Vulnerabilities > CVE-2017-8817 - Out-of-bounds Read vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0016_LINUX.NASL description An update of the linux package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121918 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121918 title Photon OS 2.0: Linux PHSA-2018-2.0-0016 code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2018-2.0-0016. The text # itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) { script_id(121918); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2019/03/08"); script_cve_id("CVE-2018-5344"); script_name(english:"Photon OS 2.0: Linux PHSA-2018-2.0-0016"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote PhotonOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "An update of the linux package has been released."); script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-16.md"); script_set_attribute(attribute:"solution", value: "Update the affected Linux packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-8817"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/14"); script_set_attribute(attribute:"patch_publication_date", value:"2018/02/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/07"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-api-headers-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-aws-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-aws-debuginfo-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-aws-devel-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-aws-docs-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-aws-drivers-gpu-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-aws-oprofile-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-aws-sound-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-aws-tools-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-debuginfo-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-devel-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-docs-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-drivers-gpu-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-debuginfo-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-devel-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-docs-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-oprofile-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-debuginfo-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-devel-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-docs-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-lkcm-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-sound-4.9.80-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"linux-tools-4.9.80-1.ph2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux"); }
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2017-333-03.NASL description New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104860 published 2017-11-30 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/104860 title Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2017-333-03) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2017-333-03. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(104860); script_version("$Revision: 3.3 $"); script_cvs_date("$Date: 2018/01/26 17:57:43 $"); script_cve_id("CVE-2017-8816", "CVE-2017-8817", "CVE-2017-8818"); script_xref(name:"SSA", value:"2017-333-03"); script_name(english:"Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2017-333-03)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.440895 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b3684041" ); script_set_attribute(attribute:"solution", value:"Update the affected curl package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:curl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2"); script_set_attribute(attribute:"patch_publication_date", value:"2017/11/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"14.0", pkgname:"curl", pkgver:"7.57.0", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"curl", pkgver:"7.57.0", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.1", pkgname:"curl", pkgver:"7.57.0", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"curl", pkgver:"7.57.0", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"14.2", pkgname:"curl", pkgver:"7.57.0", pkgarch:"i586", pkgnum:"1_slack14.2")) flag++; if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"curl", pkgver:"7.57.0", pkgarch:"x86_64", pkgnum:"1_slack14.2")) flag++; if (slackware_check(osver:"current", pkgname:"curl", pkgver:"7.57.0", pkgarch:"i586", pkgnum:"1")) flag++; if (slackware_check(osver:"current", arch:"x86_64", pkgname:"curl", pkgver:"7.57.0", pkgarch:"x86_64", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3498-1.NASL description Alex Nichols discovered that curl incorrectly handled NTLM authentication credentials. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 17.04 and Ubuntu 17.10. (CVE-2017-8816) It was discovered that curl incorrectly handled FTP wildcard matching. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2017-8817). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104881 published 2017-11-30 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104881 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : curl vulnerabilities (USN-3498-1) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_301A01B7D50E11E7AC58B499BAEBFEAF.NASL description The cURL project reports : - NTLM buffer overflow via integer overflow (CVE-2017-8816)libcurl contains a buffer overrun flaw in the NTLM authentication code. The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up the lengths of the user name + password (= SUM) and multiplies the sum by two (= SIZE) to figure out how large storage to allocate from the heap. - FTP wildcard out of bounds read (CVE-2017-8817) libcurl contains a read out of bounds flaw in the FTP wildcard function. libcurl last seen 2020-06-01 modified 2020-06-02 plugin id 104863 published 2017-11-30 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104863 title FreeBSD : cURL -- Multiple vulnerabilities (301a01b7-d50e-11e7-ac58-b499baebfeaf) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0016_BINUTILS.NASL description An update of the binutils package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 121915 published 2019-02-07 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121915 title Photon OS 2.0: Binutils PHSA-2018-2.0-0016 NASL family MacOS X Local Security Checks NASL id MACOS_10_13_3.NASL description The remote host is running a version of Mac OS X that is 10.13.x prior to 10.13.3. It is, therefore, affected by multiple vulnerabilities in the following components : - Audio - curl - IOHIDFamily - Kernel - LinkPresentation - QuartzCore - Sandbox - Security - WebKit - Wi-Fi Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 106296 published 2018-01-24 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106296 title macOS 10.13.x < 10.13.3 Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4051.NASL description Two vulnerabilities were discovered in cURL, an URL transfer library. - CVE-2017-8816 Alex Nichols discovered a buffer overrun flaw in the NTLM authentication code which can be triggered on 32bit systems where an integer overflow might occur when calculating the size of a memory allocation. - CVE-2017-8817 Fuzzing by the OSS-Fuzz project led to the discovery of a read out of bounds flaw in the FTP wildcard function in libcurl. A malicious server could redirect a libcurl-based client to an URL using a wildcard pattern, triggering the out-of-bound read. last seen 2020-06-01 modified 2020-06-02 plugin id 104861 published 2017-11-30 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104861 title Debian DSA-4051-1 : curl - security update NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2019-1162.NASL description libcurl is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.(CVE-2018-16890) The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.(CVE-2017-8816) curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.(CVE-2017-8818) libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.(CVE-2017-1000254) Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.