Vulnerabilities > CVE-2015-3153 - Information Exposure vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0962-1.NASL description The curl tool and libcurl4 library have been updated to fix several security and non-security issues. The following vulnerabilities have been fixed : CVE-2015-3143: Re-using authenticated connection when unauthenticated. (bsc#927556) CVE-2015-3148: Negotiate not treated as connection-oriented. (bsc#927746) CVE-2015-3153: Sensitive HTTP server headers also sent to proxies. (bsc#928533) The following non-security issue has been fixed : git fails to clone from https repository. (bsc#927174) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 83903 published 2015-05-29 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83903 title SUSE SLED11 / SLES11 Security Update : curl (SUSE-SU-2015:0962-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2015:0962-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(83903); script_version("2.10"); script_cvs_date("Date: 2019/09/11 11:22:12"); script_cve_id("CVE-2015-3143", "CVE-2015-3148", "CVE-2015-3153"); script_bugtraq_id(74299, 74301, 74408); script_name(english:"SUSE SLED11 / SLES11 Security Update : curl (SUSE-SU-2015:0962-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The curl tool and libcurl4 library have been updated to fix several security and non-security issues. The following vulnerabilities have been fixed : CVE-2015-3143: Re-using authenticated connection when unauthenticated. (bsc#927556) CVE-2015-3148: Negotiate not treated as connection-oriented. (bsc#927746) CVE-2015-3153: Sensitive HTTP server headers also sent to proxies. (bsc#928533) The following non-security issue has been fixed : git fails to clone from https repository. (bsc#927174) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=927174" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=927556" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=927746" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=928533" ); # https://download.suse.com/patch/finder/?keywords=15283cac05d947363283c7ddcb466af0 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?386b8563" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3143/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3148/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3153/" ); # https://www.suse.com/support/update/announcement/2015/suse-su-20150962-1.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0afcc3ad" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 11 SP3 : zypper in -t patch sdksp3-curl=10660 SUSE Linux Enterprise Server 11 SP3 for VMware : zypper in -t patch slessp3-curl=10660 SUSE Linux Enterprise Server 11 SP3 : zypper in -t patch slessp3-curl=10660 SUSE Linux Enterprise Desktop 11 SP3 : zypper in -t patch sledsp3-curl=10660 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libcurl4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/24"); script_set_attribute(attribute:"patch_publication_date", value:"2015/05/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/29"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED11|SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED11 / SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3", os_ver + " SP" + sp); if (os_ver == "SLED11" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED11 SP3", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"libcurl4-32bit-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"libcurl4-32bit-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"curl-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"libcurl4-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLED11", sp:"3", cpu:"x86_64", reference:"curl-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLED11", sp:"3", cpu:"x86_64", reference:"libcurl4-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLED11", sp:"3", cpu:"x86_64", reference:"libcurl4-32bit-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLED11", sp:"3", cpu:"i586", reference:"curl-7.19.7-1.42.1")) flag++; if (rpm_check(release:"SLED11", sp:"3", cpu:"i586", reference:"libcurl4-7.19.7-1.42.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2591-1.NASL description Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP credentials when subsequently connecting to the same host over HTTP. (CVE-2015-3143) Hanno Bock discovered that curl incorrectly handled zero-length host names. If a user or automated system were tricked into using a specially crafted host name, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3144) Hanno Bock discovered that curl incorrectly handled cookie path elements. If a user or automated system were tricked into parsing a specially crafted cookie, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3145) Isaac Boukris discovered that when using Negotiate authenticated connections, curl could incorrectly authenticate the entire connection and not just specific HTTP requests. (CVE-2015-3148) Yehezkel Horowitz and Oren Souroujon discovered that curl sent HTTP headers both to servers and proxies by default, contrary to expectations. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3153). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 83182 published 2015-05-01 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83182 title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : curl vulnerabilities (USN-2591-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2591-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(83182); script_version("2.10"); script_cvs_date("Date: 2019/09/18 12:31:44"); script_cve_id("CVE-2015-3143", "CVE-2015-3144", "CVE-2015-3145", "CVE-2015-3148", "CVE-2015-3153"); script_xref(name:"USN", value:"2591-1"); script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : curl vulnerabilities (USN-2591-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP credentials when subsequently connecting to the same host over HTTP. (CVE-2015-3143) Hanno Bock discovered that curl incorrectly handled zero-length host names. If a user or automated system were tricked into using a specially crafted host name, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3144) Hanno Bock discovered that curl incorrectly handled cookie path elements. If a user or automated system were tricked into parsing a specially crafted cookie, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3145) Isaac Boukris discovered that when using Negotiate authenticated connections, curl could incorrectly authenticate the entire connection and not just specific HTTP requests. (CVE-2015-3148) Yehezkel Horowitz and Oren Souroujon discovered that curl sent HTTP headers both to servers and proxies by default, contrary to expectations. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3153). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2591-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected libcurl3, libcurl3-gnutls and / or libcurl3-nss packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3-gnutls"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3-nss"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/24"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04|14\.04|14\.10|15\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 14.10 / 15.