Debian DSA-5523-1 : curl - security update

2023-10-1100:00:00

www.tenable.com

debian

curl

security

vulnerabilities

heap-based buffer overflow

socks5 proxy handshake

cookie injection vulnerability

libcurl.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

70.7%

JSON

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5523 advisory.

CVE-2023-38545 is a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake in libcurl and curl. When curl is given a hostname to pass along to a SOCKS5 proxy that is greater than 255 bytes in length, it will switch to local name resolution in order to resolve the address before passing it on to the SOCKS5 proxy. However, due to a bug introduced in 2020, this local name resolution could fail due to a slow SOCKS5 handshake, causing curl to pass on the hostname greater than 255 bytes in length into the target buffer, leading to a heap overflow. The advisory for CVE-2023-38545 gives an example exploitation scenario of a malicious HTTPS server redirecting to a specially crafted URL. While it might seem that an attacker would need to influence the slowness of the SOCKS5 handshake, the advisory states that server latency is likely slow enough to trigger this bug. (CVE-2023-38545)
CVE-2023-38546 is a cookie injection vulnerability in the curl_easy_duphandle(), a function in libcurl that duplicates easy handles. When duplicating an easy handle, if cookies are enabled, the duplicated easy handle will not duplicate the cookies themselves, but would instead set the filename to none.’ Therefore, when the duplicated easy handle is subsequently used, if a source was not set for the cookies, libcurl would attempt to load them from the file named none’ on the disk. This vulnerability is rated low, as the various conditions required for exploitation are unlikely. (CVE-2023-38546)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5523. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(182908);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/08");

  script_cve_id("CVE-2023-38545", "CVE-2023-38546");
  script_xref(name:"CEA-ID", value:"CEA-2023-0052");
  script_xref(name:"IAVA", value:"2023-A-0531-S");

  script_name(english:"Debian DSA-5523-1 : curl - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dsa-5523 advisory.

  - CVE-2023-38545 is a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake in libcurl and
    curl.  When curl is given a hostname to pass along to a SOCKS5 proxy that is greater than 255 bytes in
    length, it will switch to local name resolution in order to resolve the address before passing it on to
    the SOCKS5 proxy. However, due to a bug introduced in 2020, this local name resolution could fail due to a
    slow SOCKS5 handshake, causing curl to pass on the hostname greater than 255 bytes in length into the
    target buffer, leading to a heap overflow.  The advisory for CVE-2023-38545 gives an example exploitation
    scenario of a malicious HTTPS server redirecting to a specially crafted URL. While it might seem that an
    attacker would need to influence the slowness of the SOCKS5 handshake, the advisory states that server
    latency is likely slow enough to trigger this bug. (CVE-2023-38545)

  - CVE-2023-38546 is a cookie injection vulnerability in the curl_easy_duphandle(), a function in libcurl
    that duplicates easy handles.  When duplicating an easy handle, if cookies are enabled, the duplicated
    easy handle will not duplicate the cookies themselves, but would instead set the filename to none.'
    Therefore, when the duplicated easy handle is subsequently used, if a source was not set for the cookies,
    libcurl would attempt to load them from the file named none' on the disk.  This vulnerability is rated
    low, as the various conditions required for exploitation are unlikely.  (CVE-2023-38546)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/curl");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2023/dsa-5523");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-38545");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-38546");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/curl");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bookworm/curl");
  script_set_attribute(attribute:"solution", value:
"Upgrade the curl packages.

