 Haxx Curl 7.15.5 Haxx Curl 7.21.2 Haxx Curl 7.31.0 Haxx Curl 7.11.2 Haxx Curl 7.16.4 Haxx Curl 7.41.0 Haxx Curl 7.10.7 Haxx Curl 7.34.0 Haxx Curl 7.21.0 Haxx Curl 7.13.2 Haxx Curl 7.28.0 Haxx Curl 7.11.1 Haxx Curl 7.23.0 Haxx Curl 7.28.1 Haxx Curl 7.18.1 Haxx Curl 7.18.2 Haxx Curl 7.37.1 Haxx Curl 7.21.4 Haxx Curl 7.19.2 Haxx Curl 7.39.0 Haxx Curl 7.16.3 Haxx Curl 7.21.7 Haxx Curl 7.15.4 Haxx Curl 7.19.5 Haxx Curl 7.11.0 Haxx Libcurl 7.19.0 Haxx Libcurl 7.19.6 Haxx Libcurl 7.21.2 Haxx Libcurl 7.11.2 Haxx Libcurl 7.37.0 Haxx Libcurl 7.40.0 Haxx Libcurl 7.17.1 Haxx Libcurl 7.19.4 Haxx Libcurl 7.30.0 Haxx Libcurl 7.25.0 Haxx Libcurl 7.12.0 Haxx Libcurl 7.21.3 Haxx Libcurl 7.16.4 Haxx Libcurl 7.12.3 Haxx Libcurl 7.33.0 Haxx Libcurl 7.18.0 Haxx Libcurl 7.23.0 Haxx Libcurl 7.19.1 Haxx Libcurl 7.26.0 Haxx Libcurl 7.36.0 Haxx Libcurl 7.15.2 Haxx Libcurl 7.16.0 Haxx Libcurl 7.16.2 Haxx Libcurl 7.34.0 Haxx Libcurl 7.31.0 Haxx Libcurl 7.15.5 Haxx Libcurl 7.35.0 Haxx Libcurl 7.22.0 Haxx Libcurl 7.20.0 Haxx Libcurl 7.21.0 Haxx Libcurl 7.14.1 Haxx Libcurl 7.28.0 Haxx Libcurl 7.11.1 Haxx Libcurl 7.18.2 Haxx Libcurl 7.13.0 Haxx Libcurl 7.21.5 Haxx Libcurl 7.15.1 Haxx Libcurl 7.19.3 Haxx Libcurl 7.17.0 Haxx Libcurl 7.24.0 Haxx Libcurl 7.13.1 Haxx Libcurl 7.10.8 Haxx Libcurl 7.27.0 Haxx Libcurl 7.15.3 Haxx Libcurl 7.19.7 Haxx Libcurl 7.12.1 Haxx Libcurl 7.10.6 Haxx Libcurl 7.41.0 Haxx Libcurl 7.23.1 Haxx Libcurl 7.21.6 Haxx Libcurl 7.19.5 Haxx Libcurl 7.14.0 Haxx Libcurl 7.21.7 Haxx Libcurl 7.21.1 Haxx Libcurl 7.38.0 Haxx Libcurl 7.16.3 Haxx Libcurl 7.13.2 Haxx Libcurl 7.15.4 Haxx Libcurl 7.20.1 Haxx Libcurl 7.11.0 Haxx Libcurl 7.16.1 Haxx Libcurl 7.32.0 Haxx Libcurl 7.29.0 Haxx Libcurl 7.37.1 Haxx Libcurl 7.18.1 Haxx Libcurl 7.10.7 Haxx Libcurl 7.28.1 Haxx Libcurl 7.12.2 Haxx Libcurl 7.39 Haxx Libcurl 7.15.0 Haxx Libcurl 7.21.4 Haxx Libcurl 7.19.2	143
Application	Hp HP System Management Homepage - HP System Management Homepage 2.0.0 HP System Management Homepage 2.0.1 HP System Management Homepage 2.0.1.104 HP System Management Homepage 2.0.2 HP System Management Homepage 2.0.2.106 HP System Management Homepage 2.1 HP System Management Homepage 2.1.0-103 HP System Management Homepage 2.1.0-103$A$ HP System Management Homepage 2.1.0-109 HP System Management Homepage 2.1.0-118 HP System Management Homepage 2.1.0.121 HP System Management Homepage 2.1.1 HP System Management Homepage 2.1.2 HP System Management Homepage 2.1.2-127 HP System Management Homepage 2.1.2.127 HP System Management Homepage 2.1.3 HP System Management Homepage 2.1.3.132 HP System Management Homepage 2.1.4 HP System Management Homepage 2.1.4-143 HP System Management Homepage 2.1.4.143 HP System Management Homepage 2.1.5 HP System Management Homepage 2.1.5-146 HP System Management Homepage 2.1.5.146 HP System Management Homepage 2.1.6 HP System Management Homepage 2.1.6-156 HP System Management Homepage 2.1.6.156 HP System Management Homepage 2.1.7 HP System Management Homepage 2.1.7-168 HP System Management Homepage 2.1.7.168 HP System Management Homepage 2.1.8 HP System Management Homepage 2.1.8-177 HP System Management Homepage 2.1.8.179 HP System Management Homepage 2.1.9 HP System Management Homepage 2.1.9-178 HP System Management Homepage 2.1.10 HP System Management Homepage 2.1.10-186 HP System Management Homepage 2.1.10.186 HP System Management Homepage 2.1.11 HP System Management Homepage 2.1.11-197 HP System Management Homepage 2.1.11.197 HP System Management Homepage 2.1.12-118 