ESB-2018.2229 - [Juniper] cURL: Multiple vulnerabilities 2018-08-01

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2229
         Multiple vulnerabilities in cURL affect Juniper Junos OS
                               1 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           cURL
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000122 CVE-2018-1000121 CVE-2018-1000120
                   CVE-2018-1000007 CVE-2018-1000005 CVE-2017-1000257
                   CVE-2017-1000254 CVE-2017-1000101 CVE-2017-1000100
                   CVE-2017-1000099 CVE-2017-9502 CVE-2017-8818
                   CVE-2017-8817 CVE-2017-8816 CVE-2017-7407
                   CVE-2016-9953 CVE-2016-9952 CVE-2016-9586
                   CVE-2016-8625 CVE-2016-8624 CVE-2016-8623
                   CVE-2016-8622 CVE-2016-8621 CVE-2016-8620
                   CVE-2016-8619 CVE-2016-8618 CVE-2016-8617
                   CVE-2016-8616 CVE-2016-8615 CVE-2016-7167
                   CVE-2016-7141 CVE-2016-5421 CVE-2016-5420
                   CVE-2016-5419 CVE-2016-4802 CVE-2016-3739
                   CVE-2016-0755 CVE-2016-0754 CVE-2015-3153
                   CVE-2015-3148 CVE-2015-3143 CVE-2014-8150
                   CVE-2014-3707 CVE-2014-3613 CVE-2014-0139
                   CVE-2014-0138 CVE-2014-0015 CVE-2013-6422
                   CVE-2013-4545 CVE-2013-2174 CVE-2013-1944
                   CVE-2000-0973  

Reference:         ASB-2017.0164
                   ASB-2017.0058
                   ASB-2017.0001
                   ASB-2016.0101
                   ASB-2016.0087
                   ASB-2016.0078

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10874&actp=RSS

- --------------------------BEGIN INCLUDED TEXT--------------------

2018-07 Security Bulletin: Junos OS: cURL: Multiple vulnerabilities in multiple
cURL versions

Categories:    o Junos                    Article ID:        JSA10874
               o Router Products
               o M Series                 Last Updated:      31 Jul 2018
               o T Series
               o MX-series                Version:           3.0
               o Security Products
               o Switch Products
               o EX Series
               o SRX Series
               o QFX Series
                 See more...
               o NFX Series
               o PTX Series
               o Security Advisories
               o ACX Series
                 Hide this content

Product Affected:
Junos OS
Problem:
Multiple vulnerabilities in cURL and libcurl have been resolved in Junos OS.

RISK LEVEL: CRITICAL CVSSv2 10.0, CVSSv3 9.8:
Junos OS 12.3R uses cURL 7.24 and has been upgraded to cURL 7.59.0 which may be
impacted by:
CVE-2000-0973, CVE-2013-1944, CVE-2013-2174, CVE-2013-4545, CVE-2013-6422,
CVE-2014-0015, CVE-2014-0138, CVE-2014-0139, CVE-2014-3613, CVE-2014-3707,
CVE-2014-8150, CVE-2015-3143, CVE-2015-3148, CVE-2015-3153, CVE-2016-0754,
CVE-2016-0755, CVE-2016-3739, CVE-2016-4802, CVE-2016-5419, CVE-2016-5420,
CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617,
CVE-2016-8618, CVE-2016-8619, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623,
CVE-2016-8624, CVE-2016-8625, CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000254
, CVE-2017-1000257, CVE-2017-7407, CVE-2017-8817, CVE-2018-1000007,
CVE-2018-1000120, CVE-2018-1000121 and CVE-2018-1000122.

