Lucene search

HistoryMar 20, 2023 - 12:00 a.m.

CBL Mariner 2.0 Security Update: cmake / curl (CVE-2022-43551)

2023-03-2000:00:00

www.tenable.com

The version of cmake / curl installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-43551 advisory.

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP.
Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) .. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded. (CVE-2022-43551)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(172765);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/08/30");

  script_cve_id("CVE-2022-43551");
  script_xref(name:"IAVA", value:"2023-A-0008-S");

  script_name(english:"CBL Mariner 2.0 Security Update: cmake / curl (CVE-2022-43551)");

  script_set_attribute(attribute:"synopsis", value:
"The remote CBL Mariner host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of cmake / curl installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore,
affected by a vulnerability as referenced in the CVE-2022-43551 advisory.

  - A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP.
    Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP
    step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name
    in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN
    conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full
    stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text
    transfer. Because it would store the info IDN encoded but look for it IDN decoded. (CVE-2022-43551)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-43551");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-43551");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:cmake");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:cmake-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:curl-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:curl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:curl-libs");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:microsoft:cbl-mariner");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MarinerOS Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CBLMariner/release", "Host/CBLMariner/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item('Host/CBLMariner/release');
if (isnull(release) || 'CBL-Mariner' >!< release) audit(AUDIT_OS_NOT, 'CBL-Mariner');
var os_ver = pregmatch(pattern: "CBL-Mariner ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CBL-Mariner');
os_ver = os_ver[1];
if (! preg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'CBL-Mariner 2.0', 'CBL-Mariner ' + os_ver);

if (!get_kb_item('Host/CBLMariner/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu)
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CBL-Mariner', cpu);

var pkgs = [
    {'reference':'cmake-3.21.4-3.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cmake-3.21.4-3.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cmake-debuginfo-3.21.4-3.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cmake-debuginfo-3.21.4-3.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'curl-7.86.0-2.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'curl-7.86.0-2.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'curl-debuginfo-7.86.0-2.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'curl-debuginfo-7.86.0-2.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'curl-devel-7.86.0-2.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'curl-devel-7.86.0-2.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'curl-libs-7.86.0-2.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'curl-libs-7.86.0-2.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'CBLMariner-' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cmake / cmake-debuginfo / curl / curl-debuginfo / curl-devel / etc');
}

VendorProductVersionCPE
microsoftcbl-marinercmakep-cpe:/a:microsoft:cbl-mariner:cmake
microsoftcbl-marinercmake-debuginfop-cpe:/a:microsoft:cbl-mariner:cmake-debuginfo
microsoftcbl-marinercurlp-cpe:/a:microsoft:cbl-mariner:curl
microsoftcbl-marinercurl-debuginfop-cpe:/a:microsoft:cbl-mariner:curl-debuginfo
microsoftcbl-marinercurl-develp-cpe:/a:microsoft:cbl-mariner:curl-devel
microsoftcbl-marinercurl-libsp-cpe:/a:microsoft:cbl-mariner:curl-libs
microsoftcbl-marinerx-cpe:/o:microsoft:cbl-mariner

Vendor	Product	Version	CPE
microsoft	cbl-mariner	cmake	p-cpe:/a:microsoft:cbl-mariner:cmake
microsoft	cbl-mariner	cmake-debuginfo	p-cpe:/a:microsoft:cbl-mariner:cmake-debuginfo
microsoft	cbl-mariner	curl	p-cpe:/a:microsoft:cbl-mariner:curl
microsoft	cbl-mariner	curl-debuginfo	p-cpe:/a:microsoft:cbl-mariner:curl-debuginfo
microsoft	cbl-mariner	curl-devel	p-cpe:/a:microsoft:cbl-mariner:curl-devel
microsoft	cbl-mariner	curl-libs	p-cpe:/a:microsoft:cbl-mariner:curl-libs
microsoft	cbl-mariner		x-cpe:/o:microsoft:cbl-mariner

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43551

nvd.nist.gov/vuln/detail/CVE-2022-43551

JSON

Related for MARINER_CMAKE_CURL_CVE-2022-43551.NASL