HP System Management Homepage 2.1.12-200 HP System Management Homepage 2.1.12.201 HP System Management Homepage 2.1.14 HP System Management Homepage 2.1.14.20 HP System Management Homepage 2.1.15 HP System Management Homepage 2.1.15-210 HP System Management Homepage 2.1.15.210 HP System Management Homepage 2.2.6 HP System Management Homepage 2.2.8 HP System Management Homepage 3.0.0 HP System Management Homepage 3.0.0-68 HP System Management Homepage 3.0.0.64 HP System Management Homepage 3.0.1 HP System Management Homepage 3.0.1-73 HP System Management Homepage 3.0.1.73 HP System Management Homepage 3.0.2 HP System Management Homepage 3.0.2-77 HP System Management Homepage 3.0.2.77 HP System Management Homepage 3.2.2 HP System Management Homepage 3.2.7 HP System Management Homepage 6.0 HP System Management Homepage 6.0.0-95 HP System Management Homepage 6.0.0.96 HP System Management Homepage 6.1 HP System Management Homepage 6.1.0-103 HP System Management Homepage 6.1.0.102 HP System Management Homepage 6.2.0 HP System Management Homepage 6.2.2.7 HP System Management Homepage 6.3.0 HP System Management Homepage 6.3.1 HP System Management Homepage 7.0 HP System Management Homepage 7.1 HP System Management Homepage 7.2 HP System Management Homepage 7.2.1 HP System Management Homepage 7.4.0 HP System Management Homepage 7.5.3.1	82
OS	Canonical Canonical Ubuntu Linux 12.04 Canonical Ubuntu Linux 14.10 Canonical Ubuntu Linux 14.04 Canonical Ubuntu Linux 15.04	4
OS	Debian Debian Debian Linux 7.0	1
OS	Apple Apple MAC OS X 10.10.0 Apple MAC OS X - Apple MAC OS X 10.0 Apple MAC OS X 10.0.0 Apple MAC OS X 10.0.1 Apple MAC OS X 10.0.2 Apple MAC OS X 10.0.3 Apple MAC OS X 10.0.4 Apple MAC OS X 10.1 Apple MAC OS X 10.1.0 Apple MAC OS X 10.1.1 Apple MAC OS X 10.1.2 Apple MAC OS X 10.1.3 Apple MAC OS X 10.1.4 Apple MAC OS X 10.1.5 Apple MAC OS X 10.2 Apple MAC OS X 10.2.0 Apple MAC OS X 10.2.1 Apple MAC OS X 10.2.2 Apple MAC OS X 10.2.3 Apple MAC OS X 10.2.4 Apple MAC OS X 10.2.5 Apple MAC OS X 10.2.6 Apple MAC OS X 10.2.7 Apple MAC OS X 10.2.8 Apple MAC OS X 10.3 Apple MAC OS X 10.3.0 Apple MAC OS X 10.3.1 Apple MAC OS X 10.3.2 Apple MAC OS X 10.3.3 Apple MAC OS X 10.3.4 Apple MAC OS X 10.3.5 Apple MAC OS X 10.3.6 Apple MAC OS X 10.3.7 Apple MAC OS X 10.3.8 Apple MAC OS X 10.3.9 Apple MAC OS X 10.4 Apple MAC OS X 10.4.0 Apple MAC OS X 10.4.1 Apple MAC OS X 10.4.2 Apple MAC OS X 10.4.3 Apple MAC OS X 10.4.4 Apple MAC OS X 10.4.5 Apple MAC OS X 10.4.6 Apple MAC OS X 10.4.7 Apple MAC OS X 10.4.8 Apple MAC OS X 10.4.9 Apple MAC OS X 10.4.10 Apple MAC OS X 10.4.11 Apple MAC OS X 10.5 Apple MAC OS X 10.5.0 Apple MAC OS X 10.5.1 Apple MAC OS X 10.5.2 Apple MAC OS X 10.5.3 Apple MAC OS X 10.5.4 Apple MAC OS X 10.5.5 Apple MAC OS X 10.5.6 Apple MAC OS X 10.5.7 Apple MAC OS X 10.5.8 Apple MAC OS X 10.6.0 Apple MAC OS X 10.6.1 Apple MAC OS X 10.6.2 Apple MAC OS X 10.6.3 Apple MAC OS X 10.6.4 Apple MAC OS X 10.6.5 Apple MAC OS X 10.6.6 Apple MAC OS X 10.6.7 Apple MAC OS X 10.6.8 Apple MAC OS X 10.7.0 Apple MAC OS X 10.7.1 Apple MAC OS X 10.7.2 Apple MAC OS X 10.7.3 Apple MAC OS X 10.7.4 Apple MAC OS X 10.7.5 Apple MAC OS X 10.8.0 Apple MAC OS X 10.8.1 Apple MAC OS X 10.8.2 Apple MAC OS X 10.8.3 Apple MAC OS X 10.8.4 Apple MAC OS X 10.8.5 Apple MAC OS X 10.9 Apple MAC OS X 10.9.1 Apple MAC OS X 10.9.2 Apple MAC OS X 10.9.3 Apple MAC OS X 10.9.4 Apple MAC OS X 10.9.5 Apple MAC OS X 10.10.4 Apple MAC OS X 10.10.1 Apple MAC OS X 10.10.3 Apple MAC OS X 10.10.2	92