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"libcurl3", pkgver:"7.22.0-3ubuntu4.14")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"libcurl3-gnutls", pkgver:"7.22.0-3ubuntu4.14")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"libcurl3-nss", pkgver:"7.22.0-3ubuntu4.14")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"libcurl3", pkgver:"7.35.0-1ubuntu2.5")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"libcurl3-gnutls", pkgver:"7.35.0-1ubuntu2.5")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"libcurl3-nss", pkgver:"7.35.0-1ubuntu2.5")) flag++; if (ubuntu_check(osver:"14.10", pkgname:"libcurl3", pkgver:"7.37.1-1ubuntu3.4")) flag++; if (ubuntu_check(osver:"14.10", pkgname:"libcurl3-gnutls", pkgver:"7.37.1-1ubuntu3.4")) flag++; if (ubuntu_check(osver:"14.10", pkgname:"libcurl3-nss", pkgver:"7.37.1-1ubuntu3.4")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"libcurl3", pkgver:"7.38.0-3ubuntu2.2")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"libcurl3-gnutls", pkgver:"7.38.0-3ubuntu2.2")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"libcurl3-nss", pkgver:"7.38.0-3ubuntu2.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libcurl3 / libcurl3-gnutls / libcurl3-nss"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-356.NASL description curl was updated to 7.42.1 to fix one security issue. The following vulnerability was fixed : - CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies (bnc#928533) last seen 2020-06-05 modified 2015-05-13 plugin id 83395 published 2015-05-13 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83395 title openSUSE Security Update : curl (openSUSE-2015-356) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2015-356. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(83395); script_version("2.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-3153"); script_name(english:"openSUSE Security Update : curl (openSUSE-2015-356)"); script_summary(english:"Check for the openSUSE-2015-356 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "curl was updated to 7.42.1 to fix one security issue. The following vulnerability was fixed : - CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies (bnc#928533)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=928533" ); script_set_attribute(attribute:"solution", value:"Update the affected curl packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl-devel-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE13.1", reference:"curl-7.42.1-2.42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"curl-debuginfo-7.42.1-2.42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"curl-debugsource-7.42.1-2.42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libcurl-devel-7.42.1-2.42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libcurl4-7.42.1-2.42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libcurl4-debuginfo-7.42.1-2.42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libcurl-devel-32bit-7.42.1-2.42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libcurl4-32bit-7.42.1-2.42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libcurl4-debuginfo-32bit-7.42.1-2.42.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"curl-7.42.1-11.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"curl-debuginfo-7.42.1-11.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"curl-debugsource-7.42.1-11.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"libcurl-devel-7.42.1-11.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"libcurl4-7.42.1-11.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"libcurl4-debuginfo-7.42.1-11.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libcurl-devel-32bit-7.42.1-11.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libcurl4-32bit-7.42.1-11.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libcurl4-debuginfo-32bit-7.42.1-11.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / curl-debuginfo / curl-debugsource / libcurl-devel-32bit / etc"); }NASL family MacOS X Local Security Checks NASL id MACOSX_10_10_5.NASL description The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple ID OD Plug-in - AppleGraphicsControl - Bluetooth - bootp - CloudKit - CoreMedia Playback - CoreText - curl - Data Detectors Engine - Date & Time pref pane - Dictionary Application - DiskImages - dyld - FontParser - groff - ImageIO - Install Framework Legacy - IOFireWireFamily - IOGraphics - IOHIDFamily - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - mail_cmds - Notification Center OSX - ntfs - OpenSSH - OpenSSL - perl - PostgreSQL - python - QL Office - Quartz Composer Framework - Quick Look - QuickTime 7 - SceneKit - Security - SMBClient - Speech UI - sudo - tcpdump - Text Formats - udf Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 85408 published 2015-08-17 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85408 title Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2410.NASL description According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.(CVE-2015-3153) - curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.(CVE-2016-8625) - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.(CVE-2019-5482) - Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.(CVE-2018-16842) - The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.(CVE-2016-0755) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-12-10 plugin id 131902 published 2019-12-10 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131902 title EulerOS 2.0 SP2 : curl (EulerOS-SA-2019-2410) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0990-1.NASL description curl was updated to fix five security issues. The following vulnerabilities were fixed : - CVE-2015-3143: curl could re-use NTML authenticateds connections - CVE-2015-3144: curl could access memory out of bounds with zero length host names - CVE-2015-3145: curl cookie parser could access memory out of boundary - CVE-2015-3148: curl could treat Negotiate as not connection-oriented - CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 83988 published 2015-06-04 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83988 title SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2015:0990-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3240.NASL description It was discovered that cURL, an URL transfer library, if configured to use a proxy server with the HTTPS protocol, by default could send to the proxy the same HTTP headers it sends to the destination server, possibly leaking sensitive information. last seen 2020-06-01 modified 2020-06-02 plugin id 83146 published 2015-04-30 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83146 title Debian DSA-3240-1 : curl - security update NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_27F742F603F411E5AAB1D050996490D0.NASL description cURL reports : libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPT_HTTPHEADER. A similar option is available for the curl command-line tool with the last seen 2020-06-01 modified 2020-06-02 plugin id 83841 published 2015-05-27 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83841 title FreeBSD : cURL -- sensitive HTTP server headers also sent to proxies (27f742f6-03f4-11e5-aab1-d050996490d0) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2566.NASL description According to the version of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.(CVE-2015-3153) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-12-19 plugin id 132283 published 2019-12-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132283 title EulerOS 2.0 SP3 : curl (EulerOS-SA-2019-2566)
References
- http://curl.haxx.se/docs/adv_20150429.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2015-05/msg00017.html
- http://www.debian.org/security/2015/dsa-3240
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- http://www.securityfocus.com/bid/74408
- http://www.securitytracker.com/id/1032233
- http://www.ubuntu.com/usn/USN-2591-1
- https://kc.mcafee.com/corporate/index?page=content&id=SB10131
- https://support.apple.com/kb/HT205031