Debian DSA-5330-1 : curl - security update

2023-01-2800:00:00

www.tenable.com

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5330 advisory.

An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
(CVE-2022-27774)
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. (CVE-2022-32221)
No description is available for this CVE. (CVE-2022-43551) (CVE-2022-43552)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5330. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(170753);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/06");

  script_cve_id("CVE-2022-27774", "CVE-2022-32221", "CVE-2022-43552");
  script_xref(name:"IAVA", value:"2022-A-0451-S");
  script_xref(name:"IAVA", value:"2023-A-0008-S");

  script_name(english:"Debian DSA-5330-1 : curl - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dsa-5330 advisory.

  - An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are
    affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with
    authentication could leak credentials to other services that exist on different protocols or port numbers.
    (CVE-2022-27774)

  - When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to
    ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle
    previously was used to issue a `PUT` request which used that callback. This flaw may surprise the
    application and cause it to misbehave and either send off the wrong data or use memory after free or
    similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is
    changed from a PUT to a POST. (CVE-2022-32221)

  - No description is available for this CVE. (CVE-2022-43551) (CVE-2022-43552)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/curl");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2023/dsa-5330");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-27774");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-32221");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-43552");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/curl");
  script_set_attribute(attribute:"solution", value:
"Upgrade the curl packages.

For the stable distribution (bullseye), these problems have been fixed in version 7.74.0-1.3+deb11u5.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-27774");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-32221");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/01/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl3-gnutls");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl3-nss");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-nss-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-openssl-dev");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '11.0', 'prefix': 'curl', 'reference': '7.74.0-1.3+deb11u5'},
    {'release': '11.0', 'prefix': 'libcurl3-gnutls', 'reference': '7.74.0-1.3+deb11u5'},
    {'release': '11.0', 'prefix': 'libcurl3-nss', 'reference': '7.74.0-1.3+deb11u5'},
    {'release': '11.0', 'prefix': 'libcurl4', 'reference': '7.74.0-1.3+deb11u5'},
    {'release': '11.0', 'prefix': 'libcurl4-doc', 'reference': '7.74.0-1.3+deb11u5'},
    {'release': '11.0', 'prefix': 'libcurl4-gnutls-dev', 'reference': '7.74.0-1.3+deb11u5'},
    {'release': '11.0', 'prefix': 'libcurl4-nss-dev', 'reference': '7.74.0-1.3+deb11u5'},
    {'release': '11.0', 'prefix': 'libcurl4-openssl-dev', 'reference': '7.74.0-1.3+deb11u5'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_NOTE,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'curl / libcurl3-gnutls / libcurl3-nss / libcurl4 / libcurl4-doc / etc');
}

VendorProductVersionCPE
debiandebian_linuxcurlp-cpe:/a:debian:debian_linux:curl
debiandebian_linuxlibcurl3-gnutlsp-cpe:/a:debian:debian_linux:libcurl3-gnutls
debiandebian_linuxlibcurl3-nssp-cpe:/a:debian:debian_linux:libcurl3-nss
debiandebian_linuxlibcurl4p-cpe:/a:debian:debian_linux:libcurl4
debiandebian_linuxlibcurl4-docp-cpe:/a:debian:debian_linux:libcurl4-doc
debiandebian_linuxlibcurl4-gnutls-devp-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev
debiandebian_linuxlibcurl4-nss-devp-cpe:/a:debian:debian_linux:libcurl4-nss-dev
debiandebian_linuxlibcurl4-openssl-devp-cpe:/a:debian:debian_linux:libcurl4-openssl-dev
debiandebian_linux11.0cpe:/o:debian:debian_linux:11.0

Vendor	Product	Version	CPE
debian	debian_linux	curl	p-cpe:/a:debian:debian_linux:curl
debian	debian_linux	libcurl3-gnutls	p-cpe:/a:debian:debian_linux:libcurl3-gnutls
debian	debian_linux	libcurl3-nss	p-cpe:/a:debian:debian_linux:libcurl3-nss
debian	debian_linux	libcurl4	p-cpe:/a:debian:debian_linux:libcurl4
debian	debian_linux	libcurl4-doc	p-cpe:/a:debian:debian_linux:libcurl4-doc
debian	debian_linux	libcurl4-gnutls-dev	p-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev
debian	debian_linux	libcurl4-nss-dev	p-cpe:/a:debian:debian_linux:libcurl4-nss-dev
debian	debian_linux	libcurl4-openssl-dev	p-cpe:/a:debian:debian_linux:libcurl4-openssl-dev
debian	debian_linux	11.0	cpe:/o:debian:debian_linux:11.0