Common Weakness Enumeration (CWE)

CWE-264 - Permissions, Privileges, and Access Controls

Common Attack Pattern Enumeration and Classification (CAPEC)

Accessing, Modifying or Executing Executable Files
An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
Blue Boxing
This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
Restful Privilege Elevation
Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Nessus

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2015-0962-1.NASL
description	The curl tool and libcurl4 library have been updated to fix several security and non-security issues. The following vulnerabilities have been fixed : CVE-2015-3143: Re-using authenticated connection when unauthenticated. (bsc#927556) CVE-2015-3148: Negotiate not treated as connection-oriented. (bsc#927746) CVE-2015-3153: Sensitive HTTP server headers also sent to proxies. (bsc#928533) The following non-security issue has been fixed : git fails to clone from https repository. (bsc#927174) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	83903
published	2015-05-29
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/83903
title	SUSE SLED11 / SLES11 Security Update : curl (SUSE-SU-2015:0962-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2015:0962-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(83903); script_version("2.10"); script_cvs_date("Date: 2019/09/11 11:22:12"); script_cve_id("CVE-2015-3143", "CVE-2015-3148", "CVE-2015-3153"); script_bugtraq_id(74299, 74301, 74408); script_name(english:"SUSE SLED11 / SLES11 Security Update : curl (SUSE-SU-2015:0962-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The curl tool and libcurl4 library have been updated to fix several security and non-security issues. The following vulnerabilities have been fixed : CVE-2015-3143: Re-using authenticated connection when unauthenticated. (bsc#927556) CVE-2015-3148: Negotiate not treated as connection-oriented. (bsc#927746) CVE-2015-3153: Sensitive HTTP server headers also sent to proxies. (bsc#928533) The following non-security issue has been fixed : git fails to clone from https repository. (bsc#927174) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=927174" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=927556" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=927746" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=928533" ); # https://download.suse.com/patch/finder/?keywords=15283cac05d947363283c7ddcb466af0 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?386b8563" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3143/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3148/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3153/" ); # https://www.suse.com/support/update/announcement/2015/suse-su-20150962-1.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0afcc3ad" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 11 SP3 : zypper in -t patch sdksp3-curl=10660 SUSE Linux Enterprise Server 11 SP3 for VMware : zypper in -t patch slessp3-curl=10660 SUSE Linux Enterprise Server 11 SP3 : zypper in -t patch slessp3-curl=10660 SUSE Linux Enterprise Desktop 11 SP3 : zypper in -t patch sledsp3-curl=10660 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libcurl4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/24"); script_set_attribute(attribute:"patch_publication_date", value:"2015/05/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/29"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED11\|SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED11 / SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3", os_ver + " SP" + sp); if (os_ver == "SLED11" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED11 SP3", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"libcurl4-32bit-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"libcurl4-32bit-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"curl-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"libcurl4-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLED11", sp:"3", cpu:"x86_64", reference:"curl-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLED11", sp:"3", cpu:"x86_64", reference:"libcurl4-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLED11", sp:"3", cpu:"x86_64", reference:"libcurl4-32bit-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLED11", sp:"3", cpu:"i586", reference:"curl-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLED11", sp:"3", cpu:"i586", reference:"libcurl4-7.19.7-1.42.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl"); }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2015-2159.NASL
description	Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user
last seen	2020-06-01
modified	2020-06-02
plugin id	86934
published	2015-11-19
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/86934
title	RHEL 7 : curl (RHSA-2015:2159)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2015:2159. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(86934); script_version("2.11"); script_cvs_date("Date: 2019/10/24 15:35:40"); script_cve_id("CVE-2014-3613", "CVE-2014-3707", "CVE-2014-8150", "CVE-2015-3143", "CVE-2015-3148"); script_xref(name:"RHSA", value:"2015:2159"); script_name(english:"RHEL 7 : curl (RHSA-2015:2159)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613) A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707) It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150) It was discovered that libcurl implemented aspects of the NTLM and Negotiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specific way, certain requests to a previously NTLM-authenticated server could appears as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate-authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148) Red Hat would like to thank the cURL project for reporting these issues. Bug fixes : * An out-of-protocol fallback to SSL 3.0 was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSL 3.0 through the libcurl API. (BZ#1154060) * TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can explicitly disable them through the libcurl API. (BZ#1170339) * FTP operations such as downloading files took a significantly long time to complete. Now, the FTP implementation in libcurl correctly sets blocking direction and estimated timeout for connections, resulting in faster FTP transfers. (BZ#1218272) Enhancements : * With the updated packages, it is possible to explicitly enable or disable new Advanced Encryption Standard (AES) cipher suites to be used for the TLS protocol. (BZ#1066065) * The libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on the libcurl multi API. The non-blocking SSL handshake has been implemented in libcurl, and the libcurl multi API now immediately returns the control back to the application whenever it cannot read or write data from or to the underlying network socket. (BZ#1091429) * The libcurl library used an unnecessarily long blocking delay for actions with no active file descriptors, even for short operations. Some actions, such as resolving a host name using /etc/hosts, took a long time to complete. The blocking code in libcurl has been modified so that the initial delay is short and gradually increases until an event occurs. (BZ#1130239) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2015:2159" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2014-3613" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2014-3707" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2014-8150" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-3143" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-3148" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libcurl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libcurl-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/15"); script_set_attribute(attribute:"patch_publication_date", value:"2015/11/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/19"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2015:2159"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"curl-7.29.0-25.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"curl-7.29.0-25.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"curl-debuginfo-7.29.0-25.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"libcurl-7.29.0-25.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"libcurl-devel-7.29.0-25.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / curl-debuginfo / libcurl / libcurl-devel"); } }

