-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0216
 Security Bulletin: Vulnerabilities in curl affect IBM Security Proventia
 Network Enterprise Scanner (CVE-2015-3143, CVE-2015-3148, CVE-2015-3153,
               CVE-2014-3613, CVE-2014-3707, CVE-2014-8150)
                              28 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Proventia Network Enterprise Scanner
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated      
                   Denial of Service              -- Remote/Unauthenticated      
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-3153 CVE-2015-3148 CVE-2015-3143
                   CVE-2014-8150 CVE-2014-3707 CVE-2014-3613

Reference:         ASB-2016.0004
                   ASB-2015.0103
                   ASB-2015.0070
                   ESB-2015.3196
                   ESB-2015.3133
                   ESB-2015.2881
                   ESB-2015.2715

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21970304

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerabilities in curl affect IBM Security Proventia
Network Enterprise Scanner (CVE-2015-3143, CVE-2015-3148, CVE-2015-3153,
CVE-2014-3613, CVE-2014-3707, CVE-2014-8150)

Security Bulletin

Document information

More support for:

Proventia Network Enterprise Scanner

Software version:

2.3

Operating system(s):

Firmware

Reference #:

1970304

Modified date:

2016-01-27

Summary

Security vulnerabilities have been discovered in the curl package used with
IBM Security Proventia Network Enterprise Scanner.

Vulnerability Details

CVEID:

CVE-2015-3143

DESCRIPTION:

libcurl could allow a remote attacker from within the local network to bypass
security restrictions, caused by the re-use of recently authenticated
connections. By sending a new NTLM-authenticated request, an attacker could
exploit this vulnerability to perform unauthorized actions with the
privileges of the victim.

CVSS Base Score: 5

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/102888

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:

CVE-2015-3148

DESCRIPTION:

libcurl and cURL could allow a remote attacker to bypass security
restrictions, caused by improper use of the negotiate authentication method.
By sending a specially-crafted request, an attacker could exploit this
vulnerability to bypass access restrictions and connect as other users.

CVSS Base Score: 5

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/102878

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:

CVE-2015-3153

DESCRIPTION:

cURL/libcURL could allow a remote attacker to obtain sensitive information,
caused by custom HTTP headers with sensitive content being sent to the server
and intermediate proxy by the CURLOPT_HTTPHEADER option. An attacker could
exploit this vulnerability to obtain authentication cookies or other
sensitive information.

CVSS Base Score: 5

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/102989

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:

CVE-2014-3613

DESCRIPTION:

cURL/libcURL could allow a remote attacker to bypass security restrictions,
caused by the failure to properly detect and reject domain names for IP
addresses. An attacker could exploit this vulnerability to send cookies to an
incorrect site.

CVSS Base Score: 5

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/95925

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:

CVE-2014-3707

DESCRIPTION:

cURL/libcURL could allow a remote attacker to obtain sensitive information,
caused by an error in the curl_easy_duphandle() function. An attacker could
exploit this vulnerability to corrupt heap memory and obtain sensitive
information or cause a denial of service.

CVSS Base Score: 6.4

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/98562

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID:

CVE-2014-8150

DESCRIPTION:

libcURL is vulnerable to CRLF injection, caused by the improper handling of
URLs with embedded end-of-line characters. By persuading a victim to click on
a specially-crafted URL link using an HTTP proxy, a remote attacker could
exploit this vulnerability to conduct various attacks against the vulnerable
system, including cross-site scripting, cache poisoning or session hijacking.

CVSS Base Score: 4.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/100567

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Security Proventia Network Enterprise Scanner 2.3

Remediation/Fixes

Product                                            VRMF    Remediation/First Fix
                                                   2.3     2.3.0.2-ISS-ES-IF012
IBM Security Proventia Network Enterprise Scanner

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide

On-line Calculator v2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVqmhBn6ZAP0PgtI9AQK7xRAAkPHJfK6A5l4jR5Ir/33ryQ4SiRLqUN5b
Po/GRB76z2YZpEsyiHKtwBSONc3OesjkDhw+1oY/gM6piVWuj7bxddTD+gmuNMKM
SrqLUUxSJdE3cBk+beA5/qAZbZWTbmuoMdxr2eX7XyRHrOv1EzLWh4MmRbNWlmbz
TE/yVRXmTkeBgt+P+g2b62v6ehzH4qWe9YZ3kRCeb4SkHBrejCBOIuO3qfsJAxvT
6h0eklqf8ivdXEuAo96Rk+HtWrhzP4U6wj+q0wIYzYm0Y7eW3jmo71OYqfUH5K3t
9e+DQaIh96aEpfVRT1/wzb2Lnv8Or/cpxbHkrnuo0rOLxEew5rXstNjEPAnLUei+
D2lqLgJmmD47rRRgV8ptu4MYLzc+PmZJTiHVkiO42SrsOeL658GNa9wki+V8bZI5
73hZaBwi4WbM95vn2EIdaRE+8DbD3CsZCdO3Amb6xJPiclhGll6Mgs1dqhSd4zOq
hBB9q5SCNq+zNK203hD1JTZ6sLjSjiPR2/WpAnKEATYuqlDdiJQjyEy8BKiDTxT2
ge9gQ/K23GpmiRJ0dGDUW10r0QGH56051fHdXBPV5o2kD9fNvyA+VRMqcuRi5Thg
X7wZdsdWs7AwW0+pjchY0pNfx7PxSc2hTraQXWzWRu0uUqHVFhtchxpe7G6CzbZu
1GsCntYx3FU=
=MY+4
-----END PGP SIGNATURE-----