CVE-2022-43552
Published: 2023-02-09
CVE-2022-43552: A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies…
Priority: P429 · medium · 5.9 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.51% (82.7th percentile)
A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.
Affected
32 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos | >= 13.0 < 13.3 | 13.3 |
| apple | macos_ventura | — | — |
| debian | curl | < curl 7.86.0-3 (bookworm) | curl 7.86.0-3 (bookworm) |
| haxx | curl | < 7.87.0 | 7.87.0 |
| haxx | curl | >= 0 < 7.74.0-1.3+deb11u5 | 7.74.0-1.3+deb11u5 |
| haxx | curl | >= 0 < 7.86.0-3 | 7.86.0-3 |
| haxx | curl | >= 0 < 7.86.0-3 | 7.86.0-3 |
| haxx | curl | >= 0 < 7.86.0-3 | 7.86.0-3 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.22 | 7.58.0-2ubuntu3.22 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.15 | 7.68.0-1ubuntu2.15 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.7 | 7.81.0-1ubuntu1.7 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.20+esm14 | 7.35.0-1ubuntu2.20+esm14 |
| haxx | curl | >= 0 < 7.47.0-1ubuntu2.19+esm7 | 7.47.0-1ubuntu2.19+esm7 |
| https | github.com_curl_curl | — | — |
| msrc | azl3_cmake_3.21.4-10_on_azure_linux_3.0 | — | — |
| msrc | azl3_cmake_3.28.2-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.11.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_cmake_3.21.4-13_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_curl_7.86.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_mysql_8.0.33-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rust_1.72.0-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_debian | — | 5.9 | MEDIUM | — |
| vendor_msrc | — | 5.9 | MEDIUM | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |
CISA ICS
Siemens SINEC NMS Third-Party
cisa_ics·2023-05-11·CVSS 9.8
[CRITICAL] Siemens SINEC NMS Third-Party
ICS Advisory
Release Date: May 11, 2023
Alert Code: ICSA-23-131-05
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Third-party components libexpat and libcurl in SINEC NMS
- Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Tran
Apple
CVE-2023-28180: macOS Ventura 13.3
vendor_apple·2023-03-27·CVSS 5.9
CVE-2023-28180 [MEDIUM] CVE-2023-28180: macOS Ventura 13.3
Apple Security Update: About the security content of macOS Ventura 13.3
Product: macOS Ventura
Version: 13.3
CVE: CVE-2023-28180
Component: CVE-2022-43552
Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution
Description: A memory initialization issue was addressed.
Apple
CVE-2023-27953: macOS Ventura 13.3
vendor_apple·2023-03-27·CVSS 5.9
CVE-2023-27953 [MEDIUM] CVE-2023-27953: macOS Ventura 13.3
Apple Security Update: About the security content of macOS Ventura 13.3
Product: macOS Ventura
Version: 13.3
CVE: CVE-2023-27953
Component: CVE-2022-43552
Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution
Description: A memory initialization issue was addressed.
Apple
CVE-2023-27934: macOS Ventura 13.3
vendor_apple·2023-03-27·CVSS 5.9
CVE-2023-27934 [MEDIUM] CVE-2023-27934: macOS Ventura 13.3
Apple Security Update: About the security content of macOS Ventura 13.3
Product: macOS Ventura
Version: 13.3
CVE: CVE-2023-27934
Component: CVE-2022-43552
Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution
Description: A memory initialization issue was addressed.
Apple
CVE-2022-43552: macOS Ventura 13.3
vendor_apple·2023-03-27·CVSS 5.9
CVE-2022-43552 [MEDIUM] CVE-2022-43552: macOS Ventura 13.3
Apple Security Update: About the security content of macOS Ventura 13.3
Product: macOS Ventura
Version: 13.3
CVE: CVE-2022-43552
Component: CVE-2022-43552
Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution
Description: A memory initialization issue was addressed.
Apple
CVE-2023-27935: macOS Ventura 13.3
vendor_apple·2023-03-27·CVSS 5.9
CVE-2023-27935 [MEDIUM] CVE-2023-27935: macOS Ventura 13.3
Apple Security Update: About the security content of macOS Ventura 13.3
Product: macOS Ventura
Version: 13.3
CVE: CVE-2023-27935
Component: CVE-2022-43552
Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution
Description: A memory initialization issue was addressed.
Apple
CVE-2023-27958: macOS Ventura 13.3
vendor_apple·2023-03-27·CVSS 5.9
CVE-2023-27958 [MEDIUM] CVE-2023-27958: macOS Ventura 13.3
Apple Security Update: About the security content of macOS Ventura 13.3
Product: macOS Ventura
Version: 13.3
CVE: CVE-2023-27958
Component: CVE-2022-43552
Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution
Description: A memory initialization issue was addressed.
Ubuntu
curl vulnerabilities
vendor_ubuntu·2023-02-27·CVSS 3.1
CVE-2021-22925 [LOW] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Harry Sintonen and Tomas Hoger discovered that curl incorrectly handled TELNET connections when the -t option was used on the command line. Uninitialized data possibly containing sensitive information could be sent to the remote server, contrary to expectations. This issue was only fixed in Ubuntu 14.04 ESM. (CVE-2021-22898, CVE-2021-22925)