RISK LEVEL: CRITICAL CVSSv2 10.0, CVSSv3 9.8:
Junos OS 12.1X46, 12.3X48, and Junos OS 13.1R through 17.3R release trains uses
cURL 7.43 and has been upgraded to cURL 7.59.0 which may be affected by:
CVE-2000-0973, CVE-2013-1944, CVE-2014-8150, CVE-2016-0754, CVE-2016-0755,
CVE-2016-3739, CVE-2016-4802, CVE-2016-5419, CVE-2016-5420, CVE-2016-5421,
CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617,
CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622,
CVE-2016-8623, CVE-2016-8624, CVE-2016-8625, CVE-2016-9586, CVE-2016-9952,
CVE-2016-9953, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254,
CVE-2017-1000257, CVE-2017-7407, CVE-2017-8816, CVE-2017-8817, CVE-2018-1000007
, CVE-2018-1000120, CVE-2018-1000121 and CVE-2018-1000122.

RISK LEVEL: CRITICAL CVSSv3 9.8:
Subsequent releases of Junos OS 17.4R1 and onward uses cURL 7.54 and has been
upgraded to cURL 7.59.0 which may be affected by:
CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254,
CVE-2017-1000257, CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2017-9502,
CVE-2018-1000005, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000121,
CVE-2018-1000122

Affected releases are Juniper Networks Junos OS:
12.1X46 versions prior to 12.1X46-D77 on SRX Series;
12.3 versions prior to 12.3R12-S10 on EX Series;
12.3X48 versions prior to 12.3X48-D70 on SRX Series;
12.3X54 versions prior to 12.3X54-D34 on ACX Series;
14.1X53 versions prior to 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200,
EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100;
14.1X53 versions prior to 14.1X53-D130 on QFabric System;
15.1 versions prior to 15.1F6-S11, 15.1R4-S9, 15.1R7-S1, 15.1R8;
15.1X49 versions prior to 15.1X49-D140 on SRX Series;
15.1X53 versions prior to 15.1X53-D67 on QFX10000 Series;
15.1X53 versions prior to 15.1X53-D234 on QFX5110, QFX5200;
15.1X53 versions prior to 15.1X53-D471 on NFX 150, NFX 250;
15.1X54 versions prior to 15.1X54-D70 on ACX Series;
16.1 versions prior to 16.1R4-S10, 16.1R6-S4, 16.1R7;
16.2 versions prior to 16.2R1-S7, 16.2R2-S6, 16.2R3;
17.1 versions prior to 17.1R2-S7, 17.1R3;
17.2 versions prior to 17.2R1-S6, 17.2R2-S5, 17.2R3;
17.2X75 versions prior to 17.2X75-D100;
17.3 versions prior to 17.3R2-S2, 17.3R3;
17.4 versions prior to 17.4R1-S4, 17.4R2;
18.1 versions prior to 18.1R1-S1, 18.1R2;
18.2X75 versions prior to 18.2X75-D10.

Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.
Additional details on the vulnerabilities is also available at the cURL website
located at https://curl.haxx.se/docs/security.html
Further details for REST API configuration, cURL, and related components can be
found in the URLs section of this advisory.

Important security issues resolved as a result of these upgrades include:


