Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-4881.NASL
HistoryApr 01, 2021 - 12:00 a.m.

Debian DSA-4881-1 : curl - security update

2021-04-0100:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
11

7.5 High

AI Score

Confidence

Low

JSON

Multiple vulnerabilities were discovered in cURL, an URL transfer library :

  • CVE-2020-8169 Marek Szlagor reported that libcurl could be tricked into prepending a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).

  • CVE-2020-8177 sn reported that curl could be tricked by a malicious server into overwriting a local file when using the -J (–remote-header-name) and -i (–include) options in the same command line.

  • CVE-2020-8231 Marc Aldorasi reported that libcurl might use the wrong connection when an application using libcurl’s multi API sets the option CURLOPT_CONNECT_ONLY, which could lead to information leaks.

  • CVE-2020-8284 Varnavas Papaioannou reported that a malicious server could use the PASV response to trick curl into connecting back to an arbitrary IP address and port, potentially making curl extract information about services that are otherwise private and not disclosed.

  • CVE-2020-8285 xnynx reported that libcurl could run out of stack space when using the FTP wildcard matching functionality (CURLOPT_CHUNK_BGN_FUNCTION).

  • CVE-2020-8286 It was reported that libcurl didn’t verify that an OCSP response actually matches the certificate it is intended to.

  • CVE-2021-22876 Viktor Szakats reported that libcurl does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests.

  • CVE-2021-22890 Mingtao Yang reported that, when using an HTTPS proxy and TLS 1.3, libcurl could confuse session tickets arriving from the HTTPS proxy as if they arrived from the remote server instead. This could allow an HTTPS proxy to trick libcurl into using the wrong session ticket for the host and thereby circumvent the server TLS certificate check.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-4881. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(148277);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/16");

  script_cve_id(
    "CVE-2020-8169",
    "CVE-2020-8177",
    "CVE-2020-8231",
    "CVE-2020-8284",
    "CVE-2020-8285",
    "CVE-2020-8286",
    "CVE-2021-22876",
    "CVE-2021-22890"
  );
  script_xref(name:"DSA", value:"4881");
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");

  script_name(english:"Debian DSA-4881-1 : curl - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:
"Multiple vulnerabilities were discovered in cURL, an URL transfer
library :

  - CVE-2020-8169
    Marek Szlagor reported that libcurl could be tricked
    into prepending a part of the password to the host name
    before it resolves it, potentially leaking the partial
    password over the network and to the DNS server(s).

  - CVE-2020-8177
    sn reported that curl could be tricked by a malicious
    server into overwriting a local file when using the -J
    (--remote-header-name) and -i (--include) options in the
    same command line.

  - CVE-2020-8231
    Marc Aldorasi reported that libcurl might use the wrong
    connection when an application using libcurl's multi API
    sets the option CURLOPT_CONNECT_ONLY, which could lead
    to information leaks.

  - CVE-2020-8284
    Varnavas Papaioannou reported that a malicious server
    could use the PASV response to trick curl into
    connecting back to an arbitrary IP address and port,
    potentially making curl extract information about
    services that are otherwise private and not disclosed.

  - CVE-2020-8285
    xnynx reported that libcurl could run out of stack space
    when using the FTP wildcard matching functionality
    (CURLOPT_CHUNK_BGN_FUNCTION).

  - CVE-2020-8286
    It was reported that libcurl didn't verify that an OCSP
    response actually matches the certificate it is intended
    to.

  - CVE-2021-22876
    Viktor Szakats reported that libcurl does not strip off
    user credentials from the URL when automatically
    populating the Referer HTTP request header field in
    outgoing HTTP requests.

  - CVE-2021-22890
    Mingtao Yang reported that, when using an HTTPS proxy
    and TLS 1.3, libcurl could confuse session tickets
    arriving from the HTTPS proxy as if they arrived from
    the remote server instead. This could allow an HTTPS
    proxy to trick libcurl into using the wrong session
    ticket for the host and thereby circumvent the server
    TLS certificate check.");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965280");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965281");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968831");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977161");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977162");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977163");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-8169");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-8177");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-8231");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-8284");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-8285");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-8286");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-22876");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-22890");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/curl");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/curl");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2021/dsa-4881");
  script_set_attribute(attribute:"solution", value:
"Upgrade the curl packages.

