CVE-2017-2629 - Improper Certificate Validation vulnerability in Haxx Curl

CVSS base score: 4.0 (MEDIUM)
  Attack vector:          NETWORK
  Attack complexity:      LOW
  Privileges required:    SINGLE
  Confidentiality impact: NONE
  Integrity impact:       PARTIAL
  Availability impact:    NONE

Tags: network, low complexity, haxx, CWE-295, nessus

Summary

curl before 7.53.0 has a defect in its TLS Certificate Status Request extension (OCSP stapling) feature, which asks the server for a fresh proof of its certificate's validity: the code that checks whether that test succeeded or failed always concludes that valid proof was received, even when none was provided or when the server does not support the TLS extension at all. Users may therefore fail to detect that a server's certificate has become invalid, or otherwise be misled into believing the server is in better shape than it really is. The same flaw affects the command line tool (--cert-status).
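Because the broken check cannot be worked around at run time, the practical defender's test is a version check, which is exactly what the Nessus plugins further down this page do at the package level. The following Python script is an added example, not curl's, Tenable's or this page's own code: it reproduces the range the FreeBSD plugin tests (curl>=7.52.0<7.53.0) and applies it to the first line of `curl --version`, preferring the `libcurl/` version over the tool's own version because the defect lives in libcurl. The sample version lines are constructed, and `assess_local_curl` is a hypothetical convenience helper.

```python
"""Version-range check for CVE-2017-2629 against `curl --version` output.

Added example (not curl's, Tenable's or this page's own code). It mirrors
the package test of the FreeBSD plugin on this page ("curl>=7.52.0<7.53.0").
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Range taken from the FreeBSD plugin on this page: 7.52.0 <= v < 7.53.0.
# (The Gentoo plugin is broader and flags any curl below the 7.53.0 fix.)
AFFECTED_MIN: Version = (7, 52, 0)
FIXED: Version = (7, 53, 0)

_VER = r"(\d+)\.(\d+)\.(\d+)"


def _to_version(match) -> Optional[Version]:
    """Turn a regex match with three numeric groups into a version tuple."""
    if match is None:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def parse_curl_version_line(line: str) -> Dict[str, Optional[Version]]:
    """Extract the tool version and the libcurl version from the first line
    of `curl --version`, e.g.
    'curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2k'."""
    tool = re.search(r"^curl\s+" + _VER, line.strip())
    lib = re.search(r"\blibcurl/" + _VER, line)
    return {"tool": _to_version(tool), "libcurl": _to_version(lib)}


def is_affected(version: Version) -> bool:
    """True when version lies inside the affected range [7.52.0, 7.53.0)."""
    return AFFECTED_MIN <= version < FIXED


def assess(version_output: str) -> Dict[str, object]:
    """Decide whether the curl described by `version_output` carries the
    broken CURLOPT_SSL_VERIFYSTATUS check. The defect is in libcurl, so when
    the tool was built against a different libcurl than its own release the
    library version is the one that matters."""
    lines = version_output.strip().splitlines()
    parsed = (parse_curl_version_line(lines[0]) if lines
              else {"tool": None, "libcurl": None})
    effective = parsed["libcurl"] or parsed["tool"]
    if effective is None:
        return {"version": None, "affected": None,
                "note": "could not parse a curl/libcurl version"}
    affected = is_affected(effective)
    return {
        "version": effective,
        "affected": affected,
        "note": ("upgrade to %d.%d.%d or later" % FIXED) if affected
                else "outside the affected range",
    }


def assess_local_curl() -> Dict[str, object]:
    """Hypothetical helper: run the installed `curl --version` and assess it.
    Not needed for the offline samples below."""
    try:
        proc = subprocess.run(["curl", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return {"version": None, "affected": None, "note": "curl not installed"}
    return assess(proc.stdout)


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real host.
    samples = [
        "curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2k",
        "curl 7.53.0 (x86_64-pc-linux-gnu) libcurl/7.53.0 OpenSSL/1.0.2k",
        "curl 7.53.0 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2k",
    ]
    for sample in samples:
        print(sample, "->", assess(sample))
```

The third sample illustrates the case worth remembering: a curl binary reporting a fixed version can still be linked against a vulnerable libcurl, and the library version is what decides.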

Vulnerable Configurations

Part         Description   Count
Application  Haxx          135

Common Weakness Enumeration (CWE)

  • CWE-295: Improper Certificate Validation

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certification Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attacker's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_311E4B1CF8EE11E69940B499BAEBFEAF.NASL
    description: The cURL project reports : SSL_VERIFYSTATUS ignored curl and libcurl support
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 97342
    published: 2017-02-23
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97342
    title: FreeBSD : cURL -- ocsp status validation error (311e4b1c-f8ee-11e6-9940-b499baebfeaf)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97342);
      script_version("3.4");
      script_cvs_date("Date: 2018/12/19 13:21:18");
    
      script_cve_id("CVE-2017-2629");
    
      script_name(english:"FreeBSD : cURL -- ocsp status validation error (311e4b1c-f8ee-11e6-9940-b499baebfeaf)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The cURL project reports :
    
    SSL_VERIFYSTATUS ignored curl and libcurl support 'OCSP stapling',
    also known as the TLS Certificate Status Request extension (using the
    CURLOPT_SSL_VERIFYSTATUS option). When telling curl to use this
    feature, it uses that TLS extension to ask for a fresh proof of the
    server's certificate's validity. If the server doesn't support the
    extension, or fails to provide said proof, curl is expected to return
    an error. Due to a coding mistake, the code that checks for a test
    success or failure, ends up always thinking there's valid proof, even
    when there is none or if the server doesn't support the TLS extension
    in question. Contrary to how it used to function and contrary to how
    this feature is documented to work. This could lead to users not
    detecting when a server's certificate goes invalid or otherwise be
    mislead that the server is in a better shape than it is in reality."
      );
      # https://curl.haxx.se/docs/adv_20170222.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://curl.haxx.se/docs/CVE-2017-2629.html"
      );
      # https://vuxml.freebsd.org/freebsd/311e4b1c-f8ee-11e6-9940-b499baebfeaf.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a62ac020"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:curl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"curl>=7.52.0<7.53.0")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201703-04.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201703-04 (cURL: Certificate validation error). cURL and applications linked against libcurl support "OCSP stapling", also known as the TLS Certificate Status Request extension (using the CURLOPT_SSL_VERIFYSTATUS option). When telling cURL to use this feature, it uses that TLS extension to ask for a fresh proof of the server's certificate's validity. If the server doesn't support the extension, or fails to provide said proof, cURL is expected to return an error. Due to a coding mistake, the code that checks for a test success or failure ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. Impact : Due to the error, a user may not detect when a server's certificate goes invalid or may otherwise be misled that the server is in a better shape than it is in reality. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 99011
    published: 2017-03-28
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99011
    title: GLSA-201703-04 : cURL: Certificate validation error
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201703-04.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99011);
      script_version("3.2");
      script_cvs_date("Date: 2018/09/25  9:33:51");
    
      script_cve_id("CVE-2017-2629");
      script_xref(name:"GLSA", value:"201703-04");
    
      script_name(english:"GLSA-201703-04 : cURL: Certificate validation error");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201703-04
    (cURL: Certificate validation error)
    
        cURL and applications linked against libcurl support &ldquo;OCSP
          stapling&rdquo;, also known as the TLS Certificate Status Request extension
          (using the CURLOPT_SSL_VERIFYSTATUS option). When telling cURL to use
          this feature, it uses that TLS extension to ask for a fresh proof of the
          server&rsquo;s certificate&rsquo;s validity. If the server doesn&rsquo;t support the
          extension, or fails to provide said proof, cURL is expected to return an
          error.
          Due to a coding mistake, the code that checks for a test success or
          failure, ends up always thinking there&rsquo;s valid proof, even when there
          is none or if the server doesn&rsquo;t support the TLS extension in question.
      
    Impact :
    
        Due to the error, a user maybe does not detect when a server&rsquo;s
          certificate goes invalid or otherwise be mislead that the server is in a
          better shape than it is in reality.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201703-04"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All cURL users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-misc/curl-7.53.0'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:curl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-misc/curl", unaffected:make_list("ge 7.53.0"), vulnerable:make_list("lt 7.53.0"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cURL");
    }
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2017-003.NASL
    description: The remote host is running Mac OS X 10.10.5, Mac OS X 10.11.6, or macOS 10.12.5 and is missing a security update. It is therefore affected by multiple vulnerabilities : - An overflow condition exists in the curl component in the dprintf_formatf() function that is triggered when handling floating point conversion. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9586) - A flaw exists in the curl component in the randit() function within file lib/rand.c due to improper initialization of the 32-bit random value, which is used, for example, to generate Digest and NTLM authentication nonces, resulting in weaker cryptographic operations than expected. (CVE-2016-9594) - A flaw exists in the curl component in the allocate_conn() function in lib/url.c when using the OCSP stapling feature for checking an X.509 certificate revocation status. The issue is triggered as the request option for OCSP stapling is not properly passed to the TLS library, resulting in no error being returned even when no proof of the validity of the certificate could be provided. A man-in-the-middle attacker can exploit this to provide a revoked certificate. (CVE-2017-2629) - A remote code execution vulnerability exists in the CoreAudio component due to improper validation of user-supplied input when handling movie files. An unauthenticated, remote attacker can exploit this, by convincing a user to play a specially crafted movie file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7008) - A memory corruption issue exists in the IOUSBFamily component due to improper validation of user-supplied input. A local attacker can exploit this, via a specially crafted application, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7009) - Multiple out-of-bounds read errors exist in the libxml2 component due to improper handling of specially crafted XML documents. An unauthenticated, remote attacker can exploit these to disclose user information. (CVE-2017-7010, CVE-2017-7013) - Multiple memory corruption issues exist in the Intel Graphics Driver component due to improper validation of input. A local attacker can exploit these issues to execute arbitrary code with elevated privileges. (CVE-2017-7014, CVE-2017-7017, CVE-2017-7035, CVE-2017-7044) - A remote code execution vulnerability exists in the Audio component due to improper validation of user-supplied input when handling audio files. An unauthenticated, remote attacker can exploit this, by convincing a user to play a specially crafted audio file, to execute arbitrary code. (CVE-2017-7015) - Multiple remote code execution vulnerabilities exist in the afclip component due to improper validation of user-supplied input when handling audio files. An unauthenticated, remote attacker can exploit these vulnerabilities, by convincing a user to play a specially crafted audio file, to execute arbitrary code. (CVE-2017-7016, CVE-2017-7033) - A memory corruption issue exists in the AppleGraphicsPowerManagement component due to improper validation of input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code with system privileges. (CVE-2017-7021) - Multiple memory corruption issues exist in the kernel due to improper validation of input. A local attacker can exploit these issues to cause a denial of service condition or the execution of arbitrary code with system privileges. (CVE-2017-7022, CVE-2017-7024, CVE-2017-7026) - Multiple memory corruption issues exist in the kernel due to improper validation of input. A local attacker can exploit these issues to cause a denial of service condition or the execution of arbitrary code with kernel privileges. (CVE-2017-7023, CVE-2017-7025, CVE-2017-7027, CVE-2017-7069) - Multiple unspecified flaws exist in the kernel due to a failure to properly sanitize input. A local attacker can exploit these issues, via a specially crafted application, to disclose restricted memory contents. (CVE-2017-7028, CVE-2017-7029, CVE-2017-7067) - A flaw exists in the Foundation component due to improper validation of input. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary code. (CVE-2017-7031) - A memory corruption issue exists in the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101957
    published: 2017-07-25
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101957
    title: macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-003)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101957);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id(
        "CVE-2016-9586",
        "CVE-2016-9594",
        "CVE-2017-2629",
        "CVE-2017-7008",
        "CVE-2017-7009",
        "CVE-2017-7010",
        "CVE-2017-7013",
        "CVE-2017-7014",
        "CVE-2017-7015",
        "CVE-2017-7016",
        "CVE-2017-7017",
        "CVE-2017-7021",
        "CVE-2017-7022",
        "CVE-2017-7023",
        "CVE-2017-7024",
        "CVE-2017-7025",
        "CVE-2017-7026",
        "CVE-2017-7027",
        "CVE-2017-7028",
        "CVE-2017-7029",
        "CVE-2017-7031",
        "CVE-2017-7032",
        "CVE-2017-7033",
        "CVE-2017-7035",
        "CVE-2017-7036",
        "CVE-2017-7044",
        "CVE-2017-7045",
        "CVE-2017-7047",
        "CVE-2017-7050",
        "CVE-2017-7051",
        "CVE-2017-7054",
        "CVE-2017-7062",
        "CVE-2017-7067",
        "CVE-2017-7068",
        "CVE-2017-7069",
        "CVE-2017-7468",
        "CVE-2017-9417"
      );
      script_bugtraq_id(
        95019,
        95094,
        96382,
        97962,
        99482,
        99879,
        99880,
        99882,
        99883,
        99889
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2017-05-15-1");
    
      script_name(english:"macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-003)");
      script_summary(english:"Checks for the presence of Security Update 2017-003.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a macOS or Mac OS X security update that
    fixes multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running Mac OS X 10.10.5, Mac OS X 10.11.6, or
    macOS 10.12.5 and is missing a security update. It is therefore,
    affected by multiple vulnerabilities :
    
      - An overflow condition exists in the curl component in
        the dprintf_formatf() function that is triggered when
        handling floating point conversion. An unauthenticated,
        remote attacker can exploit this to cause a denial of
        service condition or the execution of arbitrary code.
        (CVE-2016-9586)
    
      - A flaw exits in the curl component in the randit()
        function within file lib/rand.c due to improper
        initialization of the 32-bit random value, which is
        used, for example, to generate Digest and NTLM
        authentication nonces, resulting in weaker cryptographic
        operations than expected. (CVE-2016-9594)
    
      - A flaw exists in the curl component in the
        allocate_conn() function in lib/url.c when using the
        OCSP stapling feature for checking a X.509 certificate
        revocation status. The issue is triggered as the request
        option for OCSP stapling is not properly passed to the
        TLS library, resulting in no error being returned even
        when no proof of the validity of the certificate could
        be provided. A man-in-the-middle attacker can exploit
        this to provide a revoked certificate. (CVE-2017-2629)
    
      - A remote code execution vulnerability exists in the
        CoreAudio component due to improper validation of
        user-supplied input when handling movie files. An
        unauthenticated, remote attacker can exploit this, by
        convincing a user to play a specially crafted movie
        file, to cause a denial of service condition or the
        execution of arbitrary code. (CVE-2017-7008)
    
      - A memory corruption issue exists in the IOUSBFamily
        component due to improper validation of user-supplied
        input. A local attacker can exploit this, via a
        specially crafted application, to cause a denial of
        service condition or the execution of arbitrary code.
        (CVE-2017-7009)
    
      - Multiple out-of-bounds read errors exist in the libxml2
        component due to improper handling of specially crafted
        XML documents. An unauthenticated, remote attacker can
        exploit these to disclose user information.
        (CVE-2017-7010, CVE-2017-7013)
    
      - Multiple memory corruption issues exist in the Intel
        Graphics Driver component due to improper validation of
        input. A local attacker can exploit these issues to
        execute arbitrary code with elevated privileges.
        (CVE-2017-7014, CVE-2017-7017, CVE-2017-7035,
        CVE-2017-7044)
    
      - A remote code execution vulnerability exists in the
        Audio component due to improper validation of
        user-supplied input when handling audio files. An
        unauthenticated, remote attacker can exploit this, by
        convincing a user to play a specially crafted audio
        file, to execute arbitrary code. (CVE-2017-7015)
    
      - Multiple remote code execution vulnerabilities exist in
        the afclip component due to improper validation of
        user-supplied input when handling audio files. An
        unauthenticated, remote attacker can exploit these
        vulnerabilities, by convincing a user to play a
        specially crafted audio file, to execute arbitrary
        code. (CVE-2017-7016, CVE-2017-7033)
    
      - A memory corruption issue exists in the
        AppleGraphicsPowerManagement component due to improper
        validation of input. A local attacker can exploit this
        to cause a denial of service condition or the execution
        of arbitrary code with system privileges.
        (CVE-2017-7021)
    
      - Multiple memory corruption issues exist in the kernel
        due to improper validation of input. A local attacker
        can exploit these issues to cause a denial of service
        condition or the execution of arbitrary code with system
        privileges. (CVE-2017-7022, CVE-2017-7024,
        CVE-2017-7026)
    
      - Multiple memory corruption issues exist in the kernel
        due to improper validation of input. A local attacker
        can exploit these issues to cause a denial of service
        condition or the execution of arbitrary code with kernel
        privileges. (CVE-2017-7023, CVE-2017-7025,
        CVE-2017-7027, CVE-2017-7069)
    
      - Multiple unspecified flaws exist in the kernel due to a
        failure to properly sanitize input. A local attacker can
        exploit these issues, via a specially crafted
        application, to disclose restricted memory contents.
        (CVE-2017-7028, CVE-2017-7029, CVE-2017-7067)
    
      - A flaw exists in the Foundation component due to
        improper validation of input. A unauthenticated, remote
        attacker can exploit this, by convincing a user to open
        specially crafted file, to execute arbitrary code.
        (CVE-2017-7031)
    
      - A memory corruption issue exists in the 'kext tools'
        component due to improper validation of input. A local
        attacker can exploit this to execute arbitrary code with
        elevated privileges. (CVE-2017-7032)
    
      - Multiple unspecified flaws exist in the Intel Graphics
        Driver component due to a failure to properly sanitize
        input. A local attacker can exploit these issues, via a
        specially crafted application, to disclose restricted
        memory contents. (CVE-2017-7036, CVE-2017-7045)
    
      - A memory corruption issue exists in the libxpc component
        due to improper validation of input. A local attacker
        can exploit this issue, via a specifically crafted
        application, to cause a denial of service condition or
        the execution of arbitrary code with system privileges.
        (CVE-2017-7047)
    
      - Multiple memory corruption issues exist in the
        Bluetooth component due to improper validation of input.
        A local attacker can exploit these issues to execute
        arbitrary code with system privileges. (CVE-2017-7050,
        CVE-2017-7051)
    
      - A memory corruption issue exists in the Bluetooth
        component due to improper validation of input. A local
        attacker can exploit these issues to execute arbitrary
        code with system privileges. (CVE-2017-7054)
    
      - A buffer overflow condition exists in the Contacts
        component due to improper validation of user-supplied
        input. An unauthenticated, remote attacker can exploit
        this to cause a denial of service condition or the
        execution of arbitrary code. (CVE-2017-7062)
    
      - A buffer overflow condition exists in the libarchive
        component due to improper validation of user-supplied
        input. An unauthenticated, remote attacker can exploit
        this, via a specially crafted archive file, to cause a
        denial of service condition or the execution of
        arbitrary code. (CVE-2017-7068)
    
      - A certificate validation bypass vulnerability exists in
        the curl component due to the program attempting to
        resume TLS sessions even if the client certificate
        fails. An unauthenticated, remote attacker can exploit
        this to bypass validation mechanisms. (CVE-2017-7468)
    
      - A memory corruption issue exists in the Broadcom BCM43xx
        family Wi-Fi Chips component that allows an
        unauthenticated, remote attacker to execute arbitrary
        code. (CVE-2017-9417)");
      script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT207922");
      script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2017/May/47");
      script_set_attribute(attribute:"solution", value:
    "Install Security Update 2017-003 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7069");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/25");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages/boms");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Compare 2 patch numbers to determine if patch requirements are satisfied.
    # Return true if this patch or a later patch is applied
    # Return false otherwise
    function check_patch(year, number)
    {
      local_var p_split = split(patch, sep:"-");
      local_var p_year  = int( p_split[0]);
      local_var p_num   = int( p_split[1]);
    
      if (year >  p_year) return TRUE;
      else if (year <  p_year) return FALSE;
      else if (number >=  p_num) return TRUE;
      else return FALSE;
    }
    
    get_kb_item_or_exit("Host/local_checks_enabled");
    os = get_kb_item_or_exit("Host/MacOSX/Version");
    
    if (!preg(pattern:"Mac OS X 10\.(10\.5|11\.6|12\.5)([^0-9]|$)", string:os))
      audit(AUDIT_OS_NOT, "Mac OS X 10.10.5 or Mac OS X 10.11.6 or Mac OS X 10.12.5");
    
    if ("10.10.5" >< os || "10.11.6" >< os || "10.12.5" >< os) patch = "2017-003";
    
    packages = get_kb_item_or_exit("Host/MacOSX/packages/boms", exit_code:1);
    sec_boms_report = pgrep(
      pattern:"^com\.apple\.pkg\.update\.(security\.|os\.SecUpd).*bom$",
      string:packages
    );
    sec_boms = split(sec_boms_report, sep:'\n');
    
    foreach package (sec_boms)
    {
      # Grab patch year and number
      match = eregmatch(pattern:"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]", string:package);
      if (empty_or_null(match[1]) || empty_or_null(match[2]))
        continue;
    
      patch_found = check_patch(year:int(match[1]), number:int(match[2]));
      if (patch_found) exit(0, "The host has Security Update " + patch + " or later installed and is therefore not affected.");
    }
    
    report =  '\n  Missing security update : ' + patch;
    report += '\n  Installed security BOMs : ';
    if (sec_boms_report) report += str_replace(find:'\n', replace:'\n                            ', string:sec_boms_report);
    else report += 'n/a';
    report += '\n';
    
    security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);