                  CVSS
      CVE          v2                           Summary
                  base
                 score
                 10.0
                 (AV:N/ Buffer overflow in curl earlier than 6.0-1.1, and
                 AC:L/  curl-ssl earlier than 6.0-1.2, allows remote attackers
CVE-2000-0973    Au:N/  to execute arbitrary commands by forcing a long error
                 C:C/   message to be generated.
                 I:C/
                 A:C)
                 7.5
                 (AV:N/ Use-after-free vulnerability in libcurl before 7.50.1
                 AC:L/  allows attackers to control which connection is used or
CVE-2016-5421    Au:N/  possibly have unspecified other impact via unknown
                 C:P/   vectors.
                 I:P/
                 A:P)
                 7.5    Multiple integer overflows in the (1) curl_escape, (2)
                 (AV:N/ curl_easy_escape, (3) curl_unescape, and (4)
                 AC:L/  curl_easy_unescape functions in libcurl before 7.50.3
CVE-2016-7167    Au:N/  allow attackers to have unspecified impact via a string
                 C:P/   of length 0xffffffff, which triggers a heap-based
                 I:P/   buffer overflow.
                 A:P)
                 7.5    The verify_certificate function in lib/vtls/schannel.c
                 (AV:N/ in libcurl 7.30.0 through 7.51.0, when built for
                 AC:L/  Windows CE using the schannel TLS backend, allows
CVE-2016-9953    Au:N/  remote attackers to obtain sensitive information, cause
                 C:P/   a denial of service (crash), or possibly have
                 I:P/   unspecified other impact via a wildcard certificate
                 A:P)   name, which triggers an out-of-bounds read.
                 7.5    The NTLM authentication feature in curl and libcurl
                 (AV:N/ before 7.57.0 on 32-bit platforms allows attackers to
                 AC:L/  cause a denial of service (integer overflow and
CVE-2017-8816    Au:N/  resultant buffer overflow, and application crash) or
                 C:P/   possibly have unspecified other impact via vectors
                 I:P/   involving long user and password fields.
                 A:P)
                 7.5
                 (AV:N/ The FTP wildcard function in curl and libcurl before
                 AC:L/  7.57.0 allows remote attackers to cause a denial of
CVE-2017-8817    Au:N/  service (out-of-bounds read and application crash) or
                 C:P/   possibly have unspecified other impact via a string
                 I:P/   that ends with an '[' character.
                 A:P)
                 7.5    curl and libcurl before 7.57.0 on 32-bit platforms
                 (AV:N/ allow attackers to cause a denial of service
                 AC:L/  (out-of-bounds access and application crash) or
CVE-2017-8818    Au:N/  possibly have unspecified other impact because too
                 C:P/   little memory is allocated for interfacing to an SSL
                 I:P/   library.
                 A:P)
                 7.5
                 (AV:N/ A buffer overflow exists in curl 7.12.3 to and
                 AC:L/  including curl 7.58.0 in the FTP URL handling that
CVE-2018-1000120 Au:N/  allows an attacker to cause a denial of service or
                 C:P/   worse.
                 I:P/
                 A:P)
                 6.9    Multiple untrusted search path vulnerabilities in cURL
                 (AV:L/ and libcurl before 7.49.1, when built with SSPI or
                 AC:M/  telnet is enabled, allow local users to execute
CVE-2016-4802    Au:N/  arbitrary code and conduct DLL hijacking attacks via a
                 C:C/   Trojan horse (1) security.dll, (2) secur32.dll, or (3)
                 I:C/   ws2_32.dll in the application or current working
                 A:C)   directory.
                 6.8    Heap-based buffer overflow in the curl_easy_unescape
                 (AV:N/ function in lib/escape.c in cURL and libcurl 7.7
                 AC:M/  through 7.30.0 allows remote attackers to cause a
CVE-2013-2174    Au:N/  denial of service (application crash) or possibly
                 C:P/   execute arbitrary code via a crafted string ending in a
                 I:P/   "%" (percent) character.
                 A:P)
                 6.8    curl before version 7.52.0 is vulnerable to a buffer
                 (AV:N/ overflow when doing a large floating point output in
                 AC:M/  libcurl's implementation of the printf() functions. If
CVE-2016-9586    Au:N/  there are any application that accepts a format string
                 C:P/   from the outside without necessary input filtering, it
                 I:P/   could allow remote attacks.
                 A:P)
                 6.8    The verify_certificate function in lib/vtls/schannel.c
                 (AV:N/ in libcurl 7.30.0 through 7.51.0, when built for
                 AC:M/  Windows CE using the schannel TLS backend, makes it
CVE-2016-9952    Au:N/  easier for remote attackers to conduct
                 C:P/   man-in-the-middle attacks via a crafted wildcard SAN in
                 I:P/   a server certificate, as demonstrated by "*.com."
                 A:P)
                 6.4    The default configuration in cURL and libcurl 7.10.6
                 (AV:N/ before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4)
                 AC:L/  POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9)
CVE-2014-0138    Au:N/  LDAP, and (10) LDAPS connections, which might allow
                 C:P/   context-dependent attackers to connect as other users
                 I:P/   via a request, a similar issue to CVE-2014-0015.
                 A:N)
                        An IMAP FETCH response line indicates the size of the