(CVE-2018-16842) libcurl is vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large last seen 2020-06-01 modified 2020-06-02 plugin id 122260 published 2019-02-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122260 title Amazon Linux 2 : curl (ALAS-2019-1162) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0108_CURL.NASL description An update of the curl package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121808 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121808 title Photon OS 1.0: Curl PHSA-2018-1.0-0108 NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1195.NASL description CVE-2017-8817 Fuzzing by the OSS-Fuzz project led to the discovery of a read out of bounds flaw in the FTP wildcard function in libcurl. A malicious server could redirect a libcurl-based client to an URL using a wildcard pattern, triggering the out-of-bound read. For Debian 7 last seen 2020-03-17 modified 2017-12-01 plugin id 104937 published 2017-12-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104937 title Debian DLA-1195-1 : curl security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1549.NASL description According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.(CVE-2018-1000121) - It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.(CVE-2018-1000120) - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2016-8623) - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2016-8622) - It was found that the libcurl library did not prevent TLS session resumption when the client certificate had changed. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.(CVE-2016-5419) - A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application.(CVE-2017-1000257) - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2016-8624) - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2016-8621) - A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage(CVE-2018-1000122) - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2016-9586) - The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an last seen 2020-06-01 modified 2020-06-02 plugin id 125002 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125002 title EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1549) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1330.NASL description According to the versions of the curl package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.(CVE-2018-1000120) - A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.(CVE-2018-1000121) - A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage(CVE-2018-1000122) - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2018-1000301) - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2016-9586) - libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e 7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.i1/4^CVE-2017-1000254i1/4%0 - The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an last seen 2020-03-19 modified 2018-10-26 plugin id 118418 published 2018-10-26 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118418 title EulerOS Virtualization 2.5.0 : curl (EulerOS-SA-2018-1330) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0108_POSTGRESQL.NASL description An update of the postgresql package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121809 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121809 title Photon OS 1.0: Postgresql PHSA-2018-1.0-0108 NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0108.NASL description An update of 'postgresql', 'curl' packages of Photon OS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111919 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111919 title Photon OS 1.0: Curl / Postgresql PHSA-2018-1.0-0108 (deprecated) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1040.NASL description According to the version of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an last seen 2020-05-06 modified 2018-02-13 plugin id 106768 published 2018-02-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106768 title EulerOS 2.0 SP2 : curl (EulerOS-SA-2018-1040) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0016_POSTGRESQL.NASL description An update of the postgresql package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121919 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121919 title Photon OS 2.0: Postgresql PHSA-2018-2.0-0016 NASL family Fedora Local Security Checks NASL id FEDORA_2017-0C062324CD.NASL description - fix NTLM buffer overflow via integer overflow (CVE-2017-8816) - fix FTP wildcard out of bounds read (CVE-2017-8817) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-12-11 plugin id 105124 published 2017-12-11 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105124 title Fedora 26 : curl (2017-0c062324cd) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201712-04.NASL description The remote host is affected by the vulnerability described in GLSA-201712-04 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details. Impact : Remote attackers could cause a Denial of Service condition, disclose sensitive information or other unspecified impacts. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 105264 published 2017-12-15 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/105264 title GLSA-201712-04 : cURL: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-56.NASL description This update for curl fixes the following issues : Security issues fixed : - CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226). - CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222). This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2018-01-22 plugin id 106219 published 2018-01-22 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106219 title openSUSE Security Update : curl (openSUSE-2018-56) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0016.NASL description An update of {'linux', 'curl', 'binutils', 'postgresql', 'libtiff'} packages of Photon OS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111286 published 2018-07-24 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111286 title Photon OS 2.0 : Linux / Postgresql / Binutils / Curl / Libtiff (PhotonOS-PHSA-2018-2.0-0016) (deprecated) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1039.NASL description According to the version of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an last seen 2020-05-06 modified 2018-02-13 plugin id 106767 published 2018-02-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106767 title EulerOS 2.0 SP1 : curl (EulerOS-SA-2018-1039) NASL family Fedora Local Security Checks NASL id FEDORA_2017-45BDF4DACE.NASL description - fix NTLM buffer overflow via integer overflow (CVE-2017-8816) - fix FTP wildcard out of bounds read (CVE-2017-8817) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-01-15 plugin id 105863 published 2018-01-15 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105863 title Fedora 27 : curl (2017-45bdf4dace) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0122-1.NASL description This update for curl fixes the following issues: Security issues fixed : - CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226). - CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106132 published 2018-01-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106132 title SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2018:0122-1) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0016_CURL.NASL description An update of the curl package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121916 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121916 title Photon OS 2.0: Curl PHSA-2018-2.0-0016 NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0016_LIBTIFF.NASL description An update of the libtiff package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121917 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121917 title Photon OS 2.0: Libtiff PHSA-2018-2.0-0016 NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-938.NASL description The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields. (CVE-2017-8816) The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an last seen 2020-06-01 modified 2020-06-02 plugin id 105516 published 2018-01-04 reporter This script is Copyright (C) 2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/105516 title Amazon Linux AMI : curl (ALAS-2018-938)
Redhat
advisories |
| ||||
rpms |
|
References
- https://curl.haxx.se/docs/adv_2017-ae72.html
- https://www.debian.org/security/2017/dsa-4051
- http://www.securitytracker.com/id/1039897
- http://security.cucumberlinux.com/security/details.php?id=162
- http://www.securityfocus.com/bid/102057
- https://security.gentoo.org/glsa/201712-04
- https://lists.debian.org/debian-lts-announce/2017/11/msg00040.html
- https://access.redhat.com/errata/RHSA-2018:3558