It was discovered that curl incorrectly handled denials when using HTTP proxies. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-43552)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operati
vendor_msrc·2023-02-14·CVSS 5.9
CVE-2022-43552 [MEDIUM] CWE-416 A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operati
A use after free vulnerability exists in curl
What is the curl open-source project?
Curl is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various network protocols. The name stands for "Client for URL". The Windows implementation provides access to the command-line tool, not the library.
What version of curl addresses this CVE?
Curl version 7.87.0 addresses this vulnerability.
Where can I find more information about this curl vulnerability?
More information can be found at NVD and curl.se
Are there any workarounds that can be implemented?
Preventing the execution of curl.exe is a workaround to be considered
Use a WDAC policy to deny execution of the \system32\curl.exe executable. You can merge the deny into an existing po
Ubuntu
curl vulnerabilities
vendor_ubuntu·2023-01-05·CVSS 7.5
CVE-2022-43551 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Hiroki Kurosawa discovered that curl incorrectly handled HSTS support when certain hostnames included IDN characters. A remote attacker could possibly use this issue to cause curl to use unencrypted connections. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-43551)

It was discovered that curl incorrectly handled denials when using HTTP proxies. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-43552)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: Use-after-free triggered by an HTTP proxy deny response
vendor_redhat·2022-12-21·CVSS 5.9
CVE-2022-43552 [MEDIUM] CWE-416 curl: Use-after-free triggered by an HTTP proxy deny response
curl: Use-after-free triggered by an HTTP proxy deny response
A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.
A vulnerability was found in curl. In this issue, curl can be asked to tunnel all protocols virtually it supports through an HTTP proxy. HTTP proxies can deny these tunnel operations using an appropriate HTTP error response code. When getting denied to tunnel the specific SMB or TELNET protocols, curl can use a heap-allocated struct after it has been freed and
Debian
CVE-2022-43552: curl - A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tun...
vendor_debian·2022·CVSS 5.9
CVE-2022-43552 [MEDIUM] CVE-2022-43552: curl - A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tun...
A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.
Scope: local
bookworm: resolved (fixed in 7.86.0-3)
bullseye: resolved (fixed in 7.74.0-1.3+deb11u5)
forky: resolved (fixed in 7.86.0-3)
sid: resolved (fixed in 7.86.0-3)
trixie: resolved (fixed in 7.86.0-3)
OSV
curl vulnerabilities
osv·2023-02-27·CVSS 3.1
CVE-2021-22898 [LOW] curl vulnerabilities
curl vulnerabilities
Harry Sintonen and Tomas Hoger discovered that curl incorrectly handled TELNET connections when the -t option was used on the command line. Uninitialized data possibly containing sensitive information could be sent to the remote server, contrary to expectations. This issue was only fixed in Ubuntu 14.04 ESM. (CVE-2021-22898, CVE-2021-22925)

It was discovered that curl incorrectly handled denials when using HTTP proxies. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-43552)
OSV
CVE-2022-43552: A use after free vulnerability exists in curl <7
osv·2023-02-09·CVSS 5.9
CVE-2022-43552 [MEDIUM] CVE-2022-43552: A use after free vulnerability exists in curl <7
A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.
GHSA
GHSA-6342-4x32-pp8v: A use after free vulnerability exists in curl <7
ghsa_unreviewed·2023-02-09
CVE-2022-43552 [HIGH] CWE-416 GHSA-6342-4x32-pp8v: A use after free vulnerability exists in curl <7
A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.
OSV
curl vulnerabilities
osv·2023-01-05·CVSS 7.5
CVE-2022-43551 [HIGH] curl vulnerabilities
curl vulnerabilities
Hiroki Kurosawa discovered that curl incorrectly handled HSTS support when certain hostnames included IDN characters. A remote attacker could possibly use this issue to cause curl to use unencrypted connections. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-43551)

