CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
79.3%
According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). (CVE-2022-22576)
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
(CVE-2022-27774)
An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead. (CVE-2022-27775)
A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number. (CVE-2022-27776)
libcurl provides the CURLOPT_CERTINFO
option to allow applications torequest details to be returned about a server’s certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.
(CVE-2022-27781)
libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily. (CVE-2022-27782)
curl < 7.84.0 supports ‘chained’ HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable ‘links’ in this ‘decompression chain’ was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a ‘malloc bomb’, makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors. (CVE-2022-32206)
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended. (CVE-2022-32207)
When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly.
This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. (CVE-2022-32208)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(165381);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/11");
script_cve_id(
"CVE-2022-22576",
"CVE-2022-27774",
"CVE-2022-27775",
"CVE-2022-27776",
"CVE-2022-27781",
"CVE-2022-27782",
"CVE-2022-32206",
"CVE-2022-32207",
"CVE-2022-32208"
);
script_xref(name:"IAVA", value:"2022-A-0224-S");
script_xref(name:"IAVA", value:"2022-A-0255-S");
script_xref(name:"CEA-ID", value:"CEA-2022-0026");
script_name(english:"EulerOS Virtualization 2.9.1 : curl (EulerOS-SA-2022-2341)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is
affected by the following vulnerabilities :
- An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow
reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated
with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S),
IMAP(S), POP3(S) and LDAP(S) (openldap only). (CVE-2022-22576)
- An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are
affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with
authentication could leak credentials to other services that exist on different protocols or port numbers.
(CVE-2022-27774)
- An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an
IPv6 address that was in the connection pool but with a different zone id it could reuse a connection
instead. (CVE-2022-27775)
- A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or
cookie header data on HTTP redirects to the same host but another port number. (CVE-2022-27776)
- libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned
about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl
built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.
(CVE-2022-27781)
- libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed
that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for
subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were
left out from the configuration match checks, making themmatch too easily. (CVE-2022-27782)
- curl < 7.84.0 supports 'chained' HTTP compression algorithms, meaning that a serverresponse can be
compressed multiple times and potentially with different algorithms. The number of acceptable 'links' in
this 'decompression chain' was unbounded, allowing a malicious server to insert a virtually unlimited
number of compression steps.The use of such a decompression chain could result in a 'malloc bomb',
makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of
memory errors. (CVE-2022-32206)
- When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by
finalizing the operation with a rename from a temporary name to the final target file name.In that rename
operation, it might accidentally *widen* the permissions for the target file, leaving the updated file
accessible to more users than intended. (CVE-2022-32207)
- When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly.
This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject
data to the client. (CVE-2022-32208)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-2341
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1959bf2a");
script_set_attribute(attribute:"solution", value:
"Update the affected curl packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-32207");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/28");
script_set_attribute(attribute:"patch_publication_date", value:"2022/09/23");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/09/23");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:curl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libcurl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.9.1");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.9.1") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.9.1");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
var flag = 0;
var pkgs = [
"curl-7.69.1-2.h15.eulerosv2r9",
"libcurl-7.69.1-2.h15.eulerosv2r9"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27775
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27781
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27782
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32207
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208
www.nessus.org/u?1959bf2a
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
79.3%