ID CVE-2016-5421
Summary Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.
References
Vulnerable Configurations
  • openSUSE Leap 42.1
    cpe:2.3:o:opensuse:leap:42.1
  • Haxx libcurl 7.50.0
    cpe:2.3:a:haxx:libcurl:7.50.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
CVSS
Base: 7.5 (as of 23-01-2017 - 16:32)
Impact:
Exploitability:
CWE CWE-416
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-24316F1F56.NASL
    description - fix re-using connections with wrong client cert (CVE-2016-5420) - fix TLS session resumption client cert bypass (CVE-2016-5419) - fix use of connection struct after free (CVE-2016-5421) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92767
    published 2016-08-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92767
    title Fedora 24 : curl (2016-24316f1f56)
  • NASL family Misc.
    NASL id LCE_4_8_1.NASL
    description The version of Tenable Log Correlation Engine (LCE) installed on the remote host is prior to 4.8.1. It is, therefore, affected by the following vulnerabilities : - Multiple cross-site scripting (XSS) vulnerabilities exist in the Handlebars library in the lib/handlebars/utils.js script due to a failure to properly escape input passed as unquoted attributes to templates. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2015-8861, CVE-2015-8862) - A heap-based buffer overflow condition exists in the Perl-Compatible Regular Expressions (PCRE) component that is triggered when processing nested back references in a duplicate named group. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1283) - An out-of-bounds read error exists in the libxml2 component in parserInternals.c due to improper parsing of characters in an XML file. An unauthenticated, remote attacker can exploit this to disclose sensitive information or cause a denial of service condition. (CVE-2016-1833) - An overflow condition exists in the libxml2 component in xmlstring.c due to improper validation of user-supplied input when handling a string with NULL. An unauthenticated, remote attacker can exploit this, via a specially crafted file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1834) - Multiple use-after-free errors exist in the libxml2 component in parser.c that is triggered when parsing complex names. An unauthenticated, remote attacker can exploit these issues, via a specially crafted file, to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1835, CVE-2016-1836) - Multiple heap-based buffer overflow conditions exist in the libxml2 component in HTMLparser.c and xmlregexp.c due to improper validation of user-supplied input when parsing characters in a range. An unauthenticated, remote attacker can exploit these issues, via a specially crafted file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1837, CVE-2016-1839, CVE-2016-1840) - Multiple out-of-bounds read errors exist in the libxml2 component in parser.c. An unauthenticated, remote attacker can exploit these issues to disclose sensitive information or cause a denial of service condition. (CVE-2016-1838, CVE-2016-4447) - A heap buffer overflow condition exists in the OpenSSL component in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the OpenSSL component in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Flaws exist in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - A remote code execution vulnerability exists in the OpenSSL component in the ASN.1 encoder due to an underflow condition that occurs when attempting to encode the value zero represented as a negative integer. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2016-2108) - Multiple unspecified flaws exist in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176) - An overflow condition exists in the Perl-Compatible Regular Expressions (PCRE) component due to improper validation of user-supplied input when handling the (*ACCEPT) verb. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-3191) - A flaw exists in the libxml2 component in parser.c that occurs when handling XML content in recovery mode. An unauthenticated, remote attacker can exploit this to cause a stack exhaustion, resulting in a denial of service condition. (CVE-2016-3627) - A flaw exists in the libxml2 component in parser.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a stack exhaustion, resulting in a denial of service condition. (CVE-2016-3705) - A format string flaw exists in the libxml2 component due to improper use of string format specifiers (e.g. %s and %x). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4448) - An XML external entity injection vulnerability exists in parser.c due to improper parsing of XML data. An unauthenticated, remote attacker can exploit this, via specially crafted XML data, to disclose arbitrary files or cause a denial of service condition. (CVE-2016-4449) - An out-of-bounds read error exists in the libxml2 component in xmlsave.c that occurs when handling XML content in recovery mode. An unauthenticated, remote attacker can exploit this to disclose sensitive information or cause a denial of service condition. (CVE-2016-4483) - A security bypass vulnerability exists in the libcurl component due to the program attempting to resume TLS sessions even if the client certificate fails. An unauthenticated, remote attacker can exploit this to bypass validation mechanisms. (CVE-2016-5419) - An information disclosure vulnerability exists in the libcurl component due to the program reusing TLS connections with different client certificates. An unauthenticated, remote attacker can exploit this to disclose sensitive cross-realm information. (CVE-2016-5420) - A use-after-free error exists in the libcurl component that is triggered as connection pointers are not properly cleared for easy handles. An unauthenticated, remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code. (CVE-2016-5421) - Multiple stored cross-site scripting (XSS) vulnerabilities exist due to improper validation of user-supplied input. An authenticated, remote attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user's browsers session. (CVE-2016-9261)
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 97893
    published 2017-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97893
    title Tenable Log Correlation Engine (LCE) < 4.8.1 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2330-1.NASL
    description This update for curl fixes the following issues: Security issues fixed : - CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389) - CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390) - CVE-2016-5421: use of connection struct after free (bsc#991391) - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420) Also the following bug was fixed : - fixing a performance issue (bsc#991746) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93591