For the stable distribution (buster), these problems have been fixed
in version 7.64.0-4+deb10u2.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-22876");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-8177");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/12/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/03/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/04/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:curl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"10.0", prefix:"curl", reference:"7.64.0-4+deb10u2")) flag++;
if (deb_check(release:"10.0", prefix:"libcurl3-gnutls", reference:"7.64.0-4+deb10u2")) flag++;
if (deb_check(release:"10.0", prefix:"libcurl3-nss", reference:"7.64.0-4+deb10u2")) flag++;
if (deb_check(release:"10.0", prefix:"libcurl4", reference:"7.64.0-4+deb10u2")) flag++;
if (deb_check(release:"10.0", prefix:"libcurl4-doc", reference:"7.64.0-4+deb10u2")) flag++;
if (deb_check(release:"10.0", prefix:"libcurl4-gnutls-dev", reference:"7.64.0-4+deb10u2")) flag++;
if (deb_check(release:"10.0", prefix:"libcurl4-nss-dev", reference:"7.64.0-4+deb10u2")) flag++;
if (deb_check(release:"10.0", prefix:"libcurl4-openssl-dev", reference:"7.64.0-4+deb10u2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
debiandebian_linuxcurlp-cpe:/a:debian:debian_linux:curl
debiandebian_linux10.0cpe:/o:debian:debian_linux:10.0