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2015-0107.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : - require credentials to match for NTLM re-use (CVE-2015-3143) - close Negotiate connections when done (CVE-2015-3148) - reject CRLFs in URLs passed to proxy (CVE-2014-8150) - use only full matches for hosts used as IP address in cookies (CVE-2014-3613) - fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707) - fix manpage typos found using aspell (#1011101) - fix comments about loading CA certs with NSS in man pages (#1011083) - fix handling of DNS cache timeout while a transfer is in progress (#835898) - eliminate unnecessary inotify events on upload via file protocol (#883002) - use correct socket type in the examples (#997185) - do not crash if MD5 fingerprint is not provided by libssh2 (#1008178) - fix SIGSEGV of curl --retry when network is down (#1009455) - allow to use TLS 1.1 and TLS 1.2 (#1012136) - docs: update the links to cipher-suites supported by NSS (#1104160) - allow to use ECC ciphers if NSS implements them (#1058767) - make curl --trace-time print correct time (#1120196) - let tool call PR_Cleanup on exit if NSPR is used (#1146528) - ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth (#1154747) - allow to enable/disable new AES cipher-suites (#1156422) - include response headers added by proxy in CURLINFO_HEADER_SIZE (#1161163) - disable libcurl-level downgrade to SSLv3 (#1154059) - do not force connection close after failed HEAD request (#1168137) - fix occasional SIGSEGV during SSL handshake (#1168668) - fix a connection failure when FTPS handle is reused (#1154663) - fix re-use of wrong HTTP NTLM connection (CVE-2014-0015) - fix connection re-use when using different log-in credentials (CVE-2014-0138) - fix authentication failure when server offers multiple auth options (#799557) - refresh expired cookie in test172 from upstream test-suite (#1069271) - fix a memory leak caused by write after close (#1078562) - nss: implement non-blocking SSL handshake (#1083742)
last seen	2020-06-01
modified	2020-06-02
plugin id	85148
published	2015-07-31
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/85148
title	OracleVM 3.3 : curl (OVMSA-2015-0107)
code	# # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2015-0107. # include("compat.inc"); if (description) { script_id(85148); script_version("2.4"); script_cvs_date("Date: 2019/09/27 13:00:34"); script_cve_id("CVE-2014-0015", "CVE-2014-0138", "CVE-2014-3613", "CVE-2014-3707", "CVE-2014-8150", "CVE-2015-3143", "CVE-2015-3148"); script_bugtraq_id(65270, 66457, 69748, 70988, 71964, 74299, 74301); script_name(english:"OracleVM 3.3 : curl (OVMSA-2015-0107)"); script_summary(english:"Checks the RPM output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : - require credentials to match for NTLM re-use (CVE-2015-3143) - close Negotiate connections when done (CVE-2015-3148) - reject CRLFs in URLs passed to proxy (CVE-2014-8150) - use only full matches for hosts used as IP address in cookies (CVE-2014-3613) - fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707) - fix manpage typos found using aspell (#1011101) - fix comments about loading CA certs with NSS in man pages (#1011083) - fix handling of DNS cache timeout while a transfer is in progress (#835898) - eliminate unnecessary inotify events on upload via file protocol (#883002) - use correct socket type in the examples (#997185) - do not crash if MD5 fingerprint is not provided by libssh2 (#1008178) - fix SIGSEGV of curl --retry when network is down (#1009455) - allow to use TLS 1.1 and TLS 1.2 (#1012136) - docs: update the links to cipher-suites supported by NSS (#1104160) - allow to use ECC ciphers if NSS implements them (#1058767) - make curl --trace-time print correct time (#1120196) - let tool call PR_Cleanup on exit if NSPR is used (#1146528) - ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth (#1154747) - allow to enable/disable new AES cipher-suites (#1156422) - include response headers added by proxy in CURLINFO_HEADER_SIZE (#1161163) - disable libcurl-level downgrade to SSLv3 (#1154059) - do not force connection close after failed HEAD request (#1168137) - fix occasional SIGSEGV during SSL handshake (#1168668) - fix a connection failure when FTPS handle is reused (#1154663) - fix re-use of wrong HTTP NTLM connection (CVE-2014-0015) - fix connection re-use when using different log-in credentials (CVE-2014-0138) - fix authentication failure when server offers multiple auth options (#799557) - refresh expired cookie in test172 from upstream test-suite (#1069271) - fix a memory leak caused by write after close (#1078562) - nss: implement non-blocking SSL handshake (#1083742)" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/oraclevm-errata/2015-July/000355.html" ); script_set_attribute( attribute:"solution", value:"Update the affected curl / libcurl packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:libcurl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.3"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/01"); script_set_attribute(attribute:"patch_publication_date", value:"2015/07/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/31"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) \|\| "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "3\.3" + "(\.[0-9]\|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.3", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"OVS3.3", reference:"curl-7.19.7-46.el6")) flag++; if (rpm_check(release:"OVS3.3", reference:"libcurl-7.19.7-46.el6")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / libcurl"); }

