08 February 2013
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0170 libcurl SASL buffer overflow vulnerability 8 February 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libcurl Operating System: Windows Mobile Device UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2013-0249 Original Bulletin: http://curl.haxx.se/docs/adv_20130206.html - --------------------------BEGIN INCLUDED TEXT-------------------- libcurl SASL buffer overflow vulnerability ========================================== Project cURL Security Advisory, February 6th 2013 http://curl.haxx.se/docs/security.html 1. VULNERABILITY libcurl is vulnerable to a buffer overflow vulnerability when communicating with one of the protocols POP3, SMTP or IMAP. When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided from the server without doing the proper length checks and that data is then appended to a local fixed-size buffer on the stack. This vulnerability can be exploited by someone who is in control of a server that a libcurl based program is accessing with POP3, SMTP or IMAP. For applications that accept user provided URLs, it is also thinkable that a malicious user would feed an application with a URL to a server hosting code targetting this flaw. This vulnerability can be used for remote code execution (RCE) on vulnerable systems. Both curl the command line tool and applications using the libcurl library are vulnerable. There is no known exploit for this problem. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2013-0249 to this issue. 2. AFFECTED VERSIONS Affected versions: curl 7.26.0 to and including 7.28.1 Not affected versions: curl < 7.26.0 and >= 7.29.0 Also note that libcurl is used by many applications, and not always advertised as such. 3. THE SOLUTION libcurl 7.29.0 implements proper bounds checking and will not overflow any buffers even if unrealistically long data chunks are received. 4. RECOMMENDATIONS We suggest you take one of the following actions immediately, in order of preference: A - Upgrade to curl and libcurl 7.29.0 B - Apply this patch and rebuild libcurl http://curl.haxx.se/curl-sasl.patch C - Rebuild curl with support for vulnerable protocols IMAP, POP3 and SMTP disabled. D - Disable the vulnerable protocols IMAP, POP3 and SMTP at run-time to forbid libcurl from using them. You can do this with the CURLOPT_PROTOCOLS option. 5. TIME LINE Vulnerability found and patched by Volema (http://volema.com/). It was reported to the curl project on January 30th 2013. curl 7.29.0 was released on February 6th 2013, coordinated with the publication of this flaw. 6. CREDITS Reported and fixed by Volema. Thanks a lot! - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBURR48u4yVqjM2NGpAQINURAAsujZJXIyEpuAULNufXycVd1LZiVNWVgQ qX43g1GeJoh1+rrUGnOcOM/WYUHRBx9M8h/e9lfeFAZzL6YJtLmbSLeIr7aOluXh fOEUF/9iWgtDelH31BH6oWyJVXnwI/SJjHI/9I9zfMj3jQGaAGyarIUYOe/3Z2Xf lBsvt7qee3WsSl1CFL7wkHa2r4+h9xM/XMKfAbYUqyS/n3kFdkV+LoO2MyyyBQgn ofE5DQbwVdA4OhIPvN1fEQDsSSQQc/SuJIB5K0vyT9d/lZglsk4foSUYZBeHb09s klKvamZDBYardS7hFIR4pFnsVxd8HGEybyGjyuMkAYSaR2Mi0AnE6X4AgfkSBy38 XIPre4bQ3zITqRyX701RB3892jQb+KlfM3mPHcFC2ZxhS9GBWexVt3QPPmkFd+wq RWcHMzJm8twgf25NSvVxoV755gSWy5dxhYEmI3akG9ntqjMiNPu6a8ZYHq5g+Bek cy7XfIDVQi3BKx5NfLNbreS7STDdDo2dH2pchfWacMRAh/KxzHXsa2RxUBy+6Acr HD6H8JIlvnNk6Tori5HnrwZluVmuds91Yrt/kHz7KnXE65FYRrFkql97YhriNpn/ ItTZKepesMVoJA/k3u/yQS2Vw2mphJnPaBCgaSKHP++kYlIvYsa/rI7H/lTtsQic sNzWes7GCXo= =RKq5 -----END PGP SIGNATURE-----