CVE-2022-42915
Published: 2022-10-29
Priority: P3 (50) · Severity: high · CVSS 3.1 base score: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.93% (85.3th percentile)
curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
Affected
31 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos | >= 12.0.0 < 12.6.3 | 12.6.3 |
| apple | macos | >= 13.0 < 13.2 | 13.2 |
| apple | macos_monterey | — | — |
| apple | macos_ventura | — | — |
| debian | curl | < curl 7.86.0-1 (bookworm) | curl 7.86.0-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| haxx | curl | >= 0 < 7.86.0-1 | 7.86.0-1 |
| haxx | curl | >= 0 < 7.86.0-1 | 7.86.0-1 |
| haxx | curl | >= 0 < 7.86.0-1 | 7.86.0-1 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.21 | 7.58.0-2ubuntu3.21 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.14 | 7.68.0-1ubuntu2.14 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.6 | 7.81.0-1ubuntu1.6 |
| haxx | curl | >= 7.77.0 < 7.86.0 | 7.86.0 |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.11.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_curl_7.86.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | — |
| vendor_ubuntu | 9.8 | CRITICAL | — |
| vendor_debian | 8.1 | HIGH | — |
| vendor_msrc | 8.1 | HIGH | — |
| vendor_redhat | 8.1 | HIGH | — |
| vendor_oracle | 7.2 | HIGH | — |
CISA ICS
Siemens SINEC NMS Third-Party
cisa_ics·2023-05-11·CVSS 9.8
[CRITICAL] Siemens SINEC NMS Third-Party
ICS Advisory
Siemens SINEC NMS Third-Party
Release Date: May 11, 2023
Alert Code: ICSA-23-131-05
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Third-party components libexpat and libcurl in SINEC NMS
- Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Tran
Apple
CVE-2022-42915: macOS Ventura 13.2
vendor_apple·2023-01-23·CVSS 8.1
CVE-2022-42915 [HIGH] CVE-2022-42915: macOS Ventura 13.2
Apple Security Update: About the security content of macOS Ventura 13.2
Product: macOS Ventura
Version: 13.2
CVE: CVE-2022-42915
Component: CVE-2022-42915
Apple
CVE-2022-42915: macOS Monterey 12.6.3
vendor_apple·2023-01-23·CVSS 8.1
CVE-2022-42915 [HIGH] CVE-2022-42915: macOS Monterey 12.6.3
Apple Security Update: About the security content of macOS Monterey 12.6.3
Product: macOS Monterey
Version: 12.6.3
CVE: CVE-2022-42915
Component: CVE-2022-42915
Oracle
Oracle Oracle Essbase Risk Matrix: Infrastructure (cURL) — CVE-2022-42915
vendor_oracle·2023-01-15·CVSS 7.2
CVE-2022-42915 [HIGH] Oracle Oracle Essbase Risk Matrix: Infrastructure (cURL) — CVE-2022-42915
Oracle Oracle Essbase Risk Matrix: Infrastructure (cURL) vulnerability
CVE: CVE-2022-42915
CVSS: 7.2
Protocol: HTTP
Remote exploit: No
Affected versions: Network
Advisory: cpujan2023 (JAN 2023)
Red Hat
curl: HTTP proxy double-free
vendor_redhat·2022-10-26·CVSS 8.1
CVE-2022-42915 [HIGH] CWE-415 curl: HTTP proxy double-free
curl: HTTP proxy double-free
curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
A vulnerability was found in curl. The issue occurs if curl is
Ubuntu
curl vulnerabilities
vendor_ubuntu·2022-10-26·CVSS 9.8
CVE-2022-32221 [CRITICAL] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Robby Simpson discovered that curl incorrectly handled certain POST
operations after PUT operations. This issue could cause applications using
curl to send the wrong data, perform incorrect memory operations, or crash.
(CVE-2022-32221)
Hiroki Kurosawa discovered that curl incorrectly handled parsing .netrc
files. If an attacker were able to provide a specially crafted .netrc file,
this issue could cause curl to crash, resulting in a denial of service.
This issue only affected Ubuntu 22.10. (CVE-2022-35260)
It was discovered that curl incorrectly handled certain HTTP proxy return
codes. A remote attacker could use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbit
Microsoft
curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL it sets up the connection to the remote server by issuing a CONNECT request to the prox
vendor_msrc·2022-10-11·CVSS 8.1
CVE-2022-42915 [HIGH] CWE-415 curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL it sets up the connection to the remote server by issuing a CONNECT request to the prox
curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL it sets up the connection to the remote server by issuing a CONNECT request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict gopher gophers ldap ldaps rtmp rtmps or telnet. The earliest affected version is 7.77.0.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore p
Debian
CVE-2022-42915: curl - curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a...
vendor_debian·2022·CVSS 8.1
CVE-2022-42915 [HIGH] CVE-2022-42915: curl - curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a...
curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
Scope: local
bookworm: resolved (fixed in 7.86.0-1)
bullseye: resolved
forky: resolved (fixed
GHSA
GHSA-98w6-hw73-ph8m: curl before 7
ghsa_unreviewed·2022-10-30
CVE-2022-42915 [CRITICAL] CWE-415 GHSA-98w6-hw73-ph8m: curl before 7
curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
OSV
CVE-2022-42915: curl before 7
osv·2022-10-29·CVSS 8.1
CVE-2022-42915 [HIGH] CVE-2022-42915: curl before 7
curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
OSV
curl vulnerabilities
osv·2022-10-26·CVSS 9.8
CVE-2022-32221 [CRITICAL] curl vulnerabilities
curl vulnerabilities
Robby Simpson discovered that curl incorrectly handled certain POST
operations after PUT operations. This issue could cause applications using
curl to send the wrong data, perform incorrect memory operations, or crash.
(CVE-2022-32221)
Hiroki Kurosawa discovered that curl incorrectly handled parsing .netrc
files. If an attacker were able to provide a specially crafted .netrc file,
this issue could cause curl to crash, resulting in a denial of service.
This issue only affected Ubuntu 22.10. (CVE-2022-35260)
It was discovered that curl incorrectly handled certain HTTP proxy return
codes. A remote attacker could use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 22.04 LTS, and Ubu
No detection rules found.
No public exploits indexed.
Trailofbits
Securing open-source infrastructure with OSTIF
blogs_trailofbits·2024-01-09
Securing open-source infrastructure with OSTIF
The Open Source Technology Improvement Fund (OSTIF) counters an often overlooked challenge in the open-source world: the same software projects that uphold today’s internet infrastructure are reliant on, in OSTIF’s words, a “surprisingly small group of people with a limited amount of time” for all development, testing, and maintenance.
This scarcity of contributor time in the open-source community is a well-known problem, and it renders the internet’s critical infrastructure vulnerable. To quote OSTIF, “because of the lack of a profit motive, core open-source projects are woefully underfunded and their resources are lacking. This leaves crucial Internet infrastructure susceptible to bugs, poor documentation, poor performance, slow release schedules, and even espionage.”
We couldn’t agree
Trailofbits
cURL audit: How a joke led to significant findings
blogs_trailofbits·2023-02-14·CVSS 8.1
CVE-2022-42915 [HIGH] cURL audit: How a joke led to significant findings
In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. The project coincided with a Trail of Bits maker week, which meant that we had more manpower than we usually do, allowing us to take a nonstandard approach to the audit.
- CVE-2022-42915: Double free when using HTTP proxy with specific protocols. Fixed in cURL 7.86.0
- CVE-2022-43552: Use-after-free when HTTP proxy denies tunneling SMB/TELNET protocols. Fixed in cURL 7.87.0
- TOB-CURL-10: Use-after-free while using parallel option and sequences. Fixed in cURL 7.86.0
- TOB-CURL-11: Unused memory blocks are not freed, resulting in memory leaks. Fixed in cURL 7.87.0
Trailofbits
cURL audit: How a joke led to significant findings
blogs_trailofbits·2023-02-14·CVSS 8.1
[HIGH] cURL audit: How a joke led to significant findings
In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. The project coincided with a Trail of Bits maker week, which meant that we had more manpower than we usually do, allowing us to take a nonstandard approach to the audit.
While discussing the threat model of the application, one of our team members jokingly asked, “Have we tried `curl AAAAAAAAAA…` yet”? Although the comment was made in jest, it sparked an idea: we should fuzz cURL’s command-line interface (CLI). Once we did so, the fuzzer quickly uncovered memory corruption bugs, specifically use-after-free issues, double-free issues, and memory leaks. Because the bugs are in libcurl, a cURL development library, they have the potential to affect
HackerOne
CVE-2022-42915: HTTP proxy double-free
hackerone·2022-11-26·CVSS 8.1
CVE-2022-42915 [HIGH] CVE-2022-42915: HTTP proxy double-free
CVE-2022-42915: HTTP proxy double-free
This is a finding that Trail of Bits found in their ongoing curl security audit. Reported at a status meeting today.
## Summary:
curl frees memory twice in some cleanup function related to HTTP proxies.
It is as simple as `curl -x http://localhost:80 dict://127.0.0.1`
Using valgrind on the current git master, it shows:
==55921== Memcheck, a memory error detector
==55921== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==55921== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==55921== Command: ./src/curl -x http://localhost:80 dict://127.0.0.1
==55921== Parent PID: 3035
==55921==
==55921== Invalid free() / delete / delete[] / realloc()
==55921== at 0x484617B: free (vg_replace_malloc.c:872)
==55921== by 0x152464:
References
- http://seclists.org/fulldisclosure/2023/Jan/19
- http://seclists.org/fulldisclosure/2023/Jan/20
- https://curl.se/docs/CVE-2022-42915.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/
- https://security.gentoo.org/glsa/202212-01
- https://security.netapp.com/advisory/ntap-20221209-0010/
- https://support.apple.com/kb/HT213604
- https://support.apple.com/kb/HT213605