MiracleLinux 7 : curl-7.29.0-25.0.1.el7.AXS7 (AXSA:2015-843:01)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2015-843:01.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(289422);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/16");

  script_cve_id(
    "CVE-2014-3613",
    "CVE-2014-3707",
    "CVE-2014-8150",
    "CVE-2015-3143",
    "CVE-2015-3148"
  );
  script_xref(name:"IAVB", value:"2016-B-0054-S");

  script_name(english:"MiracleLinux 7 : curl-7.29.0-25.0.1.el7.AXS7 (AXSA:2015-843:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2015-843:01 advisory.

    curl is a command line tool for transferring data with URL syntax, supporting
    FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
    SMTP, POP3 and RTSP.  curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
    uploading, HTTP form based upload, proxies, cookies, user password
    authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
    resume, proxy tunneling and a busload of other useful tricks.
    Security issues fixed with this release:
    CVE-2014-3613
    cURL and libcurl before 7.38.0 does not properly handle IP addresses
    in cookie domain names, which allows remote attackers to set cookies
    for or send arbitrary cookies to certain sites, as demonstrated by a
    site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
    CVE-2014-3707
    The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0,
    when running with the CURLOPT_COPYPOSTFIELDS option, does not properly
    copy HTTP POST data for an easy handle, which triggers an
    out-of-bounds read that allows remote web servers to read sensitive
    memory information.
    CVE-2014-8150
    CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0,
    when using an HTTP proxy, allows remote attackers to inject arbitrary
    HTTP headers and conduct HTTP response splitting attacks via CRLF
    sequences in a URL.
    CVE-2015-3143
    cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM
    connections, which allows remote attackers to connect as other users
    via an unauthenticated request, a similar issue to CVE-2014-0015.
    CVE-2015-3148
    cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use
    authenticated Negotiate connections, which allows remote attackers to
    connect as other users via a request.
    Fixed bugs:
    * An out-of-protocol fallback to SSL 3.0 was available with libcurl. Attackers could abuse the fallback to
    force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this
    functionality can explicitly enable SSL 3.0 through the libcurl API.
    * TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can explicitly disable them
    through the libcurl API.
    * FTP operations such as downloading files took a significantly long time to complete. Now, the FTP
    implementation in libcurl correctly sets blocking direction and estimated timeout for connections,
    resulting in faster FTP transfers.
    Enhancements:
    * With the updated packages, it is possible to explicitly enable or disable new Advanced Encryption
    Standard (AES) cipher suites to be used for the TLS protocol.
    * The libcurl library did not implement a non-blocking SSL handshake, which negatively affected
    performance of applications based on the libcurl multi API. The non-blocking SSL handshake has been
    implemented in libcurl, and the libcurl multi API now immediately returns the control back to the
    application whenever it cannot read or write data from or to the underlying network socket.
    * The libcurl library used an unnecessarily long blocking delay for actions with no active file
    descriptors, even for short operations. Some actions, such as resolving a host name using /etc/hosts, took
    a long time to complete. The blocking code in libcurl has been modified so that the initial delay is short
    and gradually increases until an event occurs.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/6231");
  script_set_attribute(attribute:"solution", value:
"Update the affected curl, libcurl and / or libcurl-devel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-3148");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_severity", value:"Moderate");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/12/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libcurl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libcurl-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:7");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^7([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 7.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '7',
    'pkgs': [
      {'reference':'curl-7.29.0-25.0.1.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libcurl-7.29.0-25.0.1.el7.AXS7', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libcurl-7.29.0-25.0.1.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libcurl-devel-7.29.0-25.0.1.el7.AXS7', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libcurl-devel-7.29.0-25.0.1.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'curl / libcurl / libcurl-devel');
}