==================================================================== CERT-Renater Note d'Information No. 2015/VULN113 _____________________________________________________________________ DATE : 18/06/2015 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running libcurl versions 7.40.0 up to and including 7.42.1. ====================================================================== http://curl.haxx.se/docs/adv_20150617B.html http://curl.haxx.se/docs/adv_20150617A.html ______________________________________________________________________ SMB send off unrelated memory contents Project cURL Security Advisory, June 17th 2015 VULNERABILITY libcurl can get tricked by a malicious SMB server to send off data it did not intend to. In libcurl's state machine function handling the SMB protocol (smb_request_state()), two length and offset values are extracted from data that has arrived over the network, and those values are subsequently used to figure out what data range to send back. The values are used and trusted without boundary checks and are just assumed to be valid. This allows carefully handicrafted packages to trick libcurl into responding and sending off data that was not intended. Or just crash if the values cause libcurl to access invalid memory. We are not aware of any exploit of this flaw. INFO This flaw can also affect the curl command line tool if a similar operation series is made with that. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-3237 to this issue. AFFECTED VERSIONS This flaw is relevant for Affected versions: libcurl 7.40.0 to and including 7.42.1 Not affected versions: libcurl < 7.40.0 and libcurl >= 7.43.0 libcurl is used by many applications, but not always advertised as such! THE SOLUTION In version 7.43.0, libcurl properly range checks the values before they are used. A patch for this problem that changes the default is available at (URL will be updated in final advisory): http://curl.haxx.se/CVE-2015-3237.patch RECOMMENDATIONS We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 7.43.0 B - Apply the patch to your version and rebuild C - Avoid using the SMB protocol TIME LINE It was first brought up with the curl-security team on May 22 2015. We contacted distros@openwall on June 11. libcurl 7.43.0 was released on June 17 2015, coordinated with the publication of this advisory. CREDITS Spotted by Daniel Stenberg. Thanks a lot! ______________________________________________________________________ lingering HTTP credentials in connection re-use Project cURL Security Advisory, June 17th 2015 - Permalink VULNERABILITY libcurl can wrongly send HTTP credentials when re-using connections. libcurl allows applications to set credentials for the upcoming transfer with HTTP Basic authentication, like with CURLOPT_USERPWD for example. Name and password. Just like all other libcurl options the credentials are sticky and are kept associated with the "handle" until something is made to change the situation. Further, libcurl offers a curl_easy_reset() function that resets a handle back to its pristine state in terms of all settable options. A reset is of course also supposed to clear the credentials. A reset is typically used to clear up the handle and prepare it for a new, possibly unrelated, transfer. Within such a handle, libcurl can also store a set of previous connections in case a second transfer is requested to a host name for which an existing connection is already kept alive. With this flaw present, using the handle even after a reset would make libcurl accidentally use those credentials in a subseqent request if done to the same host name and connection as was previously accessed. An example case would be first requesting a password protected resource from one section of a web site, and then do a second request of a public resource from a completely different part of the site without authentication. This flaw would then inadvertently leak the credentials in the second request. We are not aware of any exploit of this flaw. INFO This flaw can also affect the curl command line tool if a similar operation series is made with that. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-3236 to this issue. AFFECTED VERSIONS This flaw is relevant for Affected versions: libcurl 7.40.0 to and including 7.42.1 Not affected versions: libcurl < 7.40.0 and libcurl >= 7.43.0 libcurl is used by many applications, but not always advertised as such! THE SOLUTION In version 7.43.0, libcurl properly clears the credentials and prevents them from lingering around. A patch for this problem that changes the default is available at (URL will be updated in final advisory): http://curl.haxx.se/CVE-2015-3236.patch RECOMMENDATIONS We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 7.43.0 B - Apply the patch to your version and rebuild C - If you use curl_easy_reset(), explicitly set the credentials afterwards TIME LINE It was first reported to the curl project on May 19 2015. We contacted distros@openwall on June 11. libcurl 7.43.0 was released on June 17 2015, coordinated with the publication of this advisory. CREDITS Reported by Tomas Tomecek and Kamil Dudka ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================