Vulnerabilities > CVE-2017-13090 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
gnu
debian
CWE-119
critical
nessus

Summary

The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_D77CEB8CBB1311E783573065EC6F3643.NASL
    descriptionAntti Levomaki, Christian Jalio, Joonas Pihlaja : Wget contains two vulnerabilities, a stack overflow and a heap overflow, in the handling of HTTP chunked encoding. By convincing a user to download a specific link over HTTP, an attacker may be able to execute arbitrary code with the privileges of the user.
    last seen2020-06-01
    modified2020-06-02
    plugin id104228
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104228
    titleFreeBSD : wget -- Heap overflow in HTTP protocol handling (d77ceb8c-bb13-11e7-8357-3065ec6f3643)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104228);
      script_version("3.4");
      script_cvs_date("Date: 2018/11/10 11:49:46");
    
      script_cve_id("CVE-2017-13090");
    
      script_name(english:"FreeBSD : wget -- Heap overflow in HTTP protocol handling (d77ceb8c-bb13-11e7-8357-3065ec6f3643)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Antti Levomaki, Christian Jalio, Joonas Pihlaja :
    
    Wget contains two vulnerabilities, a stack overflow and a heap
    overflow, in the handling of HTTP chunked encoding. By convincing a
    user to download a specific link over HTTP, an attacker may be able to
    execute arbitrary code with the privileges of the user."
      );
      # http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0e545a1f"
      );
      # https://vuxml.freebsd.org/freebsd/d77ceb8c-bb13-11e7-8357-3065ec6f3643.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?db112f17"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:wget");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"wget<1.19.2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1270.NASL
    descriptionAccording to the versions of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-11-01
    plugin id104295
    published2017-11-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104295
    titleEulerOS 2.0 SP2 : wget (EulerOS-SA-2017-1270)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104295);
      script_version("3.12");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2017-13089",
        "CVE-2017-13090"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : wget (EulerOS-SA-2017-1270)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the wget package installed, the EulerOS
    installation on the remote host is affected by the following
    vulnerabilities :
    
      - A stack-based and a heap-based buffer overflow flaws
        were found in wget when processing chunked encoded HTTP
        responses. By tricking an unsuspecting user into
        connecting to a malicious HTTP server, an attacker
        could exploit these flaws to potentially execute
        arbitrary code. (CVE-2017-13089, CVE-2017-13090)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1270
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1ec10d8");
      script_set_attribute(attribute:"solution", value:
    "Update the affected wget packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:wget");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["wget-1.14-15.1.h1"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wget");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-F0B3231763.NASL
    descriptionnew upstream release with CVE fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-11-08
    plugin id104452
    published2017-11-08
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104452
    titleFedora 26 : wget (2017-f0b3231763)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-f0b3231763.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104452);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-13089", "CVE-2017-13090");
      script_xref(name:"FEDORA", value:"2017-f0b3231763");
    
      script_name(english:"Fedora 26 : wget (2017-f0b3231763)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "new upstream release with CVE fixes
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-f0b3231763"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected wget package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wget");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"wget-1.19.2-1.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wget");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-DE8A421DCD.NASL
    descriptionnew upstream release with CVE fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-11-16
    plugin id104609
    published2017-11-16
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104609
    titleFedora 25 : wget (2017-de8a421dcd)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-de8a421dcd.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104609);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-13089", "CVE-2017-13090");
      script_xref(name:"FEDORA", value:"2017-de8a421dcd");
    