For the stable distribution (bookworm), these problems have been fixed in version 7.88.1-10+deb12u4.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-38545");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/10/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl3-gnutls");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl3-nss");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-nss-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-openssl-dev");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+|^(12)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0 / 12.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '11.0', 'prefix': 'curl', 'reference': '7.74.0-1.3+deb11u10'},
    {'release': '11.0', 'prefix': 'libcurl3-gnutls', 'reference': '7.74.0-1.3+deb11u10'},
    {'release': '11.0', 'prefix': 'libcurl3-nss', 'reference': '7.74.0-1.3+deb11u10'},
    {'release': '11.0', 'prefix': 'libcurl4', 'reference': '7.74.0-1.3+deb11u10'},
    {'release': '11.0', 'prefix': 'libcurl4-doc', 'reference': '7.74.0-1.3+deb11u10'},
    {'release': '11.0', 'prefix': 'libcurl4-gnutls-dev', 'reference': '7.74.0-1.3+deb11u10'},
    {'release': '11.0', 'prefix': 'libcurl4-nss-dev', 'reference': '7.74.0-1.3+deb11u10'},
    {'release': '11.0', 'prefix': 'libcurl4-openssl-dev', 'reference': '7.74.0-1.3+deb11u10'},
    {'release': '12.0', 'prefix': 'curl', 'reference': '7.88.1-10+deb12u4'},
    {'release': '12.0', 'prefix': 'libcurl3-gnutls', 'reference': '7.88.1-10+deb12u4'},
    {'release': '12.0', 'prefix': 'libcurl3-nss', 'reference': '7.88.1-10+deb12u4'},
    {'release': '12.0', 'prefix': 'libcurl4', 'reference': '7.88.1-10+deb12u4'},
    {'release': '12.0', 'prefix': 'libcurl4-doc', 'reference': '7.88.1-10+deb12u4'},
    {'release': '12.0', 'prefix': 'libcurl4-gnutls-dev', 'reference': '7.88.1-10+deb12u4'},
    {'release': '12.0', 'prefix': 'libcurl4-nss-dev', 'reference': '7.88.1-10+deb12u4'},
    {'release': '12.0', 'prefix': 'libcurl4-openssl-dev', 'reference': '7.88.1-10+deb12u4'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'curl / libcurl3-gnutls / libcurl3-nss / libcurl4 / libcurl4-doc / etc');
}

VendorProductVersionCPE
debiandebian_linux11.0cpe:/o:debian:debian_linux:11.0
debiandebian_linuxlibcurl4p-cpe:/a:debian:debian_linux:libcurl4
debiandebian_linuxcurlp-cpe:/a:debian:debian_linux:curl
debiandebian_linux12.0cpe:/o:debian:debian_linux:12.0
debiandebian_linuxlibcurl3-nssp-cpe:/a:debian:debian_linux:libcurl3-nss
debiandebian_linuxlibcurl4-gnutls-devp-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev
debiandebian_linuxlibcurl4-docp-cpe:/a:debian:debian_linux:libcurl4-doc
debiandebian_linuxlibcurl3-gnutlsp-cpe:/a:debian:debian_linux:libcurl3-gnutls
debiandebian_linuxlibcurl4-nss-devp-cpe:/a:debian:debian_linux:libcurl4-nss-dev
debiandebian_linuxlibcurl4-openssl-devp-cpe:/a:debian:debian_linux:libcurl4-openssl-dev

Vendor	Product	Version	CPE
debian	debian_linux	11.0	cpe:/o:debian:debian_linux:11.0
debian	debian_linux	libcurl4	p-cpe:/a:debian:debian_linux:libcurl4
debian	debian_linux	curl	p-cpe:/a:debian:debian_linux:curl
debian	debian_linux	12.0	cpe:/o:debian:debian_linux:12.0
debian	debian_linux	libcurl3-nss	p-cpe:/a:debian:debian_linux:libcurl3-nss
debian	debian_linux	libcurl4-gnutls-dev	p-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev
debian	debian_linux	libcurl4-doc	p-cpe:/a:debian:debian_linux:libcurl4-doc
debian	debian_linux	libcurl3-gnutls	p-cpe:/a:debian:debian_linux:libcurl3-gnutls
debian	debian_linux	libcurl4-nss-dev	p-cpe:/a:debian:debian_linux:libcurl4-nss-dev
debian	debian_linux	libcurl4-openssl-dev	p-cpe:/a:debian:debian_linux:libcurl4-openssl-dev