Curl 8.5.0 < 8.7.0 TLS Certificate Check Bypass (CVE-2024-2466)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(192706);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/19");

  script_cve_id("CVE-2024-2466");
  script_xref(name:"IAVA", value:"2024-A-0185");

  script_name(english:"Curl 8.5.0 < 8.7.0 TLS Certificate Check Bypass (CVE-2024-2466)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a program that is affected by a certificate check bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Curl installed on the remote host is between 8.5.0 and prior to 8.7.0. It is, therefore, affected by a
certificate check bypass vulnerability. libcurl did not check the server certificate of TLS connections done to a host 
specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when 
the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects 
all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://curl.se/docs/CVE-2024-2466.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade Curl to version 8.7.0 or later");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-2466");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/03/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/03/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:haxx:curl");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("curl_win_installed.nbin", "curl_nix_installed.nbin");
  script_require_keys("installed_sw/Curl");

  exit(0);
}

include('vcf.inc');

var win_local;
if (!empty_or_null(get_kb_item('SMB/Registry/Enumerated')))
  win_local = TRUE;
else
  win_local = FALSE;

var app_info = vcf::get_app_info(app:'Curl', win_local:win_local);

vcf::check_all_backporting(app_info:app_info);

var constraints = [ 
  {'min_version': '8.5.0', 'fixed_version': '8.7.0'} 
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);