libcurl 7.9.1 < 8.4.0 Cookie Injection

2023-10-1100:00:00

www.tenable.com

159

libcurl

cookie injection

vulnerability

api

curl_easy_duphandle

transfers

nessus

scanner

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

7.5

Confidence

Low

EPSS

0.001

Percentile

35.6%

JSON

The version of libcurl installed on the remote host is affected by a cookie injection vulnerability. This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met.

libcurl performs transfers. In its API, an application creates ‘easy handles’ that are the individual handles for single transfers.

libcurl provides a function call that duplicates an easy handle called curl_easy_duphandle.

If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(182873);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/08");

  script_cve_id("CVE-2023-38546");
  script_xref(name:"CEA-ID", value:"CEA-2023-0052");
  script_xref(name:"IAVA", value:"2023-A-0531-S");

  script_name(english:"libcurl 7.9.1 < 8.4.0 Cookie Injection");

  script_set_attribute(attribute:"synopsis", value:
"The remote libcurl install is affected by a cookie injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of libcurl installed on the remote host is affected by a cookie injection vulnerability. This flaw allows
an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are
met.

libcurl performs transfers. In its API, an application creates 'easy handles' that are the individual handles for single
transfers.

libcurl provides a function call that duplicates an easy handle called curl_easy_duphandle.

If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without
cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned
version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently
load cookies from a file named none - if such a file exists and is readable in the current directory of the program
using libcurl. And if using the correct file format of course.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://curl.se/docs/CVE-2023-38546.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade libcurl to version 8.4.0 or later");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-38546");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/10/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:haxx:libcurl");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("libcurl_nix_installed.nbin");
  script_require_keys("installed_sw/libcurl");

  exit(0);
}

include('vcf.inc');

var win_local;
if (!empty_or_null(get_kb_item('SMB/Registry/Enumerated')))
  win_local = TRUE;
else
  win_local = FALSE;

var app_info = vcf::get_app_info(app:'libcurl', win_local:win_local);
vcf::check_all_backporting(app_info:app_info);
var constraints = [{'min_version': '7.9.1', 'max_version': '8.3.0', 'fixed_version' : '8.4.0' }];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);