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-211.NASL
description	Several vulnerabilities were discovered in cURL, an URL transfer library : CVE-2015-3143 NTLM-authenticated connections could be wrongly reused for requests without any credentials set, leading to HTTP requests being sent over the connection authenticated as a different user. This is similar to the issue fixed in DSA-2849-1. CVE-2015-3148 When doing HTTP requests using the Negotiate authentication method along with NTLM, the connection used would not be marked as authenticated, making it possible to reuse it and send requests for one user over the connection authenticated as a different user. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-17
modified	2015-04-30
plugin id	83143
published	2015-04-30
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/83143
title	Debian DLA-211-1 : curl security update
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-211-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(83143); script_version("2.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2015-3143", "CVE-2015-3148"); script_bugtraq_id(74299, 74301); script_name(english:"Debian DLA-211-1 : curl security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were discovered in cURL, an URL transfer library : CVE-2015-3143 NTLM-authenticated connections could be wrongly reused for requests without any credentials set, leading to HTTP requests being sent over the connection authenticated as a different user. This is similar to the issue fixed in DSA-2849-1. CVE-2015-3148 When doing HTTP requests using the Negotiate authentication method along with NTLM, the connection used would not be marked as authenticated, making it possible to reuse it and send requests for one user over the connection authenticated as a different user. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2015/04/msg00024.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze-lts/curl" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl3-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl3-gnutls"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-openssl-dev"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"6.0", prefix:"curl", reference:"7.21.0-2.1+squeeze12")) flag++; if (deb_check(release:"6.0", prefix:"libcurl3", reference:"7.21.0-2.1+squeeze12")) flag++; if (deb_check(release:"6.0", prefix:"libcurl3-dbg", reference:"7.21.0-2.1+squeeze12")) flag++; if (deb_check(release:"6.0", prefix:"libcurl3-gnutls", reference:"7.21.0-2.1+squeeze12")) flag++; if (deb_check(release:"6.0", prefix:"libcurl4-gnutls-dev", reference:"7.21.0-2.1+squeeze12")) flag++; if (deb_check(release:"6.0", prefix:"libcurl4-openssl-dev", reference:"7.21.0-2.1+squeeze12")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-3232.NASL
description	Several vulnerabilities were discovered in cURL, an URL transfer library : - CVE-2015-3143 NTLM-authenticated connections could be wrongly reused for requests without any credentials set, leading to HTTP requests being sent over the connection authenticated as a different user. This is similar to the issue fixed in DSA-2849-1. - CVE-2015-3144 When parsing URLs with a zero-length hostname (such as
last seen	2020-06-01
modified	2020-06-02
plugin id	83003
published	2015-04-23
reporter	This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/83003
title	Debian DSA-3232-1 : curl - security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3232. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(83003); script_version("1.7"); script_cvs_date("Date: 2018/11/10 11:49:37"); script_cve_id("CVE-2015-3143", "CVE-2015-3144", "CVE-2015-3145", "CVE-2015-3148"); script_xref(name:"DSA", value:"3232"); script_name(english:"Debian DSA-3232-1 : curl - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were discovered in cURL, an URL transfer library : - CVE-2015-3143 NTLM-authenticated connections could be wrongly reused for requests without any credentials set, leading to HTTP requests being sent over the connection authenticated as a different user. This is similar to the issue fixed in DSA-2849-1. - CVE-2015-3144 When parsing URLs with a zero-length hostname (such as 'http://:80'), libcurl would try to read from an invalid memory address. This could allow remote attackers to cause a denial of service (crash). This issue only affects the upcoming stable (jessie) and unstable (sid) distributions. - CVE-2015-3145 When parsing HTTP cookies, if the parsed cookie's 'path' element consists of a single double-quote, libcurl would try to write to an invalid heap memory address. This could allow remote attackers to cause a denial of service (crash). This issue only affects the upcoming stable (jessie) and unstable (sid) distributions. - CVE-2015-3148 When doing HTTP requests using the Negotiate authentication method along with NTLM, the connection used would not be marked as authenticated, making it possible to reuse it and send requests for one user over the connection authenticated as a different user." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2015-3143" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2015-3144" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2015-3145" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2015-3148" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/curl" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2015/dsa-3232" ); script_set_attribute( attribute:"solution", value: "Upgrade the curl packages. For the stable distribution (wheezy), these problems have been fixed in version 7.26.0-1+wheezy13. For the upcoming stable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:curl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"curl", reference:"7.26.0-1+wheezy13")) flag++; if (deb_check(release:"7.0", prefix:"libcurl3", reference:"7.26.0-1+wheezy13")) flag++; if (deb_check(release:"7.0", prefix:"libcurl3-dbg", reference:"7.26.0-1+wheezy13")) flag++; if (deb_check(release:"7.0", prefix:"libcurl3-gnutls", reference:"7.26.0-1+wheezy13")) flag++; if (deb_check(release:"7.0", prefix:"libcurl3-nss", reference:"7.26.0-1+wheezy13")) flag++; if (deb_check(release:"7.0", prefix:"libcurl4-gnutls-dev", reference:"7.26.0-1+wheezy13")) flag++; if (deb_check(release:"7.0", prefix:"libcurl4-nss-dev", reference:"7.26.0-1+wheezy13")) flag++; if (deb_check(release:"7.0", prefix:"libcurl4-openssl-dev", reference:"7.26.0-1+wheezy13")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2015-336.NASL
description	curl was updated to fix four security issues. The following vulnerabilities were fixed : - CVE-2015-3143: curl could re-use NTML authenticateds connections - CVE-2015-3144: curl could access memory out of bounds with zero length host names - CVE-2015-3145: curl cookie parser could access memory out of boundary - CVE-2015-3148: curl could treat Negotiate as not connection-oriented
last seen	2020-06-05
modified	2015-04-30
plugin id	83159
published	2015-04-30
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/83159
title	openSUSE Security Update : curl (openSUSE-2015-336)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2015-336. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(83159); script_version("2.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-3143", "CVE-2015-3144", "CVE-2015-3145", "CVE-2015-3148"); script_name(english:"openSUSE Security Update : curl (openSUSE-2015-336)"); script_summary(english:"Check for the openSUSE-2015-336 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "curl was updated to fix four security issues. The following vulnerabilities were fixed : - CVE-2015-3143: curl could re-use NTML authenticateds connections - CVE-2015-3144: curl could access memory out of bounds with zero length host names - CVE-2015-3145: curl cookie parser could access memory out of boundary - CVE-2015-3148: curl could treat Negotiate as not connection-oriented" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=927556" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=927607" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=927608" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=927746" ); script_set_attribute(attribute:"solution", value:"Update the affected curl packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE13\.1\|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586\|i686\|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE13.1", reference:"curl-7.42.0-2.38.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"curl-debuginfo-7.42.0-2.38.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"curl-debugsource-7.42.0-2.38.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libcurl-devel-7.42.0-2.38.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libcurl4-7.42.0-2.38.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libcurl4-debuginfo-7.42.0-2.38.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libcurl4-32bit-7.42.0-2.38.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libcurl4-debuginfo-32bit-7.42.0-2.38.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"curl-7.42.0-7.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"curl-debuginfo-7.42.0-7.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"curl-debugsource-7.42.0-7.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"libcurl-devel-7.42.0-7.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"libcurl4-7.42.0-7.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"libcurl4-debuginfo-7.42.0-7.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libcurl4-32bit-7.42.0-7.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libcurl4-debuginfo-32bit-7.42.0-7.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / curl-debuginfo / curl-debugsource / libcurl-devel / etc"); }