                        returned data, in number of bytes. When that response
                 6.4    says the data is zero bytes, libcurl would pass on that
                 (AV:N/ (non-existing) data with a pointer and the size (zero)
                 AC:L/  to the deliver-data function. libcurl's deliver-data
CVE-2017-1000257 Au:N/  function treats zero as a magic number and invokes
                 C:P/   strlen() on the data to figure out the length. The
                 I:N/   strlen() is called on a heap based buffer that might
                 A:P)   not be zero terminated so libcurl might read beyond the
                        end of it into whatever memory lies after (or just
                        crash) and then deliver that to the application as if
                        it was actually downloaded.
                        libcurl 7.49.0 to and including 7.57.0 contains an out
                        bounds read in code handling HTTP/2 trailers. It was
                        reported (https://github.com/curl/curl/pull/2231) that
                        reading an HTTP/2 trailer could mess up future trailers
                 6.4    since the stored size was one byte less than required.
                 (AV:N/ The problem is that the code that creates HTTP/1-like
                 AC:L/  headers from the HTTP/2 trailer data once appended a
CVE-2018-1000005 Au:N/  string like `:` to the target buffer, while this was
                 C:P/   recently changed to `: ` (a space was added after the
                 I:N/   colon) but the following math wasn't updated
                 A:P)   correspondingly. When accessed, the data is read out of
                        bounds and causes either a crash or that the (too
                        large) data gets passed to client write. This could
                        lead to a denial-of-service situation or an information
                        disclosure if someone has a service that echoes back or
                        uses the trailers for something.
                 6.4
                 (AV:N/ A buffer over-read exists in curl 7.20.0 to and
                 AC:L/  including curl 7.58.0 in the RTSP+RTP handling code
CVE-2018-1000122 Au:N/  that allows an attacker to cause a denial of service or
                 C:P/   information leakage
                 I:N/
                 A:P)
                 5.8    cURL and libcurl 7.1 before 7.36.0, when using the
                 (AV:N/ OpenSSL, axtls, qsossl or gskit libraries for TLS,
                 AC:M/  recognize a wildcard IP address in the subject's Common
CVE-2014-0139    Au:N/  Name (CN) field of an X.509 certificate, which might
                 C:P/   allow man-in-the-middle attackers to spoof arbitrary
                 I:P/   SSL servers via a crafted certificate issued by a
                 A:N)   legitimate Certification Authority.
                 5.0
                 (AV:N/ The tailMatch function in cookie.c in cURL and libcurl
                 AC:L/  before 7.30.0 does not properly match the path domain
CVE-2013-1944    Au:N/  when sending cookies, which allows remote attackers to
                 C:P/   steal cookies via a matching suffix in the domain of a
                 I:N/   URL.
                 A:N)
                 5.0
                 (AV:N/ cURL and libcurl before 7.38.0 does not properly handle
                 AC:L/  IP addresses in cookie domain names, which allows
CVE-2014-3613    Au:N/  remote attackers to set cookies for or send arbitrary
                 C:N/   cookies to certain sites, as demonstrated by a site at
                 I:P/   192.168.0.1 setting cookies for a site at 127.168.0.1.
                 A:N)
                 5.0
                 (AV:N/ cURL and libcurl 7.10.6 through 7.41.0 does not
                 AC:L/  properly re-use NTLM connections, which allows remote
CVE-2015-3143    Au:N/  attackers to connect as other users via an
                 C:N/   unauthenticated request, a similar issue to
                 I:P/   CVE-2014-0015.
                 A:N)
                 5.0
                 (AV:N/ cURL and libcurl 7.10.6 through 7.41.0 do not properly
                 AC:L/  re-use authenticated Negotiate connections, which
CVE-2015-3148    Au:N/  allows remote attackers to connect as other users via a
                 C:N/   request.
                 I:P/
                 A:N)
                 5.0
                 (AV:N/ The default configuration for cURL and libcurl before
                 AC:L/  7.42.1 sends custom HTTP headers to both the proxy and
CVE-2015-3153    Au:N/  destination server, which might allow remote proxy
                 C:P/   servers to obtain sensitive information by reading the
                 I:N/   header contents.
                 A:N)
                 5.0
                 (AV:N/
                 AC:L/  cURL before 7.47.0 on Windows allows attackers to write
CVE-2016-0754    Au:N/  to arbitrary files in the current working directory on
                 C:N/   a different drive via a colon in a remote file name.
                 I:P/
                 A:N)
                 5.0
                 (AV:N/ The ConnectionExists function in lib/url.c in libcurl
                 AC:L/  before 7.47.0 does not properly re-use
CVE-2016-0755    Au:N/  NTLM-authenticated proxy connections, which might allow
                 C:N/   remote attackers to authenticate as other users via a
                 I:P/   request, a similar issue to CVE-2014-0015.
                 A:N)
                 5.0
                 (AV:N/ curl and libcurl before 7.50.1 do not prevent TLS
                 AC:L/  session resumption when the client certificate has
CVE-2016-5419    Au:N/  changed, which allows remote attackers to bypass
                 C:P/   intended restrictions by resuming a session.
                 I:N/
                 A:N)
