Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.SUSE_SU-2023-2225-1.NASL
HistoryMay 18, 2023 - 12:00 a.m.

SUSE SLES12 Security Update : curl (SUSE-SU-2023:2225-1)

2023-05-1800:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
8
JSON

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2225-1 advisory.

  • An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
    (CVE-2022-27774)

  • A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server’s public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed. (CVE-2023-28319)

  • A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm() and siglongjmp(). When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave. (CVE-2023-28320)

  • An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as Subject Alternative Name in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x. (CVE-2023-28321)

  • An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously wasused to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST. (CVE-2023-28322)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2023:2225-1. The text itself
# is copyright (C) SUSE.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(176041);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/20");

  script_cve_id(
    "CVE-2022-27774",
    "CVE-2023-28319",
    "CVE-2023-28320",
    "CVE-2023-28321",
    "CVE-2023-28322"
  );
  script_xref(name:"SuSE", value:"SUSE-SU-2023:2225-1");
  script_xref(name:"IAVA", value:"2023-A-0259-S");

  script_name(english:"SUSE SLES12 Security Update : curl (SUSE-SU-2023:2225-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as
referenced in the SUSE-SU-2023:2225-1 advisory.

  - An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are
    affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with
    authentication could leak credentials to other services that exist on different protocols or port numbers.
    (CVE-2022-27774)

  - A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH
    server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the
    fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting
    sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and
    revealed. (CVE-2023-28319)

  - A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different
    backends for resolving host names, selected at build time. If it is built to use the synchronous resolver,
    it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this,
    libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore
    crash or otherwise misbehave. (CVE-2023-28320)

  - An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of
    wildcard patterns when listed as Subject Alternative Name in TLS server certificates. curl can be built
    to use its own name matching function for TLS rather than one provided by a TLS library. This private
    wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a
    result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before
    used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to
    pattern match, but the wildcard check in curl could still check for `x*`, which would match even though
    the IDN name most likely contained nothing even resembling an `x`. (CVE-2023-28321)

  - An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might
    erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the
    `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request
    which used that callback. This flaw may surprise the application and cause it to misbehave and either send
    off the wrong data or use memory after free or similar in the second transfer. The problem exists in the
    logic for a reused handle when it is (expected to be) changed from a PUT to a POST. (CVE-2023-28322)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1198608");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1211230");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1211231");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1211232");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1211233");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-27774");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-28319");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-28320");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-28321");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2023-28322");
  # https://lists.suse.com/pipermail/sle-security-updates/2023-May/014912.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f74e4782");
  script_set_attribute(attribute:"solution", value:
"Update the affected curl, libcurl-devel, libcurl4 and / or libcurl4-32bit packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-27774");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-28319");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/05/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/05/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libcurl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libcurl4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libcurl4-32bit");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)(?:_SAP)?\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12|SLES_SAP12)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12 / SLES_SAP12', 'SUSE (' + os_ver + ')');

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);

var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(5)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES12 SP5", os_ver + " SP" + service_pack);
if (os_ver == "SLES_SAP12" && (! preg(pattern:"^(5)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES_SAP12 SP5", os_ver + " SP" + service_pack);

var pkgs = [
    {'reference':'curl-8.0.1-11.65.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'libcurl-devel-8.0.1-11.65.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'libcurl4-32bit-8.0.1-11.65.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'libcurl4-8.0.1-11.65.2', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},
    {'reference':'libcurl-devel-8.0.1-11.65.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-sdk-release-12.5', 'sles-release-12.5']},
    {'reference':'curl-8.0.1-11.65.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'libcurl4-32bit-8.0.1-11.65.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},
    {'reference':'libcurl4-8.0.1-11.65.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']}
];

var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var exists_check = NULL;
  var rpm_spec_vers_cmp = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (reference && _release) {
    if (exists_check) {
      var check_flag = 0;
      foreach var check (exists_check) {
        if (!rpm_exists(release:_release, rpm:check)) continue;
        check_flag++;
      }
      if (!check_flag) continue;
    }
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'curl / libcurl-devel / libcurl4 / libcurl4-32bit');
}
VendorProductVersionCPE
novellsuse_linuxcurlp-cpe:/a:novell:suse_linux:curl
novellsuse_linuxlibcurl-develp-cpe:/a:novell:suse_linux:libcurl-devel
novellsuse_linuxlibcurl4p-cpe:/a:novell:suse_linux:libcurl4
novellsuse_linuxlibcurl4-32bitp-cpe:/a:novell:suse_linux:libcurl4-32bit
novellsuse_linux12cpe:/o:novell:suse_linux:12

