9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
Low
0.003 Low
EPSS
Percentile
70.7%
The version of curl installed on the remote host is prior to 8.4.0. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2023-284-01 advisory.
CVE-2023-38545 is a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake in libcurl and curl. When curl is given a hostname to pass along to a SOCKS5 proxy that is greater than 255 bytes in length, it will switch to local name resolution in order to resolve the address before passing it on to the SOCKS5 proxy. However, due to a bug introduced in 2020, this local name resolution could fail due to a slow SOCKS5 handshake, causing curl to pass on the hostname greater than 255 bytes in length into the target buffer, leading to a heap overflow. The advisory for CVE-2023-38545 gives an example exploitation scenario of a malicious HTTPS server redirecting to a specially crafted URL. While it might seem that an attacker would need to influence the slowness of the SOCKS5 handshake, the advisory states that server latency is likely slow enough to trigger this bug. (CVE-2023-38545)
Please review the referenced CVE identifiers for details. Note that the risk of remote code execution is limited to SOCKS usage. (CVE-2023-38546)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory SSA:2023-284-01. The text
# itself is copyright (C) Slackware Linux, Inc.
##
include('compat.inc');
if (description)
{
script_id(182876);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/08");
script_cve_id("CVE-2023-38545", "CVE-2023-38546");
script_xref(name:"CEA-ID", value:"CEA-2023-0052");
script_xref(name:"IAVA", value:"2023-A-0531-S");
script_name(english:"Slackware Linux 14.0 / 14.1 / 14.2 / 15.0 / current curl Multiple Vulnerabilities (SSA:2023-284-01)");
script_set_attribute(attribute:"synopsis", value:
"The remote Slackware Linux host is missing a security update to curl.");
script_set_attribute(attribute:"description", value:
"The version of curl installed on the remote host is prior to 8.4.0. It is, therefore, affected by multiple
vulnerabilities as referenced in the SSA:2023-284-01 advisory.
- CVE-2023-38545 is a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake in libcurl and
curl. When curl is given a hostname to pass along to a SOCKS5 proxy that is greater than 255 bytes in
length, it will switch to local name resolution in order to resolve the address before passing it on to
the SOCKS5 proxy. However, due to a bug introduced in 2020, this local name resolution could fail due to a
slow SOCKS5 handshake, causing curl to pass on the hostname greater than 255 bytes in length into the
target buffer, leading to a heap overflow. The advisory for CVE-2023-38545 gives an example exploitation
scenario of a malicious HTTPS server redirecting to a specially crafted URL. While it might seem that an
attacker would need to influence the slowness of the SOCKS5 handshake, the advisory states that server
latency is likely slow enough to trigger this bug. (CVE-2023-38545)
- Please review the referenced CVE identifiers for details. Note that the risk of remote code execution
is limited to SOCKS usage. (CVE-2023-38546)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# http://www.slackware.com/security/viewer.php?l=slackware-security&y=2023&m=slackware-security.461570
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fb45b2b3");
script_set_attribute(attribute:"solution", value:
"Upgrade the affected curl package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-38545");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/11");
script_set_attribute(attribute:"patch_publication_date", value:"2023/10/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:curl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");
script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:15.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Slackware Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
exit(0);
}
include("slackware.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
var flag = 0;
var constraints = [
{ 'fixed_version' : '8.4.0', 'product' : 'curl', 'os_name' : 'Slackware Linux', 'os_version' : '14.0', 'service_pack' : '1_slack14.0', 'arch' : 'i486' },
{ 'fixed_version' : '8.4.0', 'product' : 'curl', 'os_name' : 'Slackware Linux', 'os_version' : '14.0', 'service_pack' : '1_slack14.0', 'arch' : 'x86_64' },
{ 'fixed_version' : '8.4.0', 'product' : 'curl', 'os_name' : 'Slackware Linux', 'os_version' : '14.1', 'service_pack' : '1_slack14.1', 'arch' : 'i486' },
{ 'fixed_version' : '8.4.0', 'product' : 'curl', 'os_name' : 'Slackware Linux', 'os_version' : '14.1', 'service_pack' : '1_slack14.1', 'arch' : 'x86_64' },
{ 'fixed_version' : '8.4.0', 'product' : 'curl', 'os_name' : 'Slackware Linux', 'os_version' : '14.2', 'service_pack' : '1_slack14.2', 'arch' : 'i586' },
{ 'fixed_version' : '8.4.0', 'product' : 'curl', 'os_name' : 'Slackware Linux', 'os_version' : '14.2', 'service_pack' : '1_slack14.2', 'arch' : 'x86_64' },
{ 'fixed_version' : '8.4.0', 'product' : 'curl', 'os_name' : 'Slackware Linux', 'os_version' : '15.0', 'service_pack' : '1_slack15.0', 'arch' : 'i586' },
{ 'fixed_version' : '8.4.0', 'product' : 'curl', 'os_name' : 'Slackware Linux', 'os_version' : '15.0', 'service_pack' : '1_slack15.0', 'arch' : 'x86_64' },
{ 'fixed_version' : '8.4.0', 'product' : 'curl', 'os_name' : 'Slackware Linux', 'os_version' : 'current', 'service_pack' : '1', 'arch' : 'i586' },
{ 'fixed_version' : '8.4.0', 'product' : 'curl', 'os_name' : 'Slackware Linux', 'os_version' : 'current', 'service_pack' : '1', 'arch' : 'x86_64' }
];
foreach var constraint (constraints) {
var pkg_arch = constraint['arch'];
var arch = NULL;
if (pkg_arch == "x86_64") {
arch = pkg_arch;
}
if (slackware_check(osver:constraint['os_version'],
arch:arch,
pkgname:constraint['product'],
pkgver:constraint['fixed_version'],
pkgarch:pkg_arch,
pkgnum:constraint['service_pack'])) flag++;
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : slackware_report_get()
);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Vendor | Product | Version | CPE |
---|---|---|---|
slackware | slackware_linux | 15.0 | cpe:/o:slackware:slackware_linux:15.0 |
slackware | slackware_linux | 14.0 | cpe:/o:slackware:slackware_linux:14.0 |
slackware | slackware_linux | curl | p-cpe:/a:slackware:slackware_linux:curl |
slackware | slackware_linux | 14.1 | cpe:/o:slackware:slackware_linux:14.1 |
slackware | slackware_linux | cpe:/o:slackware:slackware_linux | |
slackware | slackware_linux | 14.2 | cpe:/o:slackware:slackware_linux:14.2 |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
Low
0.003 Low
EPSS
Percentile
70.7%