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-2591-1.NASL
description	Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP credentials when subsequently connecting to the same host over HTTP. (CVE-2015-3143) Hanno Bock discovered that curl incorrectly handled zero-length host names. If a user or automated system were tricked into using a specially crafted host name, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3144) Hanno Bock discovered that curl incorrectly handled cookie path elements. If a user or automated system were tricked into parsing a specially crafted cookie, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3145) Isaac Boukris discovered that when using Negotiate authenticated connections, curl could incorrectly authenticate the entire connection and not just specific HTTP requests. (CVE-2015-3148) Yehezkel Horowitz and Oren Souroujon discovered that curl sent HTTP headers both to servers and proxies by default, contrary to expectations. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3153). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	83182
published	2015-05-01
reporter	Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/83182
title	Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : curl vulnerabilities (USN-2591-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2591-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(83182); script_version("2.10"); script_cvs_date("Date: 2019/09/18 12:31:44"); script_cve_id("CVE-2015-3143", "CVE-2015-3144", "CVE-2015-3145", "CVE-2015-3148", "CVE-2015-3153"); script_xref(name:"USN", value:"2591-1"); script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : curl vulnerabilities (USN-2591-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP credentials when subsequently connecting to the same host over HTTP. (CVE-2015-3143) Hanno Bock discovered that curl incorrectly handled zero-length host names. If a user or automated system were tricked into using a specially crafted host name, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3144) Hanno Bock discovered that curl incorrectly handled cookie path elements. If a user or automated system were tricked into parsing a specially crafted cookie, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3145) Isaac Boukris discovered that when using Negotiate authenticated connections, curl could incorrectly authenticate the entire connection and not just specific HTTP requests. (CVE-2015-3148) Yehezkel Horowitz and Oren Souroujon discovered that curl sent HTTP headers both to servers and proxies by default, contrary to expectations. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3153). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2591-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected libcurl3, libcurl3-gnutls and / or libcurl3-nss packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3-gnutls"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3-nss"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/24"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04\|14\.04\|14\.10\|15\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 14.10 / 15.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"libcurl3", pkgver:"7.22.0-3ubuntu4.14")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"libcurl3-gnutls", pkgver:"7.22.0-3ubuntu4.14")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"libcurl3-nss", pkgver:"7.22.0-3ubuntu4.14")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"libcurl3", pkgver:"7.35.0-1ubuntu2.5")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"libcurl3-gnutls", pkgver:"7.35.0-1ubuntu2.5")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"libcurl3-nss", pkgver:"7.35.0-1ubuntu2.5")) flag++; if (ubuntu_check(osver:"14.10", pkgname:"libcurl3", pkgver:"7.37.1-1ubuntu3.4")) flag++; if (ubuntu_check(osver:"14.10", pkgname:"libcurl3-gnutls", pkgver:"7.37.1-1ubuntu3.4")) flag++; if (ubuntu_check(osver:"14.10", pkgname:"libcurl3-nss", pkgver:"7.37.1-1ubuntu3.4")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"libcurl3", pkgver:"7.38.0-3ubuntu2.2")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"libcurl3-gnutls", pkgver:"7.38.0-3ubuntu2.2")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"libcurl3-nss", pkgver:"7.38.0-3ubuntu2.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libcurl3 / libcurl3-gnutls / libcurl3-nss"); }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2015-1254.NASL
description	Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user
last seen	2020-06-01
modified	2020-06-02
plugin id	84912
published	2015-07-22
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/84912
title	RHEL 6 : curl (RHSA-2015:1254)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2015:1254. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(84912); script_version("2.11"); script_cvs_date("Date: 2019/10/24 15:35:40"); script_cve_id("CVE-2014-3613", "CVE-2014-3707", "CVE-2014-8150", "CVE-2015-3143", "CVE-2015-3148"); script_bugtraq_id(69748, 70988, 71964, 74299, 74301); script_xref(name:"RHSA", value:"2015:1254"); script_name(english:"RHEL 6 : curl (RHSA-2015:1254)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613) A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707) It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl to access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150) It was discovered that libcurl implemented aspects of the NTLM and Negotiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specific way, certain requests to a previously NTLM-authenticated server could appears as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate-authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148) Red Hat would like to thank the cURL project for reporting these issues. Bug fixes : * An out-of-protocol fallback to SSL version 3.0 (SSLv3.0) was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSLv3.0 through the libcurl API. (BZ#1154059) * A single upload transfer through the FILE protocol opened the destination file twice. If the inotify kernel subsystem monitored the file, two events were produced unnecessarily. The file is now opened only once per upload. (BZ#883002) * Utilities using libcurl for SCP/SFTP transfers could terminate unexpectedly when the system was running in FIPS mode. (BZ#1008178) * Using the '--retry' option with the curl utility could cause curl to terminate unexpectedly with a segmentation fault. Now, adding '--retry' no longer causes curl to crash. (BZ#1009455) * The 'curl --trace-time' command did not use the correct local time when printing timestamps. Now, 'curl --trace-time' works as expected. (BZ#1120196) * The valgrind utility could report dynamically allocated memory leaks on curl exit. Now, curl performs a global shutdown of the NetScape Portable Runtime (NSPR) library on exit, and valgrind no longer reports the memory leaks. (BZ#1146528) * Previously, libcurl returned an incorrect value of the CURLINFO_HEADER_SIZE field when a proxy server appended its own headers to the HTTP response. Now, the returned value is valid. (BZ#1161163) Enhancements : * The '--tlsv1.0', '--tlsv1.1', and '--tlsv1.2' options are available for specifying the minor version of the TLS protocol to be negotiated by NSS. The '--tlsv1' option now negotiates the highest version of the TLS protocol supported by both the client and the server. (BZ#1012136) * It is now possible to explicitly enable or disable the ECC and the new AES cipher suites to be used for TLS. (BZ#1058767, BZ#1156422) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2015:1254" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-3143" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2014-3707" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2014-3613" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2014-8150" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-3148" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libcurl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libcurl-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/15"); script_set_attribute(attribute:"patch_publication_date", value:"2015/07/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2015:1254"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"curl-7.19.7-46.el6")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"curl-7.19.7-46.el6")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"curl-7.19.7-46.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"curl-debuginfo-7.19.7-46.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"libcurl-7.19.7-46.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"libcurl-devel-7.19.7-46.el6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / curl-debuginfo / libcurl / libcurl-devel"); } }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2015-6695.NASL
description	- require credentials to match for NTLM re-use (CVE-2015-3143) - fix invalid write with a zero-length host name in URL (CVE-2015-3144) - fix invalid write in cookie path sanitization code (CVE-2015-3145) - close Negotiate connections when done (CVE-2015-3148) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2015-04-27
plugin id	83078
published	2015-04-27
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/83078
title	Fedora 22 : curl-7.40.0-3.fc22 (2015-6695)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2015-1254.NASL
description	From Red Hat Security Advisory 2015:1254 : Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user
last seen	2020-06-01
modified	2020-06-02
plugin id	85096
published	2015-07-30
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/85096
title	Oracle Linux 6 : curl (ELSA-2015-1254)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2015-6853.NASL
description	Update to 7.42.0 which fixes various CVE
last seen	2020-06-05
modified	2015-05-05
plugin id	83237
published	2015-05-05
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/83237
title	Fedora 21 : mingw-curl-7.42.0-1.fc21 (2015-6853)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_6294F75F03F211E5AAB1D050996490D0.NASL
description	cURL reports : libcurl keeps a pool of its last few connections around after use to facilitate easy, convenient, and completely transparent connection re-use for applications. When doing HTTP requests NTLM authenticated, the entire connection becomes authenticated and not just the specific HTTP request which is otherwise how HTTP works. This makes NTLM special and a subject for special treatment in the code. With NTLM, once the connection is authenticated, no further authentication is necessary until the connection gets closed. When doing HTTP requests Negotiate authenticated, the entire connection may become authenticated and not just the specific HTTP request which is otherwise how HTTP works, as Negotiate can basically use NTLM under the hood. curl was not adhering to this fact but would assume that such requests would also be authenticated per request. libcurl supports HTTP
last seen	2020-06-01
modified	2020-06-02
plugin id	83842
published	2015-05-27
reporter	This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/83842
title	FreeBSD : cURL -- multiple vulnerabilities (6294f75f-03f2-11e5-aab1-d050996490d0)

