9 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.881 High
EPSS
Percentile
98.7%
Several vulnerabilities were discovered in cURL, a URL transfer library:
CVE-2015-3143 NTLM-authenticated connections could be wrongly reused for requests without any credentials set, leading to HTTP requests being sent over the connection authenticated as a different user. This is similar to the issue fixed in DSA-2849-1.
CVE-2015-3144 When parsing URLs with a zero-length hostname (such as ‘http://:80’), libcurl would try to read from an invalid memory address. This could allow remote attackers to cause a denial of service (crash). This issue only affects the upcoming stable (jessie) and unstable (sid) distributions.
CVE-2015-3145 When parsing HTTP cookies, if the parsed cookie’s ‘path’ element consists of a single double-quote, libcurl would try to write to an invalid heap memory address. This could allow remote attackers to cause a denial of service (crash). This issue only affects the upcoming stable (jessie) and unstable (sid) distributions.
CVE-2015-3148 When doing HTTP requests using the Negotiate authentication method along with NTLM, the connection used would not be marked as authenticated, making it possible to reuse it and send requests for one user over the connection authenticated as a different user.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-3232. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration branch: when the scanner loads this plugin with `description`
# set, only the metadata below is recorded and the script leaves through the
# exit(0) at the end of this block, before any host check runs.
if (description)
{
# Plugin identity and the advisory identifiers this check maps to
# (four CVEs, all covered by Debian advisory DSA-3232).
script_id(83003);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");
script_cve_id("CVE-2015-3143", "CVE-2015-3144", "CVE-2015-3145", "CVE-2015-3148");
script_xref(name:"DSA", value:"3232");
script_name(english:"Debian DSA-3232-1 : curl - security update");
script_summary(english:"Checks dpkg output for the updated package");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security-related update."
);
# Advisory text, taken from DSA-3232 per the file header. Note what it says
# about scope: CVE-2015-3144 and CVE-2015-3145 (the two crash issues) are
# stated to affect only jessie and sid, so on wheezy the findings that matter
# are the two connection-reuse issues (CVE-2015-3143, CVE-2015-3148).
script_set_attribute(
attribute:"description",
value:
"Several vulnerabilities were discovered in cURL, an URL transfer
library :
- CVE-2015-3143
NTLM-authenticated connections could be wrongly reused
for requests without any credentials set, leading to
HTTP requests being sent over the connection
authenticated as a different user. This is similar to
the issue fixed in DSA-2849-1.
- CVE-2015-3144
When parsing URLs with a zero-length hostname (such as
'http://:80'), libcurl would try to read from an invalid
memory address. This could allow remote attackers to
cause a denial of service (crash). This issue only
affects the upcoming stable (jessie) and unstable (sid)
distributions.
- CVE-2015-3145
When parsing HTTP cookies, if the parsed cookie's 'path'
element consists of a single double-quote, libcurl would
try to write to an invalid heap memory address. This
could allow remote attackers to cause a denial of
service (crash). This issue only affects the upcoming
stable (jessie) and unstable (sid) distributions.
- CVE-2015-3148
When doing HTTP requests using the Negotiate
authentication method along with NTLM, the connection
used would not be marked as authenticated, making it
possible to reuse it and send requests for one user over
the connection authenticated as a different user."
);
# Reference links: one Debian security-tracker page per CVE, the wheezy
# source-package page, and the advisory itself.
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2015-3143"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2015-3144"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2015-3145"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2015-3148"
);
script_set_attribute(
attribute:"see_also",
value:"https://packages.debian.org/source/wheezy/curl"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.debian.org/security/2015/dsa-3232"
);
# Remediation text names fixed versions for both wheezy and jessie, but the
# cpe attributes below and the deb_check() calls later in this file name only
# release 7.0 (wheezy). A jessie host is therefore not evaluated here; the
# jessie version in this text is informational only.
script_set_attribute(
attribute:"solution",
value:
"Upgrade the curl packages.
For the stable distribution (wheezy), these problems have been fixed
in version 7.26.0-1+wheezy13.
For the upcoming stable distribution (jessie), these problems have
been fixed in version 7.38.0-4+deb8u1."
);
# CVSS v2 base vector: network-reachable, low complexity, single
# authentication, complete C/I/A impact.
# NOTE(review): the advisory text above describes crashes (denial of service)
# and requests sent over a connection authenticated as another user; confirm
# the complete-impact rating against the CVE records before using this score
# for prioritisation.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
# Temporal vector: exploitability unproven (E:U), official fix available
# (RL:OF), report confirmed (RC:C); consistent with the two attributes below.
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
# "local" plugin: the finding is derived from data gathered on the host (the
# KB keys required below), not from probing the curl/libcurl code itself.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:curl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
script_set_attribute(attribute:"patch_publication_date", value:"2015/04/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/23");
script_end_attributes();
# Scheduling metadata: information-gathering category, Debian local-checks
# family, and the KB keys that must exist before the check body is run.
# Presumably ssh_get_info.nasl is what populates those keys -- confirm.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Debian Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
# Preconditions, checked in order: local checks must be enabled, the host must
# have been identified as Debian, and a dpkg package list must be present in
# the KB. Each failure leaves the script through audit().
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release"))
  audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Fixed version for wheezy as given in DSA-3232, and the binary packages built
# from the curl source package that are compared against it.
wheezy_fix = "7.26.0-1+wheezy13";
curl_pkgs = make_list(
  "curl",
  "libcurl3",
  "libcurl3-dbg",
  "libcurl3-gnutls",
  "libcurl3-nss",
  "libcurl4-gnutls-dev",
  "libcurl4-nss-dev",
  "libcurl4-openssl-dev"
);

# Count every package for which deb_check() returns true. deb_check() lives in
# debian_package.inc (not shown here); presumably it compares the installed
# version with `reference` and records a report line -- confirm there.
# Only release 7.0 is tested, so a host on any other Debian release falls
# through to the "not affected" audit below; that result means "not covered by
# this plugin", not "patched".
vuln_count = 0;
foreach curl_pkg (curl_pkgs)
{
  if (deb_check(release:"7.0", prefix:curl_pkg, reference:wheezy_fix))
    vuln_count++;
}

if (!vuln_count)
  audit(AUDIT_HOST_NOT, "affected");
else
{
  # Attach the per-package report text only when the scan asks for verbosity.
  if (report_verbosity > 0)
    security_hole(port:0, extra:deb_report_get());
  else
    security_hole(0);
  exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | curl | p-cpe:/a:debian:debian_linux:curl |
debian | debian_linux | 7.0 | cpe:/o:debian:debian_linux:7.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3143
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3144
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3145
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3148
packages.debian.org/source/wheezy/curl
security-tracker.debian.org/tracker/CVE-2015-3143
security-tracker.debian.org/tracker/CVE-2015-3144
security-tracker.debian.org/tracker/CVE-2015-3145
security-tracker.debian.org/tracker/CVE-2015-3148
www.debian.org/security/2015/dsa-3232