The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of cURL: privilege escalation via the use of proxy using NTLM authentication

Synthesis of the vulnerability 

An attacker can use cURL with an HTTP proxy and NTLM authentication with the proxy account of another user, in order to escalate his privileges.
Impacted software: SDS, SES, SNS, OpenOffice, Mac OS X, Brocade Network Advisor, Brocade vTM, cURL, Debian, Fedora, Juniper EX-Series, Junos OS, SRX-Series, openSUSE, openSUSE Leap, Solaris, Slackware, Ubuntu.
Severity of this computer vulnerability: 1/4.
Creation date: 27/01/2016.
Références of this announce: BSA-2016-004, cpuoct2018, CVE-2016-0755, DSA-3455-1, FEDORA-2016-3fa315a5dd, FEDORA-2016-55137a3adb, FEDORA-2016-57bebab3b6, FEDORA-2016-5a141de5d9, HT207170, JSA10874, openSUSE-SU-2016:0360-1, openSUSE-SU-2016:0373-1, openSUSE-SU-2016:0376-1, SSA:2016-039-01, STORM-2019-002, USN-2882-1, VIGILANCE-VUL-18826.

Description of the vulnerability 

The cURL product includes an embedable HTTP client. It can use HTTP proxies.

When a proxy requires an NTLM authentication, this authentication is connection based (in contrast to HTTP based authentication which is request based). Typically, cURL reuses TCP connections to the proxy for several HTTP requests. However, cURL may do so even if different credentials for the proxy have been specified at request level.

An attacker can therefore use cURL with an HTTP proxy and NTLM authentication with the proxy account of another user, in order to escalate his privileges.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer threat alert impacts software or systems such as SDS, SES, SNS, OpenOffice, Mac OS X, Brocade Network Advisor, Brocade vTM, cURL, Debian, Fedora, Juniper EX-Series, Junos OS, SRX-Series, openSUSE, openSUSE Leap, Solaris, Slackware, Ubuntu.

Our Vigil@nce team determined that the severity of this weakness announce is low.

The trust level is of type confirmed by the editor, with an origin of user shell.

An attacker with a expert ability can exploit this computer weakness bulletin.

Solutions for this threat 

cURL: version 7.47.0.
The version 7.47.0 is fixed:
  http://curl.haxx.se/download.html

Apache OpenOffice: version 4.1.6.
The version 4.1.6 is fixed:
  https://www.openoffice.org/download/

Apple MacOS: version 10.12.
The version 10.12 is fixed.

Brocade: solution for multiple vulnerabilities (04/04/2016).
The following versions fix several vulnerabilities (but not CVE-2016-0705):
  Brocade Network Advisor : install version 12.4.2 or 14.0.1.
  Brocade vTM : install version 9.9r1 or 10.3r1.
The detailled solution is indicated in information sources.

Debian: new curl packages.
New packages are available:
  Debian 8: curl 7.38.0-4+deb8u3

Fedora: new curl packages.
New packages are available:
  Fedora 22: curl 7.40.0-8.fc22
  Fedora 23: curl 7.43.0-5.fc23

Fedora: new mingw-curl packages.
New packages are available:
  Fedora 22: mingw-curl 7.47.0-1.fc22
  Fedora 23: mingw-curl 7.47.0-1.fc23

Junos OS: solution for cURL.
The solution is indicated in information sources.

openSUSE: new curl packages.
New packages are available:
  openSUSE 13.1: curl 7.42.1-2.50.1
  openSUSE 13.2: curl 7.42.1-19.1
  openSUSE Leap 42.1: curl 7.37.0-7.1

Oracle Solaris: CPU of Octobre 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2451130.1

Slackware: new curl packages.
New packages are available:
  Slackware 13.0: curl 7.47.1-*-1_slack13.0
  Slackware 13.1: curl 7.47.1-*-1_slack13.1
  Slackware 13.37: curl 7.47.1-*-1_slack13.37
  Slackware 14.0: curl 7.47.1-*-1_slack14.0
  Slackware 14.1: curl 7.47.1-*-1_slack14.1

Stormshield: solution for curl.
The solution is indicated in information sources.

Ubuntu: new curl packages.
New packages are available:
  Ubuntu 15.10: libcurl3 7.43.0-1ubuntu2.1
  Ubuntu 15.04: libcurl3 7.38.0-3ubuntu2.3
  Ubuntu 14.04 LTS: libcurl3 7.35.0-1ubuntu2.6
  Ubuntu 12.04 LTS: libcurl3 7.22.0-3ubuntu4.15
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides a computers vulnerabilities patch. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.