    published 2016-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93591
    title SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2016:2330-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-8354BAAE0F.NASL
    description - fix re-using connections with wrong client cert (CVE-2016-5420) - fix TLS session resumption client cert bypass (CVE-2016-5419) - fix use of connection struct after free (CVE-2016-5421) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92990
    published 2016-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92990
    title Fedora 23 : curl (2016-8354baae0f)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-730.NASL
    description curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. (CVE-2016-5419) curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. (CVE-2016-5420) libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors. (CVE-2016-5421)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 93008
    published 2016-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93008
    title Amazon Linux AMI : curl (ALAS-2016-730)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1043.NASL
    description This update for curl fixes the following issues : - fixing a performance regression with FTP (boo#991746) - TLS session resumption client cert bypass (boo#991389, CVE-2016-5419) - Re-using connections with wrong client cert (boo#991390, CVE-2016-5420) - use of connection struct after free (boo#991391, CVE-2016-5421)
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 93334
    published 2016-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93334
    title openSUSE Security Update : curl (openSUSE-2016-1043)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1124.NASL
    description This update for curl fixes the following issues : Security issues fixed : - CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389) - CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390) - CVE-2016-5421: use of connection struct after free (bsc#991391) - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420) Also the following bug was fixed : - fixing a performance issue (bsc#991746) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 93708
    published 2016-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93708
    title openSUSE Security Update : curl (openSUSE-2016-1124)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_E4BC70FC5A2F11E6A1BC589CFC0654E1.NASL
    description Curl security team reports : CVE-2016-5419 - TLS session resumption client cert bypass CVE-2016-5420 - Re-using connections with wrong client cert CVE-2016-5421 - use of connection struct after free
    last seen 2018-12-20
    modified 2018-12-19
    plugin id 92742
    published 2016-08-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92742
    title FreeBSD : Vulnerabilities in Curl (e4bc70fc-5a2f-11e6-a1bc-589cfc0654e1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3048-1.NASL
    description Bru Rom discovered that curl incorrectly handled client certificates when resuming a TLS session. (CVE-2016-5419) It was discovered that curl incorrectly handled client certificates when reusing TLS connections. (CVE-2016-5420) Marcelo Echeverria and Fernando Munoz discovered that curl incorrectly reused a connection struct, contrary to expectations. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5421). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 92815
    published 2016-08-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92815
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : curl vulnerabilities (USN-3048-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_12_2.NASL
    description The remote host is running a version of macOS that is 10.12.x prior to 10.12.2. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php - AppleGraphicsPowerManagement - Assets - Audio - Bluetooth - CoreCapture - CoreFoundation - CoreGraphics - CoreMedia External Displays - CoreMedia Playback - CoreStorage - CoreText - curl - Directory Services - Disk Images - FontParser - Foundation - Grapher - ICU - ImageIO - Intel Graphics Driver - IOFireWireFamily - IOAcceleratorFamily - IOHIDFamily - IOKit - IOSurface - Kernel - kext tools - libarchive - LibreSSL - OpenLDAP - OpenPAM - OpenSSL - Power Management - Security - syslog - WiFi - xar Note that successful exploitation of the most serious issues can result in arbitrary code execution. Furthermore, CVE-2016-6304, CVE-2016-7596, and CVE-2016-7604 also affect Mac OS X versions 10.10.5 and 10.11.6. However, this plugin does not check those versions.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 95917
    published 2016-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95917
    title macOS 10.12.x < 10.12.2 Multiple Vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-219-01.NASL
    description New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2016-10-19
    plugin id 92758
    published 2016-08-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92758
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : curl (SSA:2016-219-01)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3638.NASL
    description Several vulnerabilities were discovered in cURL, an URL transfer library : - CVE-2016-5419 Bru Rom discovered that libcurl would attempt to resume a TLS session even if the client certificate had changed. - CVE-2016-5420 It was discovered that libcurl did not consider client certificates when reusing TLS connections. - CVE-2016-5421 Marcelo Echeverria and Fernando Munoz discovered that libcurl was vulnerable to a use-after-free flaw.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92730
    published 2016-08-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92730
    title Debian DSA-3638-1 : curl - security update
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-47.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-47 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers and bug reports referenced for details. Impact : Remote attackers could conduct a Man-in-the-Middle attack to obtain sensitive information, cause a Denial of Service condition, or execute arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-01-20
    plugin id 96644
    published 2017-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96644
    title GLSA-201701-47 : cURL: Multiple vulnerabilities
  • NASL family Misc.
    NASL id ORACLE_SECURE_GLOBAL_DESKTOP_APR_2017_CPU.NASL
    description