Vulnerabilities > CVE-2018-1000005 - Out-of-bounds Read vulnerability in multiple products

047910
CVSS 9.1 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
haxx
debian
canonical
CWE-125
critical
nessus

Summary

libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201804-04.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201804-04 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details. Impact : Remote attackers could cause a Denial of Service condition, obtain sensitive information, or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id108925
    published2018-04-10
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/108925
    titleGLSA-201804-04 : cURL: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201804-04.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108925);
      script_version("1.2");
      script_cvs_date("Date: 2018/06/07 13:15:38");
    
      script_cve_id("CVE-2018-1000005", "CVE-2018-1000007", "CVE-2018-1000120", "CVE-2018-1000121", "CVE-2018-1000122");
      script_xref(name:"GLSA", value:"201804-04");
    
      script_name(english:"GLSA-201804-04 : cURL: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201804-04
    (cURL: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in cURL. Please review the
          CVE identifiers referenced below for details.
      
    Impact :
    
        Remote attackers could cause a Denial of Service condition, obtain
          sensitive information, or have other unspecified impacts.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201804-04"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All cURL users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-misc/curl-7.59.0'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:curl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-misc/curl", unaffected:make_list("ge 7.59.0"), vulnerable:make_list("lt 7.59.0"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cURL");
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-951.NASL
    descriptionOut-of-bounds read in code handling HTTP/2 trailers : libcurl contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn
    last seen2020-06-01
    modified2020-06-02
    plugin id106930
    published2018-02-22
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/106930
    titleAmazon Linux AMI : curl (ALAS-2018-951)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2018-951.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106930);
      script_version("3.2");
      script_cvs_date("Date: 2018/04/18 15:09:36");
    
      script_cve_id("CVE-2018-1000005", "CVE-2018-1000007");
      script_xref(name:"ALAS", value:"2018-951");
    
      script_name(english:"Amazon Linux AMI : curl (ALAS-2018-951)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Out-of-bounds read in code handling HTTP/2 trailers :
    
    libcurl contains an out bounds read in code handling HTTP/2 trailers.
    It was reported (https://github.com/curl/curl/pull/2231) that reading
    an HTTP/2 trailer could mess up future trailers since the stored size
    was one byte less than required. The problem is that the code that
    creates HTTP/1-like headers from the HTTP/2 trailer data once appended
    a string like `:` to the target buffer, while this was recently
    changed to `: ` (a space was added after the colon) but the following
    math wasn't updated correspondingly. When accessed, the data is read
    out of bounds and causes either a crash or that the (too large) data
    gets passed to client write. This could lead to a denial-of-service
    situation or an information disclosure if someone has a service that
    echoes back or uses the trailers for something. (CVE-2018-1000005)
    
    HTTP authentication leak in redirects :
    
    libcurl might accidentally leak authentication data to third parties.
    When asked to send custom headers in its HTTP requests, libcurl will
    send that set of headers first to the host in the initial URL but
    also, if asked to follow redirects and a 30X HTTP response code is
    returned, to the host mentioned in URL in the `Location:` response
    header value. Sending the same set of headers to subsequest hosts is
    in particular a problem for applications that pass on custom
    `Authorization:` headers, as this header often contains privacy
    sensitive information or data that could allow others to impersonate
    the libcurl-using client's request. (CVE-2018-1000007)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2018-951.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update curl' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libcurl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libcurl-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"curl-7.53.1-14.81.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"curl-debuginfo-7.53.1-14.81.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"libcurl-7.53.1-14.81.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"libcurl-devel-7.53.1-14.81.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / curl-debuginfo / libcurl / libcurl-devel");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-85655B12B6.NASL
    description- http2: fix incorrect trailer buffer size (CVE-2018-1000005) - http: prevent custom Authorization headers in redirects (CVE-2018-1000007) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-31
    plugin id106517
    published2018-01-31
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106517
    titleFedora 26 : curl (2018-85655b12b6)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-85655b12b6.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106517);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-1000005", "CVE-2018-1000007");
      script_xref(name:"FEDORA", value:"2018-85655b12b6");
    
      script_name(english:"Fedora 26 : curl (2018-85655b12b6)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "- http2: fix incorrect trailer buffer size
      (CVE-2018-1000005)
    
    - http: prevent custom Authorization headers in redirects
      (CVE-2018-1000007)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-85655b12b6"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected curl package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:curl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"curl-7.53.1-14.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3554-1.NASL
    descriptionIt was discovered that curl incorrectly handled certain data. An attacker could possibly use this to cause a denial of service or even to get access to sensitive data. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. It was discovered that curl could accidentally leak authentication data. An attacker could possibly use this to get access to sensitive information. (CVE-2018-1000007). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106558
    published2018-02-01
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106558
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.10 : curl vulnerabilities (USN-3554-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-951.NASL
    descriptionHTTP authentication leak in redirects libcurl might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client
    last seen2020-06-01
    modified2020-06-02
    plugin id109122
    published2018-04-18
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109122
    titleAmazon Linux 2 : curl (ALAS-2018-951)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4098.NASL
    descriptionTwo vulnerabilities were discovered in cURL, an URL transfer library. - CVE-2018-1000005 Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id106412
    published2018-01-29
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106412
    titleDebian DSA-4098-1 : curl - security update
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2018-024-01.NASL
    descriptionNew curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106309
    published2018-01-25
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/106309
    titleSlackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2018-024-01)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-241A5A2409.NASL
    description- http2: fix incorrect trailer buffer size (CVE-2018-1000005) - http: prevent custom Authorization headers in redirects (CVE-2018-1000007) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-31
    plugin id106510
    published2018-01-31
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106510
    titleFedora 27 : curl (2018-241a5a2409)

Redhat

advisories
rhsa
idRHSA-2019:1543