The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5365 advisory.
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
(CVE-2022-27774)
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the chained HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable links in this decompression chain wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a malloc bomb, making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors. (CVE-2023-23916)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5365. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(172027);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/01");
script_cve_id("CVE-2022-27774", "CVE-2023-23916");
script_xref(name:"IAVA", value:"2023-A-0008-S");
script_name(english:"Debian DSA-5365-1 : curl - security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dsa-5365 advisory.
- An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are
affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with
authentication could leak credentials to other services that exist on different protocols or port numbers.
(CVE-2022-27774)
- An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the
chained HTTP compression algorithms, meaning that a server response can be compressed multiple times and
potentially with differentalgorithms. The number of acceptable links in this decompression chain
wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a
virtually unlimited number of compression steps simply byusing many headers. The use of such a
decompression chain could result in a malloc bomb, making curl end up spending enormous amounts of
allocated heap memory, or trying to and returning out of memory errors. (CVE-2023-23916)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/curl");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2023/dsa-5365");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-27774");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-23916");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/curl");
script_set_attribute(attribute:"solution", value:
"Upgrade the curl packages.
For the stable distribution (bullseye), this problem has been fixed in version 7.74.0-1.3+deb11u7.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-27774");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/28");
script_set_attribute(attribute:"patch_publication_date", value:"2023/02/27");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/01");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:curl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl3-gnutls");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl3-nss");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-nss-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcurl4-openssl-dev");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '11.0', 'prefix': 'curl', 'reference': '7.74.0-1.3+deb11u7'},
{'release': '11.0', 'prefix': 'libcurl3-gnutls', 'reference': '7.74.0-1.3+deb11u7'},
{'release': '11.0', 'prefix': 'libcurl3-nss', 'reference': '7.74.0-1.3+deb11u7'},
{'release': '11.0', 'prefix': 'libcurl4', 'reference': '7.74.0-1.3+deb11u7'},
{'release': '11.0', 'prefix': 'libcurl4-doc', 'reference': '7.74.0-1.3+deb11u7'},
{'release': '11.0', 'prefix': 'libcurl4-gnutls-dev', 'reference': '7.74.0-1.3+deb11u7'},
{'release': '11.0', 'prefix': 'libcurl4-nss-dev', 'reference': '7.74.0-1.3+deb11u7'},
{'release': '11.0', 'prefix': 'libcurl4-openssl-dev', 'reference': '7.74.0-1.3+deb11u7'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var _release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (_release && prefix && reference) {
if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_NOTE,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'curl / libcurl3-gnutls / libcurl3-nss / libcurl4 / libcurl4-doc / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | curl | p-cpe:/a:debian:debian_linux:curl |
debian | debian_linux | libcurl3-gnutls | p-cpe:/a:debian:debian_linux:libcurl3-gnutls |
debian | debian_linux | libcurl3-nss | p-cpe:/a:debian:debian_linux:libcurl3-nss |
debian | debian_linux | libcurl4 | p-cpe:/a:debian:debian_linux:libcurl4 |
debian | debian_linux | libcurl4-doc | p-cpe:/a:debian:debian_linux:libcurl4-doc |
debian | debian_linux | libcurl4-gnutls-dev | p-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev |
debian | debian_linux | libcurl4-nss-dev | p-cpe:/a:debian:debian_linux:libcurl4-nss-dev |
debian | debian_linux | libcurl4-openssl-dev | p-cpe:/a:debian:debian_linux:libcurl4-openssl-dev |
debian | debian_linux | 11.0 | cpe:/o:debian:debian_linux:11.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23916
packages.debian.org/source/bullseye/curl
security-tracker.debian.org/tracker/CVE-2022-27774
security-tracker.debian.org/tracker/CVE-2023-23916
security-tracker.debian.org/tracker/source-package/curl
www.debian.org/security/2023/dsa-5365