Knowledge Search


×
 

2018-07 Security Bulletin: Junos OS: cURL: Multiple vulnerabilities in multiple cURL versions

  [JSA10874] Show Article Properties


Product Affected:
Junos OS
Problem:
Multiple vulnerabilities in cURL and libcurl have been resolved in Junos OS.

RISK LEVEL: CRITICAL CVSSv2 10.0, CVSSv3 9.8:
Junos OS 12.3R uses cURL 7.24 and has been upgraded to cURL 7.59.0 which may be impacted by: 
CVE-2000-0973, CVE-2013-1944, CVE-2013-2174, CVE-2013-4545, CVE-2013-6422, CVE-2014-0015, CVE-2014-0138, CVE-2014-0139, CVE-2014-3613, CVE-2014-3707, CVE-2014-8150, CVE-2015-3143, CVE-2015-3148, CVE-2015-3153, CVE-2016-0754, CVE-2016-0755, CVE-2016-3739, CVE-2016-4802, CVE-2016-5419, CVE-2016-5420, CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625, CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000254, CVE-2017-1000257, CVE-2017-7407, CVE-2017-8817, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000121 and CVE-2018-1000122.

RISK LEVEL: CRITICAL CVSSv2 10.0, CVSSv3 9.8:
Junos OS 12.1X46, 12.3X48, and Junos OS 13.1R through 17.3R release trains uses cURL 7.43 and has been upgraded to cURL 7.59.0 which may be affected by: 
CVE-2000-0973, CVE-2013-1944, CVE-2014-8150, CVE-2016-0754, CVE-2016-0755, CVE-2016-3739, CVE-2016-4802, CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625, CVE-2016-9586, CVE-2016-9952, CVE-2016-9953, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254, CVE-2017-1000257, CVE-2017-7407, CVE-2017-8816, CVE-2017-8817, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000121 and CVE-2018-1000122.

RISK LEVEL: CRITICAL CVSSv3 9.8:
Subsequent releases of Junos OS 17.4R1 and onward uses cURL 7.54 and has been upgraded to cURL 7.59.0 which may be affected by: 
CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254, CVE-2017-1000257, CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2017-9502, CVE-2018-1000005, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122

Affected releases are Juniper Networks Junos OS:
12.1X46 versions prior to 12.1X46-D77 on SRX Series;
12.3 versions prior to 12.3R12-S10 on EX Series;
12.3X48 versions prior to 12.3X48-D70 on SRX Series;
12.3X54 versions prior to 12.3X54-D34 on ACX Series;
14.1X53 versions prior to 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100;
14.1X53 versions prior to 14.1X53-D130 on QFabric System;
15.1 versions prior to 15.1F6-S11, 15.1R4-S9, 15.1R7-S1, 15.1R8;
15.1X49 versions prior to 15.1X49-D140 on SRX Series;
15.1X53 versions prior to 15.1X53-D67 on QFX10000 Series;
15.1X53 versions prior to 15.1X53-D234 on QFX5110, QFX5200;
15.1X53 versions prior to 15.1X53-D471 on NFX 150, NFX 250;
15.1X54 versions prior to 15.1X54-D70 on ACX Series;
16.1 versions prior to 16.1R4-S10, 16.1R6-S4, 16.1R7;
16.2 versions prior to 16.2R1-S7, 16.2R2-S6, 16.2R3;
17.1 versions prior to 17.1R2-S7, 17.1R3;
17.2 versions prior to 17.2R1-S6, 17.2R2-S5, 17.2R3;
17.2X75 versions prior to 17.2X75-D100;
17.3 versions prior to 17.3R2-S2, 17.3R3;
17.4 versions prior to 17.4R1-S4, 17.4R2;
18.1 versions prior to 18.1R1-S1, 18.1R2;
18.2X75 versions prior to 18.2X75-D10.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.
Additional details on the vulnerabilities is also available at the cURL website located at https://curl.haxx.se/docs/security.html 
Further details for REST API configuration, cURL, and related components can be found in the URLs section of this advisory.

