Nessus plugin: CURL_WIN_CVE-2022-43552.NASL
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Feb 23, 2023 - 12:00 a.m.

Curl Use-After-Free < 7.87 (CVE-2022-43552)

www.tenable.com

The version of Curl installed on the remote host is prior to 7.87.0 and is therefore affected by a use-after-free vulnerability. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy, and HTTP proxies can (and often do) deny such tunnel operations. When a tunnel for the SMB or TELNET protocols was denied, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(171859);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/01");

  script_cve_id("CVE-2022-43552");
  script_xref(name:"IAVA", value:"2023-A-0008-S");

  script_name(english:"Curl Use-After-Free < 7.87 (CVE-2022-43552)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has a program that is affected by a use-after-free vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Curl installed on the remote host is prior to 7.87.0. It is therefore affected by a use-after-free
vulnerability. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP
proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols
SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code
path.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://curl.se/docs/CVE-2022-43552.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade Curl to version 7.87.0 or later");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-43552");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/12/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/02/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:haxx:curl");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("curl_win_installed.nbin");
  script_require_keys("installed_sw/Curl", "SMB/Registry/Enumerated");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Curl', win_local:TRUE);

var constraints = [{'min_version': '7.16.0', 'max_version': '7.86.0', 'fixed_version' : '7.87.0' }];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

Vendor | Product | Version | CPE
haxx   | curl    |         | cpe:/a:haxx:curl
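
Because the plugin relies only on the self-reported version, a local triage check can also record whether a build includes the two protocols the description names. The following is an added example, not Tenable's or curl's code; it assumes the usual `curl --version` layout (a `curl X.Y.Z` banner and a `Protocols:` line), and the sample outputs and function names are constructed for illustration.

```python
import re

# Range from the plugin's constraints: 7.16.0 <= version <= 7.86.0 (fixed in 7.87.0).
MIN_VERSION, MAX_VERSION = (7, 16, 0), (7, 86, 0)
# Protocols the description names as reaching the use-after-free.
AFFECTED_PROTOCOLS = {"smb", "telnet"}

# Constructed sample `curl --version` outputs (not captured from real hosts).
SAMPLE_FULL = (
    "curl 7.86.0 (x86_64-pc-win32) libcurl/7.86.0 Schannel\r\n"
    "Release-Date: 2022-10-26\r\n"
    "Protocols: dict file ftp http https imap smb smbs smtp telnet tftp\r\n"
    "Features: AsynchDNS IPv6 SSL\r\n"
)
SAMPLE_SLIM = (
    "curl 7.83.1 (Windows) libcurl/7.83.1 Schannel\n"
    "Protocols: dict file ftp ftps http https imap pop3 smtp tftp\n"
)
SAMPLE_FIXED = "curl 7.87.0 (x86_64-pc-win32) libcurl/7.87.0\nProtocols: http https smb telnet\n"


def parse_curl_version(output):
    """Return (version tuple, set of protocols) parsed from `curl --version` text."""
    banner = re.search(r"^curl (\d+)\.(\d+)\.(\d+)", output, re.MULTILINE)
    if banner is None:
        raise ValueError("no 'curl X.Y.Z' banner found")
    version = tuple(int(part) for part in banner.groups())
    protos = re.search(r"^Protocols:(.*)$", output, re.MULTILINE)
    # split() also discards the trailing '\r' left by Windows line endings.
    protocols = set(protos.group(1).lower().split()) if protos else set()
    return version, protocols


def assess(output):
    """Apply the plugin's version range, then note which named protocols are built in."""
    version, protocols = parse_curl_version(output)
    in_range = MIN_VERSION <= version <= MAX_VERSION
    return {
        "version": ".".join(str(n) for n in version),
        "version_in_range": in_range,
        # Only meaningful when the version is in range.
        "affected_protocols": sorted(protocols & AFFECTED_PROTOCOLS) if in_range else [],
    }


if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_SLIM, SAMPLE_FIXED):
        print(assess(sample))
```

A host whose version is in range but whose build lists neither protocol still needs the upgrade the plugin recommends; the protocol list only helps rank hosts for remediation.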