According to the versions of the curl package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.(CVE-2018-1000120)
A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.(CVE-2018-1000121)
A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage(CVE-2018-1000122)
curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2018-1000301)
curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2016-9586)
libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the PWD
command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses.
Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e 7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.i1/4^CVE-2017-1000254i1/4%0
The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an ‘[’ character.The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an ‘[’ character.i1/4^CVE-2017-8817i1/4%0
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(118418);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/02/03");
script_cve_id(
"CVE-2016-9586",
"CVE-2017-8817",
"CVE-2017-1000254",
"CVE-2018-1000120",
"CVE-2018-1000121",
"CVE-2018-1000122",
"CVE-2018-1000301"
);
script_name(english:"EulerOS Virtualization 2.5.0 : curl (EulerOS-SA-2018-1330)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the curl package installed, the EulerOS
Virtualization installation on the remote host is affected by the
following vulnerabilities :
- It was found that libcurl did not safely parse FTP URLs
when using the CURLOPT_FTP_FILEMETHOD method. An
attacker, able to provide a specially crafted FTP URL
to an application using libcurl, could write a NULL
byte at an arbitrary location, resulting in a crash, or
an unspecified behavior.(CVE-2018-1000120)
- A NULL pointer dereference flaw was found in the way
libcurl checks values returned by the openldap
ldap_get_attribute_ber() function. A malicious LDAP
server could use this flaw to crash a libcurl client
application via a specially crafted LDAP
reply.(CVE-2018-1000121)
- A buffer over-read exists in curl 7.20.0 to and
including curl 7.58.0 in the RTSP+RTP handling code
that allows an attacker to cause a denial of service or
information leakage(CVE-2018-1000122)
- curl version curl 7.20.0 to and including curl 7.59.0
contains a Buffer Over-read vulnerability in denial of
service that can result in curl can be tricked into
reading data beyond the end of a heap based buffer used
to store downloaded rtsp content.(CVE-2018-1000301)
- curl version curl 7.20.0 to and including curl 7.59.0
contains a Buffer Over-read vulnerability in denial of
service that can result in curl can be tricked into
reading data beyond the end of a heap based buffer used
to store downloaded rtsp content.(CVE-2016-9586)
- libcurl may read outside of a heap allocated buffer
when doing FTP. When libcurl connects to an FTP server
and successfully logs in (anonymous or not), it asks
the server for the current directory with the `PWD`
command. The server then responds with a 257 response
containing the path, inside double quotes. The returned
path name is then kept by libcurl for subsequent uses.
Due to a flaw in the string parser for this directory
name, a directory name passed like this but without a
closing double quote would lead to libcurl not adding a
trailing NUL byte to the buffer holding the name. When
libcurl would then later access the string, it could
read beyond the allocated heap buffer and crash or
wrongly access data beyond the buffer, thinking it was
part of the path. A malicious server could abuse this
fact and effectively prevent libcurl-based clients to
work with it - the PWD command is always issued on new
FTP connections and the mistake has a high chance of
causing a segfault. The simple fact that this has issue
remained undiscovered for this long could suggest that
malformed PWD responses are rare in benign servers. We
are not aware of any exploit of this flaw. This bug was
introduced in commit
[415d2e7cb7](https://github.com/curl/curl/commit/415d2e
7cb7), March 2005. In libcurl version 7.56.0, the
parser always zero terminates the string but also
rejects it if not terminated properly with a final
double quote.i1/4^CVE-2017-1000254i1/4%0
- The FTP wildcard function in curl and libcurl before
7.57.0 allows remote attackers to cause a denial of
service (out-of-bounds read and application crash) or
possibly have unspecified other impact via a string
that ends with an '[' character.The FTP wildcard
function in curl and libcurl before 7.57.0 allows
remote attackers to cause a denial of service
(out-of-bounds read and application crash) or possibly
have unspecified other impact via a string that ends
with an '[' character.i1/4^CVE-2017-8817i1/4%0
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1330
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4aa41f3c");
script_set_attribute(attribute:"solution", value:
"Update the affected curl packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1000120");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"patch_publication_date", value:"2018/09/27");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/26");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:curl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.5.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.5.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.5.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["curl-7.29.0-35.h7"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9586
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000120
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000121
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000122
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000301
www.nessus.org/u?4aa41f3c