ID CVE-2016-7167
Summary Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.
References
Vulnerable Configurations
  • Fedora 25
    cpe:2.3:o:fedoraproject:fedora:25
  • Fedora Project Fedora 23
    cpe:2.3:o:fedoraproject:fedora:23
  • Fedora 24
    cpe:2.3:o:fedoraproject:fedora:24
  • Haxx libcurl 7.50.2
    cpe:2.3:a:haxx:libcurl:7.50.2
CVSS
Base: 7.5 (as of 07-10-2016 - 12:35)
Impact:
Exploitability:
CWE CWE-190
CAPEC
  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to get it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_12_2.NASL
    description The remote host is running a version of macOS that is 10.12.x prior to 10.12.2. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php - AppleGraphicsPowerManagement - Assets - Audio - Bluetooth - CoreCapture - CoreFoundation - CoreGraphics - CoreMedia External Displays - CoreMedia Playback - CoreStorage - CoreText - curl - Directory Services - Disk Images - FontParser - Foundation - Grapher - ICU - ImageIO - Intel Graphics Driver - IOFireWireFamily - IOAcceleratorFamily - IOHIDFamily - IOKit - IOSurface - Kernel - kext tools - libarchive - LibreSSL - OpenLDAP - OpenPAM - OpenSSL - Power Management - Security - syslog - WiFi - xar Note that successful exploitation of the most serious issues can result in arbitrary code execution. Furthermore, CVE-2016-6304, CVE-2016-7596, and CVE-2016-7604 also affect Mac OS X versions 10.10.5 and 10.11.6. However, this plugin does not check those versions.
    last seen 2017-10-29
    modified 2017-07-17
    plugin id 95917
    published 2016-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95917
    title macOS 10.12.x < 10.12.2 Multiple Vulnerabilities
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-47.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-47 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers and bug reports referenced for details. Impact : Remote attackers could conduct a Man-in-the-Middle attack to obtain sensitive information, cause a Denial of Service condition, or execute arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2017-10-29
    modified 2017-01-20
    plugin id 96644
    published 2017-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96644
    title GLSA-201701-47 : cURL: Multiple vulnerabilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170801_CURL_ON_SL7_X.NASL
    description Security Fix(es) : - Multiple integer overflow flaws leading to heap-based buffer overflows were found in the way curl handled escaping and unescaping of data. An attacker could potentially use these flaws to crash an application using libcurl by sending a specially crafted input to the affected libcurl functions. (CVE-2016-7167)
    last seen 2017-10-29
    modified 2017-08-22
    plugin id 102639
    published 2017-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102639
    title Scientific Linux Security Update : curl on SL7.x x86_64
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1036.NASL
    description According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.(CVE-2016-7167) - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-05-04
    plugin id 99881
    published 2017-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99881
    title EulerOS 2.0 SP1 : curl (EulerOS-SA-2017-1036)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1035.NASL
    description According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.(CVE-2016-7167) - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-05-04
    plugin id 99880
    published 2017-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99880
    title EulerOS 2.0 SP2 : curl (EulerOS-SA-2017-1035)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2016.NASL
    description An update for curl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es) : * Multiple integer overflow flaws leading to heap-based buffer overflows were found in the way curl handled escaping and unescaping of data. An attacker could potentially use these flaws to crash an application using libcurl by sending a specially crafted input to the affected libcurl functions. (CVE-2016-7167) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2017-10-29
    modified 2017-08-25
    plugin id 102750
    published 2017-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102750
    title CentOS 7 : curl (CESA-2017:2016)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2016.NASL
    description An update for curl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es) : * Multiple integer overflow flaws leading to heap-based buffer overflows were found in the way curl handled escaping and unescaping of data. An attacker could potentially use these flaws to crash an application using libcurl by sending a specially crafted input to the affected libcurl functions. (CVE-2016-7167) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2017-10-29
    modified 2017-08-03
    plugin id 102111
    published 2017-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102111
    title RHEL 7 : curl (RHSA-2017:2016)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2016.NASL
    description From Red Hat Security Advisory 2017:2016 : An update for curl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es) : * Multiple integer overflow flaws leading to heap-based buffer overflows were found in the way curl handled escaping and unescaping of data. An attacker could potentially use these flaws to crash an application using libcurl by sending a specially crafted input to the affected libcurl functions. (CVE-2016-7167) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2017-10-29
    modified 2017-08-09
    plugin id 102295
    published 2017-08-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102295
    title Oracle Linux 7 : curl (ELSA-2017-2016)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3123-1.NASL
    description It was discovered that curl incorrectly reused client certificates when built with NSS. A remote attacker could possibly use this issue to hijack the authentication of a TLS connection. (CVE-2016-7141) Nguyen Vu Hoang discovered that curl incorrectly handled escaping certain strings. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7167) It was discovered that curl incorrectly handled storing cookies. A remote attacker could possibly use this issue to inject cookies for arbitrary domains in the cookie jar. (CVE-2016-8615) It was discovered that curl incorrectly handled case when comparing user names and passwords. A remote attacker with knowledge of a case-insensitive version of the correct password could possibly use this issue to cause a connection to be reused. (CVE-2016-8616) It was discovered that curl incorrectly handled memory when encoding to base64. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8617) It was discovered that curl incorrectly handled memory when preparing formatted output. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8618) It was discovered that curl incorrectly handled memory when performing Kerberos authentication. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8619) Luat Nguyen discovered that curl incorrectly handled parsing globs. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8620) Luat Nguyen discovered that curl incorrectly handled converting dates. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service. (CVE-2016-8621) It was discovered that curl incorrectly handled URL percent-encoding decoding. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-8622) It was discovered that curl incorrectly handled shared cookies. A remote server could possibly obtain incorrect cookies or other sensitive information. (CVE-2016-8623) Fernando Munoz discovered that curl incorrectly parsed certain URLs. A remote attacker could possibly use this issue to trick curl into connecting to a different host. (CVE-2016-8624). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-01
    plugin id 94574
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94574
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : curl vulnerabilities (USN-3123-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2714-1.NASL
    description This update for curl fixes the following security issues : - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646) - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645) - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642) - CVE-2016-8619: double-free in krb5 code (bsc#1005638) - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637) - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635) - CVE-2016-8616: case insensitive password comparison (bsc#1005634) - CVE-2016-8615: cookie injection for other servers (bsc#1005633) - CVE-2016-7167: escape and unescape integer overflows (bsc#998760) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-27
    plugin id 94572
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94572
    title SUSE SLES11 Security Update : curl (SUSE-SU-2016:2714-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-80F4F71EFF.NASL
    description - reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 93883
    published 2016-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93883
    title Fedora 23 : curl (2016-80f4f71eff)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_B018121B7A4B11E6BF52B499BAEBFEAF.NASL
    description The cURL project reports The four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape and curl_easy_unescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments. The provided string length arguments were not properly checked and due to arithmetic in the functions, passing in the length 0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up causing an allocation of zero bytes of heap memory that curl would attempt to write gigabytes of data into.
    last seen 2017-10-29
    modified 2016-10-19
    plugin id 93498
    published 2016-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93498
    title FreeBSD : cURL -- Escape and unescape integer overflows (b018121b-7a4b-11e6-bf52-b499baebfeaf)
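The FreeBSD entry above describes the mechanism: a signed int length of -1 (0xffffffff) is cast to an unsigned size, the +1 for the terminator wraps to 0, and a zero-byte heap buffer is allocated. The following is an added illustration, not libcurl's source: a hypothetical reconstruction of that sizing arithmetic beside a hardened variant that applies the "reject negative string lengths" fix the Fedora entries mention, plus a small percent-escaper (`safe_escape`, a name assumed here) built on the checked sizing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizing step as the advisory describes it (hypothetical reconstruction):
 * a signed int length is cast to size_t and 1 is added for the terminator.
 * With inlength == -1 (0xffffffff as a 32-bit int) the cast yields SIZE_MAX
 * and the +1 wraps to 0, so the heap buffer would be zero bytes while the
 * copy loop still believes it has SIZE_MAX bytes of input to process.
 * A length of 0 means "use strlen()", following curl's documented API. */
size_t unchecked_buffer_size(const char *string, int inlength)
{
    size_t length = inlength ? (size_t)inlength : strlen(string);
    return length + 1;  /* unsigned wrap: returns 0 for inlength == -1 */
}

/* Hardened sizing mirroring the fix: refuse negative lengths before any
 * arithmetic. Returns 1 and sets *out on success, 0 on rejection. */
int checked_buffer_size(const char *string, int inlength, size_t *out)
{
    if (inlength < 0)
        return 0;
    *out = (inlength ? (size_t)inlength : strlen(string)) + 1;
    return 1;
}

/* Minimal RFC 3986 percent-escaper on top of the checked sizing. Every byte
 * may expand to three ("%XX"), so the output is sized 3*length+1, and the
 * multiplication is guarded too. Returns a malloc'd string the caller frees,
 * or NULL for a negative length or allocation failure. */
char *safe_escape(const char *string, int inlength)
{
    size_t need, length, i, j = 0;
    if (!checked_buffer_size(string, inlength, &need))
        return NULL;
    length = need - 1;
    if (length > (SIZE_MAX - 1) / 3)
        return NULL;
    char *out = malloc(length * 3 + 1);
    if (!out)
        return NULL;
    for (i = 0; i < length; i++) {
        unsigned char c = (unsigned char)string[i];
        int unreserved = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                         (c >= '0' && c <= '9') || c == '-' || c == '.' ||
                         c == '_' || c == '~';
        if (unreserved)
            out[j++] = (char)c;
        else
            j += (size_t)snprintf(out + j, 4, "%%%02X", c);  /* writes 3 chars */
    }
    out[j] = '\0';
    return out;
}

int main(void)
{
    /* Shows the wrapped size only; nothing is allocated or written from it. */
    printf("unchecked size for length -1: %zu bytes\n",
           unchecked_buffer_size("x", -1));
    char *e = safe_escape("a b/c", 0);
    printf("escaped: %s\n", e ? e : "(null)");
    free(e);
    printf("negative length rejected: %s\n",
           safe_escape("abc", -1) ? "no" : "yes");
    return 0;
}
```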
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-625.NASL
    description It was discovered that the four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape and curl_easy_unescape accepted negative string length inputs. For Debian 7 'Wheezy', these problems have been fixed in version 7.26.0-1+wheezy16. We recommend that you upgrade your curl packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-06
    plugin id 93565
    published 2016-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93565
    title Debian DLA-625-1 : curl security update
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-259-01.NASL
    description New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen 2017-10-29
    modified 2016-10-19
    plugin id 93535
    published 2016-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93535
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : curl (SSA:2016-259-01)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-7A2ED52D41.NASL
    description - reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 93551
    published 2016-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93551
    title Fedora 24 : curl (2016-7a2ed52d41)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2699-1.NASL
    description This update for curl fixes the following security issues : - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646) - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645) - CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643) - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642) - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640) - CVE-2016-8619: double-free in krb5 code (bsc#1005638) - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637) - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635) - CVE-2016-8616: case insensitive password comparison (bsc#1005634) - CVE-2016-8615: cookie injection for other servers (bsc#1005633) - CVE-2016-7167: escape and unescape integer overflows (bsc#998760) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-27
    plugin id 94506
    published 2016-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94506
    title SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2016:2699-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1280.NASL
    description This update for curl fixes the following security issues : - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646) - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645) - CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643) - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642) - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640) - CVE-2016-8619: double-free in krb5 code (bsc#1005638) - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637) - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635) - CVE-2016-8616: case insensitive password comparison (bsc#1005634) - CVE-2016-8615: cookie injection for other servers (bsc#1005633) - CVE-2016-7167: escape and unescape integer overflows (bsc#998760) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2017-10-29
    modified 2016-11-14
    plugin id 94752
    published 2016-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94752
    title openSUSE Security Update : curl (openSUSE-2016-1280)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-08533FC59C.NASL
    description - reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-11-15
    plugin id 94770
    published 2016-11-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94770
    title Fedora 25 : curl (2016-08533fc59c)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-742.NASL
    description After testing original CVE-2016-5420 patch, it was discovered that libcurl built on top of NSS (Network Security Services) still incorrectly re-uses client certificates if a certificate from file is used for one TLS connection but no certificate is set for a subsequent TLS connection.
    last seen 2017-10-29
    modified 2016-10-17
    plugin id 93743
    published 2016-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93743
    title Amazon Linux AMI : curl (ALAS-2016-742)
redhat via4
advisories
bugzilla
id 1420327
title CURL 7.29 cannot connect to FTPS using proxytunnel
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhsa:tst:20140675001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhsa:tst:20140675002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20140675003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20140675004
  • OR
    • AND
      • comment curl is earlier than 0:7.29.0-42.el7
        oval oval:com.redhat.rhsa:tst:20172016009
      • comment curl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918011
    • AND
      • comment libcurl is earlier than 0:7.29.0-42.el7
        oval oval:com.redhat.rhsa:tst:20172016007
      • comment libcurl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918015
    • AND
      • comment libcurl-devel is earlier than 0:7.29.0-42.el7
        oval oval:com.redhat.rhsa:tst:20172016005
      • comment libcurl-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918013
rhsa
id RHSA-2017:2016
released 2017-08-01
severity Moderate
title RHSA-2017:2016: curl security, bug fix, and enhancement update (Moderate)
rpms
  • curl-0:7.29.0-42.el7
  • libcurl-0:7.29.0-42.el7
  • libcurl-devel-0:7.29.0-42.el7
refmap via4
bid 92975
confirm https://curl.haxx.se/docs/adv_20160914.html
fedora
  • FEDORA-2016-08533fc59c
  • FEDORA-2016-7a2ed52d41
  • FEDORA-2016-80f4f71eff
gentoo GLSA-201701-47
sectrack 1036813
slackware SSA:2016-259-01
Last major update 11-10-2016 - 08:17
Published 07-10-2016 - 10:59
Last modified 30-06-2017 - 21:30