-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2015.0062
       Multiple vulnerabilities have been identified in cURL
                              18 June 2015
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              curl
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Access Privileged Data -- Remote/Unauthenticated
                      Denial of Service      -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-3237 CVE-2015-3236
Member content until: Saturday, July 18 2015

OVERVIEW

        Multiple vulnerabilities have been identified in cURL versions
        between 7.40.0 inclusive and 7.43.0. [1]

IMPACT

        The following details have been provided regarding the
        vulnerabilities:

        CVE-2015-3236:
        "libcurl can wrongly send HTTP credentials when re-using
        connections.

        libcurl allows applications to set credentials for the upcoming
        transfer with HTTP Basic authentication, like with CURLOPT_USERPWD
        for example. Name and password. Just like all other libcurl options
        the credentials are sticky and are kept associated with the
        "handle" until something is made to change the situation.

        Further, libcurl offers a curl_easy_reset() function that resets a
        handle back to its pristine state in terms of all settable options.
        A reset is of course also supposed to clear the credentials. A
        reset is typically used to clear up the handle and prepare it for
        a new, possibly unrelated, transfer.

        Within such a handle, libcurl can also store a set of previous
        connections in case a second transfer is requested to a host name
        for which an existing connection is already kept alive.

        With this flaw present, using the handle even after a reset would
        make libcurl accidentally use those credentials in a subsequent
        request if done to the same host name and connection as was
        previously accessed.
        An example case would be first requesting a password protected
        resource from one section of a web site, and then doing a second
        request of a public resource from a completely different part of
        the site without authentication. This flaw would then
        inadvertently leak the credentials in the second request." [2]

        CVE-2015-3237:
        "libcurl can get tricked by a malicious SMB server to send off
        data it did not intend to.

        In libcurl's state machine function handling the SMB protocol
        (smb_request_state()), two length and offset values are extracted
        from data that has arrived over the network, and those values are
        subsequently used to figure out what data range to send back. The
        values are used and trusted without boundary checks and are just
        assumed to be valid. This allows carefully handcrafted packages to
        trick libcurl into responding and sending off data that was not
        intended. Or just crash if the values cause libcurl to access
        invalid memory." [3]

MITIGATION

        Users are advised to upgrade cURL to version 7.43.0. [1-3]

REFERENCES

        [1] cURL -- Multiple Vulnerability
            http://www.vuxml.org/freebsd/2438d4af-1538-11e5-a106-3c970e169bc2.html

        [2] lingering HTTP credentials in connection re-use
            http://curl.haxx.se/docs/adv_20150617A.html

        [3] SMB send off unrelated memory contents
            http://curl.haxx.se/docs/adv_20150617B.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.
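The CVE-2015-3237 text above describes two length and offset values taken from the network and used "without boundary checks". The C program below is an added illustration of that bug class and its fix, written for this bulletin; it is not libcurl's smb_request_state() code and does not reproduce the SMB message format. The receive buffer, the sizes and all function names are constructed for the example. The point it adds is that the obvious fix, checking off + len <= size, is itself unsafe because size_t addition wraps; the hardened check validates the offset first and then compares the length against the space that remains.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed receive buffer standing in for a message that arrived from the
   network (not libcurl's SMB code; names and sizes are made up for this
   example). 'off' and 'len' below play the role of the two peer-supplied
   values the advisory describes. */
#define RX_SIZE 64
static const uint8_t rx_data[RX_SIZE] = { 0xAA };

/* The check a careless implementation might write: form off + len and
   compare it with the buffer size. Both operands come from the peer, and
   size_t addition wraps, so an absurd offset plus a small length passes. */
static bool range_ok_naive(size_t size, size_t off, size_t len)
{
    return off + len <= size;
}

/* Hardened check: never forms off + len. First confirm the offset lies
   inside the buffer, then that the length fits in the space remaining.
   Every value that came off the wire is validated before it selects memory. */
static bool range_ok_checked(size_t size, size_t off, size_t len)
{
    if (off > size)
        return false;
    return len <= size - off;
}

/* Copy the requested slice of buf[] into out[] for sending, but only after
   the hardened check accepts it (and the destination can hold it). Returns
   the number of bytes copied; 0 with *rejected set means the peer's values
   were out of range and nothing should be sent back. */
static size_t reply_slice(const uint8_t *buf, size_t size, size_t off, size_t len,
                          uint8_t *out, size_t outcap, bool *rejected)
{
    *rejected = false;
    if (!range_ok_checked(size, off, len) || len > outcap) {
        *rejected = true;
        return 0;
    }
    memcpy(out, buf + off, len);
    return len;
}

int main(void)
{
    uint8_t out[RX_SIZE];
    bool rejected;

    /* In-range request: accepted. */
    size_t n = reply_slice(rx_data, RX_SIZE, 60, 4, out, sizeof out, &rejected);
    printf("off=60 len=4          -> copied %zu, rejected=%d\n", n, (int)rejected);

    /* Offset near SIZE_MAX: the naive sum wraps and passes, the hardened
       check refuses and nothing is copied. */
    size_t off = SIZE_MAX - 4;
    printf("off=SIZE_MAX-4 len=8  -> naive=%d checked=%d\n",
           (int)range_ok_naive(RX_SIZE, off, 8), (int)range_ok_checked(RX_SIZE, off, 8));
    n = reply_slice(rx_data, RX_SIZE, off, 8, out, sizeof out, &rejected);
    printf("off=SIZE_MAX-4 len=8  -> copied %zu, rejected=%d\n", n, (int)rejected);
    return 0;
}
```

When reviewing code that consumes length or offset fields from a peer, look for the two properties shown here: the value is compared against the real buffer bounds before it is used, and the comparison is written so that no intermediate sum can overflow.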
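The OVERVIEW and MITIGATION sections give the affected range (7.40.0 inclusive up to, but not including, 7.43.0) and the fixed release. The following C program is an added triage helper, not part of the bulletin or of the curl project: it parses the libcurl version out of the first line of `curl --version` and reports whether it falls in that range. The banner string in main() is constructed for the example; the function names are the author's own.

```c
#include <stdio.h>
#include <string.h>

/* Affected range stated in the bulletin: 7.40.0 <= libcurl < 7.43.0. */
#define FIRST_AFFECTED "7.40.0"
#define FIRST_FIXED    "7.43.0"

/* Turn "MAJOR.MINOR[.PATCH]" into one comparable number.
   Returns -1 when the string does not start with a dotted version. */
static long version_key(const char *s)
{
    unsigned major = 0, minor = 0, patch = 0;
    if (sscanf(s, "%u.%u.%u", &major, &minor, &patch) < 2)
        return -1;
    return (long)major * 1000000L + (long)minor * 1000L + (long)patch;
}

/* 1 = inside the affected range, 0 = outside it, -1 = could not parse
   (report it for manual inspection rather than silently passing it). */
static int curl_version_affected(const char *version)
{
    long v = version_key(version);
    if (v < 0)
        return -1;
    return (v >= version_key(FIRST_AFFECTED) && v < version_key(FIRST_FIXED)) ? 1 : 0;
}

/* Pull the libcurl version out of the first line of `curl --version`, which
   looks like "curl 7.42.1 (x86_64-pc-linux-gnu) libcurl/7.42.1 ...". The
   library version is the one that matters: both flaws are in libcurl, and
   the curl binary may be linked against a different libcurl build.
   Returns 1 and fills out[] on success, 0 if no "libcurl/" token is found. */
static int libcurl_version_from_banner(const char *banner, char *out, size_t outcap)
{
    const char *p = strstr(banner, "libcurl/");
    if (p == NULL || outcap == 0)
        return 0;
    p += strlen("libcurl/");
    size_t i = 0;
    while (i + 1 < outcap && (p[i] == '.' || (p[i] >= '0' && p[i] <= '9'))) {
        out[i] = p[i];
        i++;
    }
    out[i] = '\0';
    return i > 0;
}

int main(void)
{
    /* Constructed banner in the shape of a real `curl --version` first line. */
    const char *banner =
        "curl 7.42.1 (x86_64-pc-linux-gnu) libcurl/7.42.1 OpenSSL/1.0.2 zlib/1.2.8";
    char ver[32];
    if (!libcurl_version_from_banner(banner, ver, sizeof ver)) {
        puts("no libcurl version found in banner");
        return 1;
    }
    switch (curl_version_affected(ver)) {
    case 1:  printf("libcurl %s: AFFECTED, upgrade to %s\n", ver, FIRST_FIXED); break;
    case 0:  printf("libcurl %s: not in the affected range\n", ver); break;
    default: printf("libcurl %s: version not understood, inspect by hand\n", ver); break;
    }
    return 0;
}
```

Applications that bundle their own libcurl (static builds, vendored copies) will not show up in the system curl banner, so an inventory should also check those binaries' linked library versions.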
===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVYJIz36ZAP0PgtI9AQLAIw//e28qYRaKweCS64N3EbtVYwvxePozLI0M
+X14HXvGvMZ9e3ILMpw41oxKu78V1Q20QIB7tWDDzaun4mxtr/LXO+hedRUGZhyy
1VOqc9y3dMe8nc3qcGLBKrQ3XELUVs9wc8UVeJa3WPQ1XZ408mNguGj6O00+Pald
Nk+NO4YRqx7a/ihGxclVajDA0emaqUHcr3uamxTFleey1mkyu66jyGBUBOsZa/y3
+YwU0eRmvr/tX69k5wJQzaL1bEo0up4CRWpfdvpHkGmbaGaoFxH6Jez1d9D03Qpf
yWC4bXbdVgwYVbXYGx6oqe4iAGV0TuoFaGsjFLneBEf1+LAysg84Pb3cSznnXIs0
3ZawZY2E1XFkyp8Gc85w91ms8bxWfOE7oIab2DVsZ0hGSWXi9ZUrdg9pc+kPKEgb
kPtyhQRJki3PLwK3Z1RdhjymlxEn57Ema99xK+TyPIUbtLSIx5lqAL3c54QcVJxb
ji08+DWgrzP0pCwHwyoZnD0XCUniaBoAJ7Dgec4qHnmgE/r/y41jAqRw28PcoJB3
1I9Pmm7Yv/DJGSC7aP1/j+Ruht7sYRUxlt6skSS/G9ptU5GobE9oJZvBVI2eu/fl
WuhhYSiLU5iaWpVBDDEchLqR54dLuWRQkVzIMUhpt7FKWOIm8u2yCBsgzXEB/Pjc
ylC2Nba01LA=
=VUrT
-----END PGP SIGNATURE-----