NASL family	Slackware Local Security Checks
NASL id	SLACKWARE_SSA_2015-302-01.NASL
description	New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	86662
published	2015-10-30
reporter	This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/86662
title	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : curl (SSA:2015-302-01)

NASL family	MacOS X Local Security Checks
NASL id	MACOSX_10_10_5.NASL
description	The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple ID OD Plug-in - AppleGraphicsControl - Bluetooth - bootp - CloudKit - CoreMedia Playback - CoreText - curl - Data Detectors Engine - Date & Time pref pane - Dictionary Application - DiskImages - dyld - FontParser - groff - ImageIO - Install Framework Legacy - IOFireWireFamily - IOGraphics - IOHIDFamily - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - mail_cmds - Notification Center OSX - ntfs - OpenSSH - OpenSSL - perl - PostgreSQL - python - QL Office - Quartz Composer Framework - Quick Look - QuickTime 7 - SceneKit - Security - SMBClient - Speech UI - sudo - tcpdump - Text Formats - udf Note that successful exploitation of the most serious issues can result in arbitrary code execution.
last seen	2020-06-01
modified	2020-06-02
plugin id	85408
published	2015-08-17
reporter	This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/85408
title	Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2015-219.NASL
description	Updated curl packages fix security vulnerabilities : NTLM-authenticated connections could be wrongly reused for requests without any credentials set, leading to HTTP requests being sent over the connection authenticated as a different user (CVE-2015-3143). When parsing HTTP cookies, if the parsed cookie
last seen	2020-06-01
modified	2020-06-02
plugin id	83243
published	2015-05-05
reporter	This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/83243
title	Mandriva Linux Security Advisory : curl (MDVSA-2015:219)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2015-1254.NASL
description	Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user
last seen	2020-06-01
modified	2020-06-02
plugin id	85009
published	2015-07-28
reporter	This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/85009
title	CentOS 6 : curl (CESA-2015:1254)

NASL family	Web Servers
NASL id	HPSMH_7_2_6.NASL
description	According to the web server
last seen	2020-06-01
modified	2020-06-02
plugin id	90251
published	2016-03-29
reporter	This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/90251
title	HP System Management Homepage < 7.2.6 Multiple Vulnerabilities (FREAK)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2015-0990-1.NASL
description	curl was updated to fix five security issues. The following vulnerabilities were fixed : - CVE-2015-3143: curl could re-use NTML authenticateds connections - CVE-2015-3144: curl could access memory out of bounds with zero length host names - CVE-2015-3145: curl cookie parser could access memory out of boundary - CVE-2015-3148: curl could treat Negotiate as not connection-oriented - CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	83988
published	2015-06-04
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/83988
title	SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2015:0990-1)

