According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
(CVE-2022-27774)
A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number. (CVE-2022-27776)
curl < 7.84.0 supports ‘chained’ HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable ‘links’ in this ‘decompression chain’ was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a ‘malloc bomb’, makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors. (CVE-2022-32206)
When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly.
This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. (CVE-2022-32208)
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION
) to ask for data to send, even when the CURLOPT_POSTFIELDS
option has been set, if the same handle previously was used to issue a PUT
request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST
request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. (CVE-2022-32221)
When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses.
Effectively allowing a’sister site’ to deny service to all siblings. (CVE-2022-35252)
A use after free vulnerability exists in curl <7.87.0. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the ‘chained’ HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable ‘links’ in this ‘decompression chain’ wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a ‘malloc bomb’, making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors. (CVE-2023-23916)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(177190);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/06/19");
script_cve_id(
"CVE-2022-27774",
"CVE-2022-27776",
"CVE-2022-32206",
"CVE-2022-32208",
"CVE-2022-32221",
"CVE-2022-35252",
"CVE-2022-43552",
"CVE-2023-23916"
);
script_xref(name:"IAVA", value:"2022-A-0451-S");
script_xref(name:"IAVA", value:"2023-A-0008-S");
script_xref(name:"IAVA", value:"2022-A-0255-S");
script_xref(name:"IAVA", value:"2022-A-0350-S");
script_xref(name:"CEA-ID", value:"CEA-2022-0026");
script_name(english:"EulerOS Virtualization 3.0.6.0 : curl (EulerOS-SA-2023-2235)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is
affected by the following vulnerabilities :
- An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are
affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with
authentication could leak credentials to other services that exist on different protocols or port numbers.
(CVE-2022-27774)
- A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or
cookie header data on HTTP redirects to the same host but another port number. (CVE-2022-27776)
- curl < 7.84.0 supports 'chained' HTTP compression algorithms, meaning that a serverresponse can be
compressed multiple times and potentially with different algorithms. The number of acceptable 'links' in
this 'decompression chain' was unbounded, allowing a malicious server to insert a virtually unlimited
number of compression steps.The use of such a decompression chain could result in a 'malloc bomb',
makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of
memory errors. (CVE-2022-32206)
- When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly.
This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject
data to the client. (CVE-2022-32208)
- When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to
ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle
previously was used to issue a `PUT` request which used that callback. This flaw may surprise the
application and cause it to misbehave and either send off the wrong data or use memory after free or
similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is
changed from a PUT to a POST. (CVE-2022-32221)
- When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control
codes that when later are sent back to a HTTPserver might make the server return 400 responses.
Effectively allowing a'sister site' to deny service to all siblings. (CVE-2022-35252)
- A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all
protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct
after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)
- An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the
'chained' HTTP compression algorithms, meaning that a server response can be compressed multiple times and
potentially with differentalgorithms. The number of acceptable 'links' in this 'decompression chain'
wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a
virtually unlimited number of compression steps simply byusing many headers. The use of such a
decompression chain could result in a 'malloc bomb', making curl end up spending enormous amounts of
allocated heap memory, or trying to and returning out of memory errors. (CVE-2023-23916)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2023-2235
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?926ff7d2");
script_set_attribute(attribute:"solution", value:
"Update the affected curl packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-32208");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-32221");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/28");
script_set_attribute(attribute:"patch_publication_date", value:"2023/06/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/06/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:curl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libcurl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libcurl-devel");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.6.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.6.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.6.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
var flag = 0;
var pkgs = [
"curl-7.61.1-2.h28.eulerosv2r8",
"libcurl-7.61.1-2.h28.eulerosv2r8",
"libcurl-devel-7.61.1-2.h28.eulerosv2r8"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32221
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35252
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43552
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23916
www.nessus.org/u?926ff7d2