Ubuntu update for curl

1) Use of uninitialized variable

EUVDB-ID: #VU53587

Risk: Medium

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22898

CWE-ID: CWE-457 - Use of Uninitialized Variable

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to usage of uninitialized variable in code, responsible for processing TELNET requests when parsing NEW_ENV variables. A remote attacker can force the affected application to connect to a telnet server under attackers control and read up to 1800 bytes from the uninitialized memory on the libcurl client system.

Proof of concept:

curl telnet://example.com -tNEW_ENV=a,bbbbbb (256 'b's)

Mitigation

Update the affected package curl to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

curl (Ubuntu package): before Ubuntu Pro (Infra-only)

libcurl3 (Ubuntu package): before Ubuntu Pro (Infra-only)

libcurl3-nss (Ubuntu package): before Ubuntu Pro (Infra-only)

libcurl3-gnutls (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

http://ubuntu.com/security/notices/USN-5894-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use of Uninitialized Variable

EUVDB-ID: #VU55149

Risk: Medium

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22925

CWE-ID: CWE-457 - Use of Uninitialized Variable

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to usage of uninitialized variable in code, responsible for processing TELNET requests when parsing NEW_ENV variables. A remote attacker can force the affected application to connect to a telnet server under attackers control and read up to 1800 bytes from the uninitialized memory on the libcurl client system.

Mitigation

Update the affected package curl to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

curl (Ubuntu package): before Ubuntu Pro (Infra-only)

libcurl3 (Ubuntu package): before Ubuntu Pro (Infra-only)

libcurl3-nss (Ubuntu package): before Ubuntu Pro (Infra-only)

libcurl3-gnutls (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

http://ubuntu.com/security/notices/USN-5894-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free

EUVDB-ID: #VU70456

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-43552

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error while processing denied requests from HTTP proxies when using SMB or TELNET protocols. A remote attacker can trigger a use-after-free error and crash the application.

Mitigation

Update the affected package curl to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

curl (Ubuntu package): before Ubuntu Pro (Infra-only)

libcurl3 (Ubuntu package): before Ubuntu Pro (Infra-only)

libcurl3-nss (Ubuntu package): before Ubuntu Pro (Infra-only)

libcurl3-gnutls (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

http://ubuntu.com/security/notices/USN-5894-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.