Important security issues resolved as a result of these upgrades include: 
 
CVE CVSS v2 base score Summary
CVE-2000-0973 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated.
CVE-2016-5421 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.
CVE-2016-7167 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.
CVE-2016-9953 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read.
CVE-2017-8816 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.
CVE-2017-8817 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.
CVE-2017-8818 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.
CVE-2018-1000120 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.
CVE-2016-4802 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C) Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory.
CVE-2013-2174 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character.
CVE-2016-9586 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.
CVE-2016-9952 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by "*.com."
CVE-2014-0138 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
CVE-2017-1000257 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.
CVE-2018-1000005 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
CVE-2018-1000122 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage
CVE-2014-0139 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVE-2013-1944 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
CVE-2014-3613 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
CVE-2015-3143 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.
CVE-2015-3148 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
CVE-2015-3153 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
CVE-2016-0754 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name.
CVE-2016-0755 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
CVE-2016-5419 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
CVE-2016-5420 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
CVE-2016-7141 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
CVE-2017-1000254 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.
CVE-2017-9502 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given "URL" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string "file://").
CVE-2018-1000007 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
CVE-2018-1000121 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service
CVE-2013-4545 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVE-2014-3707 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.
CVE-2014-8150 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
CVE-2017-1000099 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.
CVE-2017-1000100 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.
CVE-2017-1000101 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`.
CVE-2013-6422 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N) The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
CVE-2014-0015 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N) cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
CVE-2016-3739 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
CVE-2017-7407 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N) The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.
CVE-2016-8615 - details not found
CVE-2016-8616 - details not found
CVE-2016-8617 - details not found
CVE-2016-8618 - details not found
CVE-2016-8619 - details not found
CVE-2016-8620 - details not found
CVE-2016-8621 - details not found
CVE-2016-8622 - details not found
CVE-2016-8623 - details not found
CVE-2016-8624 - details not found
CVE-2016-8625 - details not found
Solution:
The following software releases have been updated to resolve this specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D70, 12.3X54-D34, 14.1X53-D47, 14.1X53-D130*, 15.1F6-S11*, 15.1R4-S9, 15.1R7-S1, 15.1R8, 15.1X49-D140, 15.1X53-D67, 15.1X53-D234, 15.1X53-D471, 15.1X54-D70, 16.1R4-S10, 16.1R6-S4, 16.1R7, 16.2R1-S7, 16.2R2-S6, 16.2R3, 17.1R2-S7, 17.1R3, 17.2R1-S6, 17.2R2-S5, 17.2R3, 17.2X75-D100, 17.3R2-S2, 17.3R3, 17.4R1-S4, 17.4R2, 18.1R1-S1*, 18.1R2, 18.2X75-D10, 18.2R1, and all subsequent releases.
*Pending Publication

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).
This issue is being tracked as PR 1347361 which is visible on the Customer Support website.

Workaround:
Actions which may reduce the risk of exploitation include: 
Discontinue the use of cURL scripting.
Avoid using untrusted URLs to fetch updates or to import data into a Junos device.
Discontinue the use of HTTP with REST APIs.
Utilize certificates and HTTPS with REST APIs.
Consider the use of SSL/TLS mutual authentication. 
Limit the number of concurrent REST connections to a device to only the minimum necessary number to perform the necessary goal, thereby potentially exposing attackers or limiting the attack surface an attacker can target.
Utilize non-default REST HTTPS ports to obfuscate the use of REST APIs from potential attackers.
Specify the set of ciphers the server can use to perform encryption and decryption functions.
Lastly, utilizing common security BCPs to limit the exploitable surface by limiting access to network and device to trusted systems, administrators, networks and hosts.
Modification History:
2018-07-11: Initial Publication.
2018-07-31: modified Workaround section line to read: "Discontinue the use of cURL scripting" instead of "Discontinue the use of scripts".
Related Links:
CVSS Score:
10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) and 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Severity Level:
Critical
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."