                 5.0    curl and libcurl before 7.50.1 do not check the client
                 (AV:N/ certificate when choosing the TLS connection to reuse,
                 AC:L/  which might allow remote attackers to hijack the
CVE-2016-5420    Au:N/  authentication of the connection by leveraging a
                 C:N/   previously created connection with a different client
                 I:P/   certificate.
                 A:N)
                 5.0    curl and libcurl before 7.50.2, when built with NSS and
                 (AV:N/ the libnsspem.so library is available at runtime, allow
                 AC:L/  remote attackers to hijack the authentication of a TLS
CVE-2016-7141    Au:N/  connection by leveraging reuse of a previously loaded
                 C:N/   client certificate from file for a connection for which
                 I:P/   no certificate has been set, a different vulnerability
                 A:N)   than CVE-2016-5420.
                        libcurl may read outside of a heap allocated buffer
                        when doing FTP. When libcurl connects to an FTP server
                        and successfully logs in (anonymous or not), it asks
                        the server for the current directory with the `PWD`
                        command. The server then responds with a 257 response
                        containing the path, inside double quotes. The returned
                        path name is then kept by libcurl for subsequent uses.
                        Due to a flaw in the string parser for this directory
                        name, a directory name passed like this but without a
                        closing double quote would lead to libcurl not adding a
                 5.0    trailing NUL byte to the buffer holding the name. When
                 (AV:N/ libcurl would then later access the string, it could
                 AC:L/  read beyond the allocated heap buffer and crash or
CVE-2017-1000254 Au:N/  wrongly access data beyond the buffer, thinking it was
                 C:N/   part of the path. A malicious server could abuse this
                 I:N/   fact and effectively prevent libcurl-based clients to
                 A:P)   work with it - the PWD command is always issued on new
                        FTP connections and the mistake has a high chance of
                        causing a segfault. The simple fact that this has issue
                        remained undiscovered for this long could suggest that
                        malformed PWD responses are rare in benign servers. We
                        are not aware of any exploit of this flaw. This bug was
                        introduced in commit [415d2e7cb7](https://github.com/
                        curl/curl/commit/415d2e7cb7), March 2005. In libcurl
                        version 7.56.0, the parser always zero terminates the
                        string but also rejects it if not terminated properly
                        with a final double quote.
                        In curl before 7.54.1 on Windows and DOS, libcurl's
                        default protocol function, which is the logic that
                        allows an application to set which protocol libcurl
                 5.0    should attempt to use when given a URL without a scheme
                 (AV:N/ part, had a flaw that could lead to it overwriting a
                 AC:L/  heap based memory buffer with seven bytes. If the
CVE-2017-9502    Au:N/  default protocol is specified to be FILE or a file: URL
                 C:N/   lacks two slashes, the given "URL" starts with a drive
                 I:N/   letter, and libcurl is built for Windows or DOS, then
                 A:P)   libcurl would copy the path 7 bytes off, so that the
                        end of the given path would write beyond the malloc
                        buffer (7 bytes being the length in bytes of the ascii
                        string "file://").
                        libcurl 7.1 through 7.57.0 might accidentally leak
                        authentication data to third parties. When asked to
                        send custom headers in its HTTP requests, libcurl will
                 5.0    send that set of headers first to the host in the
                 (AV:N/ initial URL but also, if asked to follow redirects and
                 AC:L/  a 30X HTTP response code is returned, to the host
CVE-2018-1000007 Au:N/  mentioned in URL in the `Location:` response header
                 C:P/   value. Sending the same set of headers to subsequest
                 I:N/   hosts is in particular a problem for applications that
                 A:N)   pass on custom `Authorization:` headers, as this header
                        often contains privacy sensitive information or data
                        that could allow others to impersonate the
                        libcurl-using client's request.
                 5.0
                 (AV:N/
                 AC:L/  A NULL pointer dereference exists in curl 7.21.0 to and
CVE-2018-1000121 Au:N/  including curl 7.58.0 in the LDAP code that allows an
                 C:N/   attacker to cause a denial of service
                 I:N/
                 A:P)
                 4.3    cURL and libcurl 7.18.0 through 7.32.0, when built with
                 (AV:N/ OpenSSL, disables the certificate CN and SAN name field
                 AC:M/  verification (CURLOPT_SSL_VERIFYHOST) when the digital
CVE-2013-4545    Au:N/  signature verification (CURLOPT_SSL_VERIFYPEER) is
                 C:N/   disabled, which allows man-in-the-middle attackers to
                 I:P/   spoof SSL servers via an arbitrary valid certificate.
                 A:N)
                 4.3    The curl_easy_duphandle function in libcurl 7.17.1