References

Related

debian 2
osv 8
openvas 47
nessus 70
gentoo 3
redhat 3
amazon 1
almalinux 1
cloudfoundry 3
ubuntu 5
rocky 1
oraclelinux 1
mageia 3
fedora 8
ibm 10
photon 8
suse 5
freebsd 3
slackware 3
ics 1
hackerone 1
veracode 2
redhatcve 2
broadcom 1
cbl_mariner 1
debiancve 1
cloudlinux 1
prion 1
alpinelinux 1
ubuntucve 1
cve 1
debian
debian
[SECURITY] [DSA 4881-1] curl security update
2021-03-31 09:30:31
[SECURITY] [DLA 2500-1] curl security update
2020-12-19 02:59:56
osv
osv
curl - security update
2021-03-30 00:00:00
Moderate: curl security and bug fix update
2021-05-18 05:39:00
curl vulnerabilities
2020-12-09 12:10:47
openvas
openvas
Debian: Security Advisory (DSA-4881-1)
2021-04-01 00:00:00
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2021-1596)
2021-03-12 00:00:00
Mageia: Security Advisory (MGASA-2020-0482)
2022-01-28 00:00:00
nessus
nessus
EulerOS Virtualization 2.9.1 : curl (EulerOS-SA-2021-1596)
2021-03-10 00:00:00
Amazon Linux 2 : curl (ALAS-2021-1693)
2021-08-06 00:00:00
AlmaLinux 8 : curl (ALSA-2021:1610)
2022-02-09 00:00:00
gentoo
gentoo
cURL: Multiple vulnerabilities
2020-12-23 00:00:00
cURL: Multiple vulnerabilities
2020-07-26 00:00:00
cURL: Multiple vulnerabilities
2021-05-26 00:00:00
redhat
redhat
(RHSA-2021:1610) Moderate: curl security and bug fix update
2021-05-18 05:39:00
(RHSA-2021:2472) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 security update
2021-06-17 11:33:18
(RHSA-2021:2471) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 security update
2021-06-17 11:31:22
amazon
amazon
Medium: curl
2021-08-04 20:32:00
almalinux
almalinux
Moderate: curl security and bug fix update
2021-05-18 05:39:00
cloudfoundry
cloudfoundry
USN-4665-1: curl vulnerabilities | Cloud Foundry
2021-01-12 00:00:00
USN-4898-1: curl vulnerabilities | Cloud Foundry
2021-04-29 00:00:00
USN-4402-1: curl vulnerabilities | Cloud Foundry
2020-07-22 00:00:00
ubuntu
ubuntu
curl vulnerabilities
2020-12-09 00:00:00
curl vulnerabilities
2021-03-31 00:00:00
curl vulnerabilities
2020-06-24 00:00:00
rocky
rocky
curl security and bug fix update
2021-05-18 05:39:00
oraclelinux
oraclelinux
curl security and bug fix update
2021-05-25 00:00:00
mageia
mageia
Updated curl packages fix security vulnerabilities
2020-12-31 17:32:44
Updated curl packages fix security vulnerability
2020-07-05 22:48:23
Updated curl packages fix security vulnerabilities
2021-04-12 22:59:59
fedora
fedora
[SECURITY] Fedora 33 Update: curl-7.71.1-8.fc33
2020-12-15 01:22:19
[SECURITY] Fedora 32 Update: curl-7.69.1-7.fc32
2020-12-21 01:36:25
[SECURITY] Fedora 34 Update: curl-7.76.0-1.fc34
2021-04-06 00:16:51
ibm
ibm
Security Bulletin: cURL libcurl vulnerabilites impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.0 and earlier (CVE-2020-8284, CVE-2020-8286, CVE-2020-8285)
2021-06-04 16:40:33
Security Bulletin: cURL libcurl vulnerabilites impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0 and earlier (CVE-2020-8284, CVE-2020-8286, CVE-2020-8285)
2021-06-04 01:09:08
Security Bulletin: Security Vulnerabilities affect IBM Cloud Private - curl (Multiple CVEs)
2022-04-22 12:50:25
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-1.0-0346
2020-12-10 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-2.0-0304
2020-12-10 00:00:00
Important Photon OS Security Update - PHSA-2020-0346
2020-12-10 00:00:00
suse
suse
Security update for curl (moderate)
2020-12-13 00:00:00
Security update for curl (moderate)
2020-12-14 00:00:00
Security update for curl (moderate)
2021-04-05 00:00:00
freebsd
freebsd
cURL -- Multiple vulnerabilities
2020-12-09 00:00:00
curl -- multiple vulnerabilities
2020-06-24 00:00:00
curl -- TLS 1.3 session ticket proxy host mixup
2021-03-31 00:00:00
slackware
slackware
[slackware-security] curl
2020-12-09 21:22:01
[slackware-security] curl
2021-04-01 01:05:48
[slackware-security] curl
2020-06-24 20:40:25
ics
ics
Siemens SIMATIC TIM libcurl
2021-06-29 12:00:00
hackerone
hackerone
curl: CVE-2021-22890: TLS 1.3 session ticket proxy host mixup
2021-03-17 18:30:33
veracode
veracode
Man-in-the-Middle (MITM) Attack
2021-04-01 00:29:32
Information Disclosure
2021-04-01 00:29:21
redhatcve
redhatcve
CVE-2021-22890
2021-03-31 10:08:44
CVE-2021-22876
2021-03-31 10:08:39
broadcom
broadcom
curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection
2023-06-12 00:00:00
cbl_mariner
cbl_mariner
CVE-2021-22890 affecting package curl 7.74.0-1
2021-08-11 06:39:26
debiancve
debiancve
CVE-2021-22890
2021-04-01 18:15:00
cloudlinux
cloudlinux
Fix of CVE-2021-22876
2021-04-01 14:02:42
prion
prion
Design/Logic Flaw
2021-04-01 18:15:00
alpinelinux
alpinelinux
CVE-2021-22890
2021-04-01 18:15:00
ubuntucve
ubuntucve
CVE-2021-22890
2021-03-31 00:00:00
cve
cve
CVE-2021-22890
2021-04-01 18:15:00

7.5 High

AI Score

Confidence

Low

JSON
Related for DEBIAN_DSA-4881.NASL
debian2osv8openvas47nessus70gentoo3redhat3amazon1almalinux1cloudfoundry3ubuntu5rocky1oraclelinux1mageia3fedora8ibm10photon8suse5freebsd3slackware3ics1hackerone1veracode2redhatcve2broadcom1cbl_mariner1debiancve1cloudlinux1prion1alpinelinux1ubuntucve1cve1