It was discovered that curl incorrectly handled denials when using HTTP proxies. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-43552)
No detection rules found.
No public exploits indexed.
Trailofbits
Securing open-source infrastructure with OSTIF
blogs_trailofbits·2024-01-09
Securing open-source infrastructure with OSTIF
The Open Source Technology Improvement Fund (OSTIF) counters an often overlooked challenge in the open-source world: the same software projects that uphold today’s internet infrastructure are reliant on, in OSTIF’s words, a “surprisingly small group of people with a limited amount of time” for all development, testing, and maintenance.
This scarcity of contributor time in the open-source community is a well-known problem, and it renders the internet’s critical infrastructure vulnerable. To quote OSTIF, “because of the lack of a profit motive, core open-source projects are woefully underfunded and their resources are lacking. This leaves crucial Internet infrastructure susceptible to bugs, poor documentation, poor performance, slow release schedules, and even espionage.”
We couldn’t agree
Trailofbits
cURL audit: How a joke led to significant findings
blogs_trailofbits·2023-02-14·CVSS 8.1
CVE-2022-42915 [HIGH] cURL audit: How a joke led to significant findings
In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. The project coincided with a Trail of Bits maker week, which meant that we had more manpower than we usually do, allowing us to take a nonstandard approach to the audit.
CVE-2022-42915 – Double free when using HTTP proxy with specific protocols. Fixed in cURL 7.86.0
CVE-2022-43552 – Use-after-free when HTTP proxy denies tunneling SMB/TELNET protocols. Fixed in cURL 7.87.0
TOB-CURL-10 – Use-after-free while using parallel option and sequences. Fixed in cURL 7.86.0
TOB-CURL-11 – Unused memory blocks are not freed, resulting in memory leaks. Fixed in cURL 7.87.0
Trailofbits
cURL audit: How a joke led to significant findings
blogs_trailofbits·2023-02-14·CVSS 8.1
[HIGH] cURL audit: How a joke led to significant findings
In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. The project coincided with a Trail of Bits maker week, which meant that we had more manpower than we usually do, allowing us to take a nonstandard approach to the audit.
While discussing the threat model of the application, one of our team members jokingly asked, “Have we tried `curl AAAAAAAAAA…` yet”? Although the comment was made in jest, it sparked an idea: we should fuzz cURL’s command-line interface (CLI). Once we did so, the fuzzer quickly uncovered memory corruption bugs, specifically use-after-free issues, double-free issues, and memory leaks. Because the bugs are in libcurl, a cURL development library, they have the potential to affect
Trailofbits
How to share what you’ve learned from our audits
blogs_trailofbits·2022-12-22·CVSS 5.9
[MEDIUM] How to share what you’ve learned from our audits
Trail of Bits recently completed a security review of cURL, which is an amazing and ubiquitous tool for transferring data. We were really thrilled to see cURL founder and lead developer Daniel Stenberg write a blog post about the engagement and the report, and wanted to highlight some important things he pointed out.
In this post, Daniel dives into cURL’s growth since its last audit in 2016: the project; the codebase; and then into the work with Trail of Bits. He touched on both the engagement experience and the final report.
His blog post provides terrific and meaningful context. He gives us high praise, as well as actionable and meaningful critiques that our teams are considering for the future. He also highlights an area in which he disagrees with a finding, providing context on why,
HackerOne
CVE-2022-43552: HTTP Proxy deny use-after-free
hackerone·2022-12-26·CVSS 5.9
CVE-2022-43552 [MEDIUM] CVE-2022-43552: HTTP Proxy deny use-after-free
CVE-2022-43552: HTTP Proxy deny use-after-free
Issue(s) reported by Trail of Bits. This is either one or two issues.
## Summary:
`./src/curl 0 -x0:80 telnet:/[j-u][j-u]//0 -m 01`
`./src/curl 0 -x0:80 smb:/[j-u][j-u]//0 -m 01`
Both command lines end up having libcurl access and use already freed heap memory, for read and write.
## Steps To Reproduce:
See above, run with valgrind for full report.
I have a local HTTP server on localhost host port 80 that will send back a 502 on the CONNECT requests curl issues to it for these protocols.
## Supporting Material/References:
See logs.
## Impact
Use after free stuff.
References:
- http://seclists.org/fulldisclosure/2023/Mar/17
- https://hackerone.com/reports/1764858
- https://security.gentoo.org/glsa/202310-12
- https://security.netapp.com/advisory/ntap-20230214-0002/
- https://support.apple.com/kb/HT213670

Published: 2023-02-09