                 (AV:N/ through 7.38.0, when running with the
                 AC:M/  CURLOPT_COPYPOSTFIELDS option, does not properly copy
CVE-2014-3707    Au:N/  HTTP POST data for an easy handle, which triggers an
                 C:P/   out-of-bounds read that allows remote web servers to
                 I:N/   read sensitive memory information.
                 A:N)
                 4.3
                 (AV:N/ CRLF injection vulnerability in libcurl 6.0 through 7.x
                 AC:M/  before 7.40.0, when using an HTTP proxy, allows remote
CVE-2014-8150    Au:N/  attackers to inject arbitrary HTTP headers and conduct
                 C:N/   HTTP response splitting attacks via CRLF sequences in a
                 I:P/   URL.
                 A:N)
                        When asking to get a file from a file:// URL, libcurl
                 4.3    provides a feature that outputs meta-data about the
                 (AV:N/ file using HTTP-like headers. The code doing this would
                 AC:M/  send the wrong buffer to the user (stdout or the
CVE-2017-1000099 Au:N/  application's provide callback), which could lead to
                 C:P/   other private data from the heap to get inadvertently
                 I:N/   displayed. The wrong buffer was an uninitialized memory
                 A:N)   area allocated on the heap and if it turned out to not
                        contain any zero byte, it would continue and display
                        the data following that buffer in memory.
                        When doing a TFTP transfer and curl/libcurl is given a
                        URL that contains a very long file name (longer than
                        about 515 bytes), the file name is truncated to fit
                        within the buffer boundaries, but the buffer size is
                 4.3    still wrongly updated to use the untruncated length.
                 (AV:N/ This too large value is then used in the sendto() call,
                 AC:M/  making curl attempt to send more data than what is
CVE-2017-1000100 Au:N/  actually put into the buffer. The endto() function will
                 C:P/   then read beyond the end of the heap based buffer. A
                 I:N/   malicious HTTP(S) server could redirect a vulnerable
                 A:N)   libcurl-using client to a crafted TFTP URL (if the
                        client hasn't restricted which protocols it allows
                        redirects to) and trick it to send private memory
                        contents to a remote server over UDP. Limit curl's
                        redirect protocols with --proto-redir and libcurl's
                        with CURLOPT_REDIR_PROTOCOLS.
                        curl supports "globbing" of URLs, in which a user can
                        pass a numerical range to have the tool iterate over
                 4.3    those numbers to do a sequence of transfers. In the
                 (AV:N/ globbing function that parses the numerical range,
                 AC:M/  there was an omission that made curl read a byte beyond
CVE-2017-1000101 Au:N/  the end of the URL if given a carefully crafted, or
                 C:P/   just wrongly written, URL. The URL is stored in a heap
                 I:N/   based buffer, so it could then be made to wrongly read
                 A:N)   something else instead of crashing. An example of a URL
                        that triggers the flaw would be `http://ur%20
                        [0-60000000000000000000`.
                 4.0    The GnuTLS backend in libcurl 7.21.4 through 7.33.0,
                 (AV:N/ when disabling digital signature verification
                 AC:H/  (CURLOPT_SSL_VERIFYPEER), also disables the
CVE-2013-6422    Au:N/  CURLOPT_SSL_VERIFYHOST check for CN or SAN host name
                 C:P/   fields, which makes it easier for remote attackers to
                 I:P/   spoof servers and conduct man-in-the-middle (MITM)
                 A:N)   attacks.
                 4.0
                 (AV:N/ cURL and libcurl 7.10.6 through 7.34.0, when more than
                 AC:H/  one authentication method is enabled, re-uses NTLM
CVE-2014-0015    Au:N/  connections, which might allow context-dependent
                 C:P/   attackers to authenticate as other users via a request.
                 I:P/
                 A:N)
                 2.6    The (1) mbed_connect_step1 function in lib/vtls/
                 (AV:N/ mbedtls.c and (2) polarssl_connect_step1 function in
                 AC:H/  lib/vtls/polarssl.c in cURL and libcurl before 7.49.0,
CVE-2016-3739    Au:N/  when using SSLv3 or making a TLS connection to a URL
                 C:N/   that uses a numerical IP address, allow remote
                 I:P/   attackers to spoof servers via an arbitrary valid
                 A:N)   certificate.
                 2.1    The ourWriteOut function in tool_writeout.c in curl
                 (AV:L/ 7.53.1 might allow physically proximate attackers to
                 AC:L/  obtain sensitive information from process memory in
CVE-2017-7407    Au:N/  opportunistic circumstances by reading a workstation
                 C:P/   screen during use of a --write-out argument ending in a
                 I:N/   '%' character, which leads to a heap-based buffer
                 A:N)   over-read.
CVE-2016-8615    -      details not found
CVE-2016-8616    -      details not found
CVE-2016-8617    -      details not found
CVE-2016-8618    -      details not found
CVE-2016-8619    -      details not found
CVE-2016-8620    -      details not found
CVE-2016-8621    -      details not found
CVE-2016-8622    -      details not found
CVE-2016-8623    -      details not found
CVE-2016-8624    -      details not found
CVE-2016-8625    -      details not found