      script_name(english:"Fedora 25 : wget (2017-de8a421dcd)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "new upstream release with CVE fixes
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-de8a421dcd"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected wget package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wget");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"wget-1.19.2-1.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wget");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1210.NASL
    descriptionThis update for wget fixes the following security issues : - CVE-2017-13089,CVE-2017-13090: Missing checks for negative remaining_chunk_size in skip_short_body and fd_read_body could cause stack-based buffer overflows, which could have been exploited by malicious servers. (bsc#1064715,bsc#1064716) This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2017-10-30
    plugin id104240
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104240
    titleopenSUSE Security Update : wget (openSUSE-2017-1210)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0046.NASL
    descriptionAn update of [wget] packages for PhotonOS has been released.
    last seen2019-02-08
    modified2019-02-07
    plugin id111895
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111895
    titlePhoton OS 2.0: Wget PHSA-2017-0046 (deprecated)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4008.NASL
    descriptionAntti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen discovered two buffer overflows in the HTTP protocol handler of the Wget download tool, which could result in the execution of arbitrary code when connecting to a malicious HTTP server.
    last seen2020-06-01
    modified2020-06-02
    plugin id104223
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104223
    titleDebian DSA-4008-1 : wget - security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2871-2.NASL
    descriptionThis update for wget fixes the following security issues : - CVE-2017-13089,CVE-2017-13090: Missing checks for negative remaining_chunk_size in skip_short_body and fd_read_body could cause stack-based buffer overflows, which could have been exploited by malicious servers. (bsc#1064715,bsc#1064716) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104650
    published2017-11-17
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104650
    titleSUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2017:2871-2)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0046_WGET.NASL
    descriptionAn update of the wget package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121765
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121765
    titlePhoton OS 2.0: Wget PHSA-2017-0046
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3075.NASL
    descriptionFrom Red Hat Security Advisory 2017:3075 : An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104200
    published2017-10-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104200
    titleOracle Linux 7 : wget (ELSA-2017-3075)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1149.NASL
    descriptionCVE-2017-13089 Fix stack overflow in HTTP protocol handling. CVE-2017-13090 Fix heap overflow in HTTP protocol handling. For Debian 7
    last seen2020-03-17
    modified2017-10-30
    plugin id104221
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104221
    titleDebian DLA-1149-1 : wget security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1269.NASL
    descriptionAccording to the versions of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-11-01
    plugin id104294
    published2017-11-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104294
    titleEulerOS 2.0 SP1 : wget (EulerOS-SA-2017-1269)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201711-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201711-06 (GNU Wget: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Wget. Please review the referenced CVE identifiers for details. Impact : A remote attacker, by enticing a user to connect to a malicious server, could remotely execute arbitrary code or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id104514
    published2017-11-13
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104514
    titleGLSA-201711-06 : GNU Wget: Multiple vulnerabilities
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1413.NASL
    descriptionAccording to the versions of the wget package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A cookie injection flaw was found in wget. An attacker can create a malicious website which, when accessed, overrides cookies belonging to arbitrary domains.(CVE-2018-0494) - A stack-based buffer overflow when processing chunked, encoded HTTP responses was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.(CVE-2017-13089) - A heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.(CVE-2017-13090) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124916
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124916
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : wget (EulerOS-SA-2019-1413)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1417.NASL
    descriptionAccording to the versions of the wget package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A stack-based buffer overflow when processing chunked, encoded HTTP responses was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.(CVE-2017-13089) - A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the
    last seen2020-06-01
    modified2020-06-02
    plugin id124920
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124920
    titleEulerOS Virtualization 3.0.1.0 : wget (EulerOS-SA-2019-1417)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2017-300-02.NASL
    descriptionNew wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104216
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104216
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : wget (SSA:2017-300-02)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-3075.NASL
    descriptionAn update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104218
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104218
    titleCentOS 7 : wget (CESA-2017:3075)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-3075.NASL
    descriptionAn update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id119236
    published2018-11-27
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119236
    titleVirtuozzo 7 : wget (VZLSA-2017-3075)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-916.NASL
    descriptionHeap-based buffer overflow in HTTP protocol handling A heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code. (CVE-2017-13090) Stack-based buffer overflow in HTTP protocol handling A stack-based buffer overflow when processing chunked, encoded HTTP responses was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code. (CVE-2017-13089)
    last seen2020-06-01
    modified2020-06-02
    plugin id104182
    published2017-10-27
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104182
    titleAmazon Linux AMI : wget (ALAS-2017-916)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3075.NASL
    descriptionAn update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104205
    published2017-10-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104205
    titleRHEL 7 : wget (RHSA-2017:3075)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3464-1.NASL
    descriptionAntti Levomaki, Christian Jalio, and Joonas Pihlaja discovered that Wget incorrectly handled certain HTTP responses. A remote attacker could use this issue to cause Wget to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Dawid Golunski discovered that Wget incorrectly handled recursive or mirroring mode. A remote attacker could possibly use this issue to bypass intended access list restrictions. (CVE-2016-7098) Orange Tsai discovered that Wget incorrectly handled CRLF sequences in HTTP headers. A remote attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2017-6508). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104211
    published2017-10-27
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104211
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : wget vulnerabilities (USN-3464-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20171026_WGET_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090)
    last seen2020-03-18
    modified2017-10-27
    plugin id104207
    published2017-10-27
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104207
    titleScientific Linux Security Update : wget on SL7.x x86_64 (20171026)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0047.NASL
    descriptionAn update of [wget] packages for PhotonOS has been released.
    last seen2019-02-08
    modified2019-02-07
    plugin id111896
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111896
    titlePhoton OS 1.0: Wget PHSA-2017-0047 (deprecated)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-10FBCE01EC.NASL
    descriptionnew upstream release with CVE fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-15
    plugin id105816
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105816
    titleFedora 27 : wget (2017-10fbce01ec)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0047_WGET.NASL
    descriptionAn update of the wget package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121766
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121766
    titlePhoton OS 1.0: Wget PHSA-2017-0047

Redhat

advisories
bugzilla
id1505445
titleCVE-2017-13090 wget: Heap-based buffer overflow in HTTP protocol handling
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • commentwget is earlier than 0:1.14-15.el7_4.1
      ovaloval:com.redhat.rhsa:tst:20173075001
    • commentwget is signed with Red Hat redhatrelease2 key
      ovaloval:com.redhat.rhsa:tst:20140151002
rhsa
idRHSA-2017:3075
released2017-10-26
severityImportant
titleRHSA-2017:3075: wget security update (Important)
rpms
  • wget-0:1.14-15.el7_4.1
  • wget-debuginfo-0:1.14-15.el7_4.1