NASL family	Web Servers
NASL id	HPSMH_7_5_4.NASL
description	According to the web server
last seen	2020-06-01
modified	2020-06-02
plugin id	90150
published	2016-03-24
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90150
title	HP System Management Homepage < 7.5.4 Multiple Vulnerabilities (Logjam)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20150722_CURL_ON_SL6_X.NASL
description	It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user
last seen	2020-03-18
modified	2015-08-04
plugin id	85191
published	2015-08-04
reporter	This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/85191
title	Scientific Linux Security Update : curl on SL6.x i386/x86_64 (20150722)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2015-6864.NASL
description	Update to 7.42.0 which fixes various CVE
last seen	2020-06-05
modified	2015-05-04
plugin id	83212
published	2015-05-04
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/83212
title	Fedora 22 : mingw-curl-7.42.0-1.fc22 (2015-6864)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201509-02.NASL
description	The remote host is affected by the vulnerability described in GLSA-201509-02 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly obtain sensitive information, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	86133
published	2015-09-25
reporter	This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/86133
title	GLSA-201509-02 : cURL: Multiple vulnerabilities

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20151119_CURL_ON_SL7_X.NASL
description	It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user
last seen	2020-03-18
modified	2015-12-22
plugin id	87554
published	2015-12-22
reporter	This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87554
title	Scientific Linux Security Update : curl on SL7.x x86_64 (20151119)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2015-6728.NASL
description	- require credentials to match for NTLM re-use (CVE-2015-3143) - fix invalid write with a zero-length host name in URL (CVE-2015-3144) - fix invalid write in cookie path sanitization code (CVE-2015-3145) - close Negotiate connections when done (CVE-2015-3148) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2015-05-04
plugin id	83208
published	2015-05-04
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/83208
title	Fedora 21 : curl-7.37.0-14.fc21 (2015-6728)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2015-2159.NASL
description	Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user
last seen	2020-06-01
modified	2020-06-02
plugin id	87138
published	2015-12-02
reporter	This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87138
title	CentOS 7 : curl (CESA-2015:2159)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2015-6712.NASL
description	- require credentials to match for NTLM re-use (CVE-2015-3143) - fix invalid write in cookie path sanitization code (CVE-2015-3145) - close Negotiate connections when done (CVE-2015-3148) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2015-04-29
plugin id	83128
published	2015-04-29
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/83128
title	Fedora 20 : curl-7.32.0-20.fc20 (2015-6712)

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2015-220.NASL
description	Updated curl packages fix security vulnerabilities : NTLM-authenticated connections could be wrongly reused for requests without any credentials set, leading to HTTP requests being sent over the connection authenticated as a different user (CVE-2015-3143). When doing HTTP requests using the Negotiate authentication method along with NTLM, the connection used would not be marked as authenticated, making it possible to reuse it and send requests for one user over the connection authenticated as a different user (CVE-2015-3148).
last seen	2020-06-01
modified	2020-06-02
plugin id	83244
published	2015-05-05
reporter	This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/83244
title	Mandriva Linux Security Advisory : curl (MDVSA-2015:220)

NASL family	Amazon Linux Local Security Checks
NASL id	ALA_ALAS-2015-514.NASL
description	It was discovered that libcurl could incorrectly reuse NTLM-authenticated connections for subsequent unauthenticated requests to the same host. If an application using libcurl established an NTLM-authenticated connection to a server, and sent subsequent unauthenticed requests to the same server, the unauthenticated requests could be sent over the NTLM-authenticated connection, appearing as if they were sent by the NTLM authenticated user. (CVE-2015-3143) It was discovered that libcurl could incorrectly reuse Negotiate authenticated HTTP connections for subsequent requests. If an application using libcurl established a Negotiate authenticated HTTP connection to a server and sent subsequent requests with different credentials, the connection could be re-used with the initial set of credentials instead of using the new ones. (CVE-2015-3148) It was discovered that libcurl did not properly process cookies with a specially crafted
last seen	2020-06-01
modified	2020-06-02
plugin id	83057
published	2015-04-27
reporter	This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/83057
title	Amazon Linux AMI : curl (ALAS-2015-514)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1550.NASL
description	According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content..(CVE-2018-1000301) - It was found that the libcurl library did not check the client certificate when choosing the TLS connection to reuse. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.(CVE-2016-5420) - It was discovered that libcurl could incorrectly reuse NTLM-authenticated connections for subsequent unauthenticated requests to the same host. If an application using libcurl established an NTLM-authenticated connection to a server, and sent subsequent unauthenticated requests to the same server, the unauthenticated requests could be sent over the NTLM-authenticated connection, appearing as if they were sent by the NTLM authenticated user.(CVE-2015-3143) - libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit 415d2e7cb7(https://github.com/curl/curl/commit/415d2e7c b7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.(CVE-2017-1000254) - It was discovered that libcurl could incorrectly reuse Negotiate authenticated HTTP connections for subsequent requests. If an application using libcurl established a Negotiate authenticated HTTP connection to a server and sent subsequent requests with different credentials, the connection could be re-used with the initial set of credentials instead of using the new ones.(CVE-2015-3148) - Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a
last seen	2020-06-01
modified	2020-06-02
plugin id	125003
published	2019-05-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125003
title	EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1550)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2015-2159.NASL
description	From Red Hat Security Advisory 2015:2159 : Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user
last seen	2020-06-01
modified	2020-06-02
plugin id	87028
published	2015-11-24
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87028
title	Oracle Linux 7 : curl (ELSA-2015-2159)

NASL family	F5 Networks Local Security Checks
NASL id	F5_BIGIP_SOL16704.NASL
description	cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015. (CVE-2015-3143)
last seen	2020-06-01
modified	2020-06-02
plugin id	99203
published	2017-04-06
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/99203
title	F5 Networks BIG-IP : cURL and libcurl vulnerability (K16704)

Redhat

advisories

rhsa

id	RHSA-2015:1254

rpms

curl-0:7.19.7-46.el6
curl-debuginfo-0:7.19.7-46.el6
libcurl-0:7.19.7-46.el6
libcurl-devel-0:7.19.7-46.el6
curl-0:7.29.0-25.el7
curl-debuginfo-0:7.29.0-25.el7
libcurl-0:7.29.0-25.el7
libcurl-devel-0:7.29.0-25.el7

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

References