Solution:
The following software releases have been updated to resolve this specific
issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D70, 12.3X54-D34, 14.1X53-D47,
14.1X53-D130*, 15.1F6-S11*, 15.1R4-S9, 15.1R7-S1, 15.1R8, 15.1X49-D140,
15.1X53-D67, 15.1X53-D234, 15.1X53-D471, 15.1X54-D70, 16.1R4-S10, 16.1R6-S4,
16.1R7, 16.2R1-S7, 16.2R2-S6, 16.2R3, 17.1R2-S7, 17.1R3, 17.2R1-S6, 17.2R2-S5,
17.2R3, 17.2X75-D100, 17.3R2-S2, 17.3R3, 17.4R1-S4, 17.4R2, 18.1R1-S1*, 18.1R2,
18.2X75-D10, 18.2R1, and all subsequent releases.
*Pending Publication

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).
This issue is being tracked as PR 1347361 which is visible on the Customer
Support website.

Workaround:
Actions which may reduce the risk of exploitation include:
Discontinue the use of cURL scripting.
Avoid using untrusted URLs to fetch updates or to import data into a Junos
device.
Discontinue the use of HTTP with REST APIs.
Utilize certificates and HTTPS with REST APIs.
Consider the use of SSL/TLS mutual authentication.
Limit the number of concurrent REST connections to a device to only the minimum
necessary number to perform the necessary goal, thereby potentially exposing
attackers or limiting the attack surface an attacker can target.
Utilize non-default REST HTTPS ports to obfuscate the use of REST APIs from
potential attackers.
Specify the set of ciphers the server can use to perform encryption and
decryption functions.
Lastly, utilizing common security BCPs to limit the exploitable surface by
limiting access to network and device to trusted systems, administrators,
networks and hosts.
Modification History:

