USN-3123-1: curl vulnerabilities

Medium

Vendor

Canonical Ubuntu

Versions Affected

• Canonical Ubuntu 14.04 LTS

Description

It was discovered that curl incorrectly reused client certificates when built with NSS. A remote attacker could possibly use this issue to hijack the authentication of a TLS connection. (CVE-2016-7141)

Nguyen Vu Hoang discovered that curl incorrectly handled escaping certain strings. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7167)

It was discovered that curl incorrectly handled storing cookies. A remote attacker could possibly use this issue to inject cookies for arbitrary domains in the cookie jar. (CVE-2016-8615)

It was discovered that curl incorrect handled case when comparing usernames and passwords. A remote attacker with knowledge of a case-insensitive version of the correct password could possibly use this issue to cause a connection to be reused. (CVE-2016-8616)

It was discovered that curl incorrect handled memory when encoding tobase64. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8617)

It was discovered that curl incorrect handled memory when preparing formatted output. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8618)

It was discovered that curl incorrect handled memory when performing Kerberos authentication. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8619)

Luật Nguyễn discovered that curl incorrectly handled parsing globs. A remote attacker could possibly use this issue to cause curl to crash,resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.(CVE-2016-8620)

Luật Nguyễn discovered that curl incorrectly handled converting dates. A remote attacker could possibly use this issue to cause curl to crash,resulting in a denial of service. (CVE-2016-8621)

It was discovered that curl incorrectly handled URL percent-encoding decoding. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8622)

It was discovered that curl incorrectly handled shared cookies. A remote server could possibly obtain incorrect cookies or other sensitive information. (CVE-2016-8623)

Fernando Muñoz discovered that curl incorrect parsed certain URLs. A remote attacker could possibly use this issue to trick curl into connecting to a different host. (CVE-2016-8624)

Affected Products and Versions

_Severity is medium unless otherwise noted.
_

• Cloud Foundry BOSH stemcells are vulnerable, including:
  • All versions prior to 3151.5
  • 3233.x versions prior to 3233.6
  • 3263.x versions prior to 3263.12
  • 3312.x versions prior to 3312.7
  • All other versions
• All versions of Cloud Foundry cflinuxfs2 prior to v.1.90.0

Mitigation

Users of affected versions should apply the following mitigation:

• The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
  • Upgrade all lower versions of 3151.x to version 3151.5
  • Upgrade all lower versions of 3233.x to version 3233.6
  • Upgrade all lower versions of 3263.x to version 3263.12
  • Upgrade all lower versions of 3312.x to version 3312.7
• The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.90.0 or later versions

Credit

Luật Nguyễn, Fernando Muñoz, Nguyen Vu Hoang

References

• <https://www.ubuntu.com/usn/USN-3123-1&gt;
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7141
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7167
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8615
• <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8616&gt;
• <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8617&gt;
• <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8618&gt;
• <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8619&gt;
• <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8620&gt;
• <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8621&gt;
• <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8622&gt;
• <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8623&gt;
• <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8624&gt;