ID CVE-2017-2628
Summary curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
References
Vulnerable Configurations
  • Haxx Curl 7.19.7
    cpe:2.3:a:haxx:curl:7.19.7
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into a script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back-end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client-side scripts like Ajax and client-side JavaScript can contain malicious scripts as well. In general, all that is required is that there are sufficient privileges to execute a script and that the script is not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0847.NASL
    description An update for curl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es) : * It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. (CVE-2017-2628) This issue was discovered by Paulo Andrade (Red Hat).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 99335
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99335
    title RHEL 6 : curl (RHSA-2017:0847)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170329_CURL_ON_SL6_X.NASL
    description Security Fix(es) : - It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. (CVE-2017-2628)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 99229
    published 2017-04-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99229
    title Scientific Linux Security Update : curl on SL6.x i386/x86_64
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0059.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates:
      - treat Negotiate authentication as connection-oriented (CVE-2017-2628)
      - fix a bug in DNS caching code that causes a memory leak (#1302893)
      - SSH: make CURLOPT_SSH_PUBLIC_KEYFILE treat '' as NULL (#1260742)
      - use the default min/max TLS version provided by NSS (#1289205)
      - prevent NSS from incorrectly re-using a session (#1269660)
      - prevent test46 from failing due to expired cookie (#1277551)
      - SSH: do not require public key file for user authentication (#1260742)
      - make SCP/SFTP work with --proxytunnel (#1258566)
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 99113
    published 2017-03-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99113
    title OracleVM 3.3 / 3.4 : curl (OVMSA-2017-0059)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-0847.NASL
    description From Red Hat Security Advisory 2017:0847 : An update for curl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es) : * It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. (CVE-2017-2628) This issue was discovered by Paulo Andrade (Red Hat).
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 99075
    published 2017-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99075
    title Oracle Linux 6 : curl (ELSA-2017-0847)
redhat via4
advisories
bugzilla
id 1422464
title CVE-2017-2628 curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148)
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment curl is earlier than 0:7.19.7-53.el6_9
        oval oval:com.redhat.rhsa:tst:20170847009
      • comment curl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918016
    • AND
      • comment libcurl is earlier than 0:7.19.7-53.el6_9
        oval oval:com.redhat.rhsa:tst:20170847007
      • comment libcurl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918020
    • AND
      • comment libcurl-devel is earlier than 0:7.19.7-53.el6_9
        oval oval:com.redhat.rhsa:tst:20170847005
      • comment libcurl-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918018
rhsa
id RHSA-2017:0847
released 2017-03-29
severity Moderate
title RHSA-2017:0847: curl security update (Moderate)
rpms
  • curl-0:7.19.7-53.el6_9
  • libcurl-0:7.19.7-53.el6_9
  • libcurl-devel-0:7.19.7-53.el6_9
refmap via4
bid 97187
confirm https://bugzilla.redhat.com/show_bug.cgi?id=1422464
Last major update 12-03-2018 - 11:29
Published 12-03-2018 - 11:29
Last modified 04-04-2019 - 12:54