2018-07-11: Initial Publication.
2018-07-31: modified Workaround section line to read: "Discontinue the use of cURL scripting" instead of "Discontinue the use of scripts".

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

  o KB16765: In which releases are vulnerabilities fixed?

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

  o CVE

  o https://curl.haxx.se/

  o https://curl.haxx.se/docs/security.html

  o https://www.juniper.net/documentation/en_US/junos/topics/concept/
    rest-api-overview.html

  o https://www.juniper.net/documentation/en_US/junos/information-products/
    pathway-pages/rest-api/rest-api.pdf

  o https://www.juniper.net/documentation/en_US/junos/topics/topic-map/
    junos-script-automation-libslax-default-extension-libraries.html

CVSS Score:
10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) and 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H
/I:H/A:H)
Risk Level:
Critical
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW2EVFGaOgq3Tt24GAQhKAhAAoQaPzVub1AhLRh9lAkS+Qa1UUxDtXtTv
tK25pepRv98PLf9m/W33+CaHvPRfqRZpQIlVQ6e3KUTDp5uE8+tTQuz5RnhPG7Ek
h1484hGdjGjdwb8wlz7gRB4DXN8hu4V7fWRgN0ysjeDk5I0kYMB/c2dS0Tr4NjM3
4IW0JQdxjSJgayeDu/BbG1sUtwV2q/Piml/s8XEVMbJFC2pB1aKmOeiHie/M/toE
sDiLuTfOwvvop3GNd0gvAkvhenvKRxr1syXrKUsgzvuKexGH5jEY1p0tb5/ujQ9x
uOYrMQzveQyXAx/l5nRRAgfMsXBG/EQoDO/6plDkl5zlUlKmpMscW7yh3G0OnNNN
yk2abusCY4eZjN8w2qZr0oDpNup7cuRFlUnK6gOKtoZBzm0CPdjrib8uLJ1LqXqo
tx8IG2d7RV13zotvhgyd2lOT0SCs0/TpbSOu7HLeRrpiBwdxTzQWqve0xA+g1mcA
jbdWxyaJTaNFiK3HQy44TtTUf9crDW9OxFr43d86Q2H07t2G3kovqD4zF9/f1LAC
Jo5OhTAGye4/W3T6UiLPgvzKEJ7YHv5Pe2t/UYf2BG/32/tZdGA0Wh1shYX0dY/L
MA5YaNA48JNo76cwpgRdXRnpf7IsaWcTMLLJoJjSa4AYmaGa7QuFg+7oU9x6qSRd
vE/tdECn0sM=
=CTAH
-----END PGP SIGNATURE-----

« Back to bulletins