Related

openvas 30
nessus 44
slackware 1
redos 1
ibm 13
freebsd 1
amazon 1
redhat 8
osv 13
photon 3
fedora 2
oraclelinux 2
almalinux 2
cloudfoundry 2
ubuntu 3
mageia 1
cbl_mariner 19
veracode 6
prion 5
debiancve 5
alpinelinux 5
redhatcve 5
ubuntucve 5
hackerone 12
cve 5
debian 3
gentoo 1
rocky 1
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2023:2225-1)
2023-05-18 00:00:00
Slackware: Security Advisory (SSA:2023-137-01)
2023-05-18 00:00:00
SUSE: Security Advisory (SUSE-SU-2023:2227-1)
2023-05-18 00:00:00
nessus
nessus
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : curl (SUSE-SU-2023:2224-1)
2023-05-18 00:00:00
openSUSE 15 Security Update : curl (SUSE-SU-2023:2224-2)
2023-06-22 00:00:00
FreeBSD : curl -- multiple vulnerabilities (a4f8bb03-f52f-11ed-9859-080027083a05)
2023-05-19 00:00:00
slackware
slackware
[slackware-security] curl
2023-05-17 21:00:11
redos
redos
ROS-20230621-04
2023-06-21 00:00:00
ibm
ibm
Security Bulletin: IBM MaaS360 Cloud Extender Agent, Configuration Utility, Certificate, and Base Module affected by multiple vulnerabilities (CVE-2023-28322, CVE-2023-28320, CVE-2023-28319, CVE-2023-28321)
2023-10-02 16:16:07
Security Bulletin: Multiple vulnerabilities in Curl affect PowerSC
2023-09-25 20:08:28
Security Bulletin: Multiple vulnerabilities in libcURL affect IBM Rational ClearCase.
2024-03-01 07:00:05
freebsd
freebsd
curl -- multiple vulnerabilities
2023-03-21 00:00:00
amazon
amazon
Medium: curl
2023-08-31 22:29:00
redhat
redhat
(RHSA-2023:4354) Moderate: curl security update
2023-08-01 07:58:15
(RHSA-2023:5598) Moderate: curl security update
2023-10-10 14:20:03
(RHSA-2023:4629) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 security update
2023-08-15 17:35:29
osv
osv
Moderate: curl security update
2023-08-01 00:00:00
curl vulnerabilities
2023-07-19 12:11:55
curl regression
2023-07-19 17:34:44
photon
photon
Important Photon OS Security Update - PHSA-2023-3.0-0589
2023-05-31 00:00:00
Moderate Photon OS Security Update - PHSA-2022-0176
2022-04-30 00:00:00
Moderate Photon OS Security Update - PHSA-2022-0388
2022-04-30 00:00:00
fedora
fedora
[SECURITY] Fedora 38 Update: curl-8.0.1-2.fc38
2023-06-07 02:15:37
[SECURITY] Fedora 37 Update: curl-7.85.0-9.fc37
2023-06-08 02:00:39
oraclelinux
oraclelinux
curl security update
2023-08-02 00:00:00
curl security update
2023-08-10 00:00:00
almalinux
almalinux
Moderate: curl security update
2023-08-01 00:00:00
Moderate: curl security update
2023-08-08 00:00:00
cloudfoundry
cloudfoundry
USN-6237-2: curl regression | Cloud Foundry
2023-08-10 00:00:00
USN-6237-1: curl vulnerabilities | Cloud Foundry
2024-03-18 00:00:00
ubuntu
ubuntu
curl vulnerabilities
2023-07-19 00:00:00
curl regression
2023-07-19 00:00:00
curl vulnerabilities
2023-09-11 00:00:00
mageia
mageia
Updated curl packages fix security vulnerability
2023-09-25 01:16:18
cbl_mariner
cbl_mariner
CVE-2023-28320 affecting package cmake 3.21.4-10
2024-03-19 17:21:46
CVE-2023-28319 affecting package tensorflow 2.11.1-1
2024-04-17 22:02:46
CVE-2023-28320 affecting package tensorflow 2.11.1-1
2024-04-17 22:02:46
veracode
veracode
Information Disclosure
2023-06-04 09:13:01
Denial Of Service (DoS)
2023-06-04 09:58:21
Information Disclosure
2022-04-30 16:23:47
prion
prion
Design/Logic Flaw
2023-05-26 21:15:00
Denial of service
2023-05-26 21:15:00
Design/Logic Flaw
2022-06-02 14:15:00
debiancve
debiancve
CVE-2023-28319
2023-05-26 21:15:10
CVE-2023-28320
2023-05-26 21:15:15
CVE-2022-27774
2022-06-02 14:15:00
alpinelinux
alpinelinux
CVE-2023-28319
2023-05-26 21:15:10
CVE-2023-28320
2023-05-26 21:15:15
CVE-2023-28322
2023-05-26 21:15:16
redhatcve
redhatcve
CVE-2023-28319
2023-05-17 09:27:50
CVE-2023-28320
2023-05-17 09:27:59
CVE-2023-28322
2023-05-17 09:28:10
ubuntucve
ubuntucve
CVE-2023-28319
2023-05-17 00:00:00
CVE-2022-27774
2022-04-27 00:00:00
CVE-2023-28320
2023-05-17 00:00:00
hackerone
hackerone
Internet Bug Bounty: CVE-2023-28320 - siglongjmp race condition
2023-05-17 08:16:02
curl: CVE-2023-28319: UAF in SSH sha256 fingerprint check
2023-03-21 12:05:28
Internet Bug Bounty: CVE-2023-28319: UAF in SSH sha256 fingerprint check
2023-05-23 08:38:55
cve
cve
CVE-2023-28319
2023-05-26 21:15:10
CVE-2023-28320
2023-05-26 21:15:15
CVE-2023-28322
2023-05-26 21:15:16
debian
debian
[SECURITY] [DLA 3613-1] curl security update
2023-10-11 11:49:02
[SECURITY] [DSA 5365-1] curl security update
2023-02-27 22:00:09
[SECURITY] [DLA 3692-1] curl security update
2023-12-22 14:27:56
gentoo
gentoo
curl: Multiple Vulnerabilities
2023-10-11 00:00:00
rocky
rocky
curl security update
2023-10-06 23:10:01
JSON
Related for SUSE_SU-2023-2225-1.NASL
openvas30nessus44slackware1redos1ibm13freebsd1amazon1redhat8osv13photon3fedora2oraclelinux2almalinux2cloudfoundry2ubuntu3mageia1cbl_mariner19veracode6prion5debiancve5alpinelinux5redhatcve5ubuntucve5hackerone12cve5debian3gentoo1rocky1