=====================================================================
CERT-Renater Note d'Information No. 2021/VULN173
_____________________________________________________________________
DATE                 : 27/04/2022
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running curl versions prior to 7.83.0.
=====================================================================
https://curl.se/docs/CVE-2022-27776.html
https://curl.se/docs/CVE-2022-27775.html
https://curl.se/docs/CVE-2022-27774.html
https://curl.se/docs/CVE-2022-22576.html
_____________________________________________________________________

Auth/cookie leak on redirect

Project curl Security Advisory, April 27 2022

VULNERABILITY

curl might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host whose name is used in the initial URL, so that redirects to other hosts will not make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to hosts that are identical to the first one but use a different port number or URL scheme, contrary to expectation and intention.

Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom Authorization: or Cookie: headers, as those headers often contain privacy-sensitive information or data.

curl and libcurl have options that allow users to opt out from this check, but they are not set by default.

We are not aware of any exploit of this flaw.

INFO

This flaw was added in curl 4.9 with the introduction of --location and has been present in all libcurl versions ever released. In July 2000, in the curl 7.1.1 release, this commit was the first version that attempted to avoid this, but the check has been bad since then.
In 2018, CVE-2018-1000007 was reported, which partly addressed this area, but in an incomplete way.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-27776 to this issue.

CWE-522: Insufficiently Protected Credentials

Severity: Low

AFFECTED VERSIONS

Affected versions: curl 4.9 to and including 7.82.0
Not affected versions: curl < 4.9 and curl >= 7.83.0

Also note that libcurl is used by many applications, and not always advertised as such.

THE SOLUTION

In curl version 7.83.0, the same-host check is extended to check the port number and protocol as well.

A fix for CVE-2022-27776

RECOMMENDATIONS

A - Upgrade curl to version 7.83.0
B - Apply the patch to your local version
C - Do not enable CURLOPT_FOLLOWLOCATION if you pass on custom Authorization: headers or cookies.

TIMELINE

This issue was reported to the curl project on April 21, 2022. We contacted distros@openwall on April 22. libcurl 7.83.0 was released on April 27 2022, coordinated with the publication of this advisory.

CREDITS

This issue was reported by Harry Sintonen. Patched by Daniel Stenberg. Thanks a lot!

_____________________________________________________________________

Bad local IPv6 connection reuse

Project curl Security Advisory, April 27 2022

VULNERABILITY

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup.

Due to errors in the logic, the config matching function did not take the IPv6 address zone id into account, which could lead to libcurl reusing the wrong connection when one transfer uses a zone id and a subsequent transfer uses another (or no) zone id.

We are not aware of any exploit of this flaw.

INFO

Zone ids are only used for non-global scoped IPv6 addresses, and they are only used when specifying the address numerically.

This flaw has existed in curl since commit 2d0e9b40d3237b1, shipped in libcurl 7.65.0, released on May 22 2019.
Previous versions will instead not accept URLs with zone ids.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-27775 to this issue.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS

Affected versions: curl 7.65.0 to and including 7.82.0
Not affected versions: curl < 7.65.0 and curl >= 7.83.0

Also note that libcurl is used by many applications, and not always advertised as such.

THE SOLUTION

A fix for CVE-2022-27775

RECOMMENDATIONS

A - Upgrade curl to version 7.83.0
B - Apply the patch to your local version
C - Do not use non-global numerical IPv6 addresses in URLs to curl

TIMELINE

This issue was reported to the curl project on April 21, 2022. We contacted distros@openwall on April 21. libcurl 7.83.0 was released on April 27 2022, coordinated with the publication of this advisory.

CREDITS

This issue was reported by Harry Sintonen. Patched by Daniel Stenberg. Thanks a lot!

_____________________________________________________________________

Credential leak on redirect

Project curl Security Advisory, April 27th 2022

VULNERABILITY

curl follows HTTP(S) redirects when asked to. curl also supports authentication. When a user and password are provided for a URL with a given hostname, curl makes an effort to not pass on those credentials to other hosts in redirects unless given permission with a special option.

This "same host check" has been flawed ever since it was introduced. It does not work on cross-protocol redirects, and it does not consider different port numbers to be separate hosts.

This leads to curl leaking credentials to other servers when it follows redirects from auth-protected HTTP(S) URLs to other protocols and port numbers. It could also leak the TLS SRP credentials this way.

By default, curl only allows redirects to HTTP(S) and FTP(S), but it can be asked to allow redirects to all protocols curl supports.

We are not aware of any exploit of this flaw.
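The same-host check described above, and the Authorization:/Cookie: variant of CVE-2022-27776, as an added illustration that is not curl's own code: a host-name-only comparison beside one that also compares scheme and port, as the 7.83.0 fix is described to do, used to decide which headers may accompany a redirected request. The function and parameter names are hypothetical; the opt-out parameter is modelled on libcurl's CURLOPT_UNRESTRICTED_AUTH.

```python
from urllib.parse import urlsplit

# Default ports per scheme, so that an explicit ":443" on an https URL is
# treated as the same origin as the URL without it.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ftps": 990}

# Headers that carry credentials and must not follow a redirect off-origin.
CREDENTIAL_HEADERS = {"authorization", "cookie"}


def origin(url):
    """Return (scheme, host, port) for url, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def flawed_same_host(original, redirect):
    """Pre-7.83.0 behaviour as the advisory describes it: only the host name is
    compared, so a redirect to another port or scheme on that host still passes."""
    return origin(original)[1] == origin(redirect)[1]


def fixed_same_host(original, redirect):
    """7.83.0 behaviour as the advisory describes it: scheme, host and port must match."""
    return origin(original) == origin(redirect)


def headers_for_redirect(headers, original, redirect, check=fixed_same_host,
                         unrestricted_auth=False):
    """Return the headers to send to the redirect target.

    Credential headers are dropped unless the target passes `check`, or the
    caller explicitly opted out (hypothetical flag modelled on libcurl's
    CURLOPT_UNRESTRICTED_AUTH)."""
    if unrestricted_auth or check(original, redirect):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


if __name__ == "__main__":
    # Constructed sample: a redirect from the default https port to port 8443.
    hdrs = {"Authorization": "Bearer example-token", "Cookie": "sid=abc", "Accept": "*/*"}
    src, dst = "https://example.com/login", "https://example.com:8443/next"
    print("flawed check keeps:", sorted(headers_for_redirect(hdrs, src, dst, flawed_same_host)))
    print("fixed check keeps: ", sorted(headers_for_redirect(hdrs, src, dst)))
```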
INFO

This flaw was added in curl 4.9 with the introduction of --location and has been present in all libcurl versions ever released. In July 2000, in the curl 7.1.1 release, this commit was the first version that attempted to avoid this, but the check has been bad since then.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-27774 to this issue.

CWE-522: Insufficiently Protected Credentials

Severity: Medium

AFFECTED VERSIONS

Affected versions: curl 4.9 to and including 7.82.0
Not affected versions: curl < 4.9 and curl >= 7.83.0

Note that libcurl is used by many applications, but not always advertised as such.

THE SOLUTION

There are two separate patches to apply for CVE-2022-27774: the main one and the SRP follow-up.

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 7.83.0
B - Apply the patches to your version and rebuild
C - Switch off curl's automatic redirect following

TIME LINE

It was first reported to the curl project on April 18 2022. We contacted distros@openwall on April 19. libcurl 7.83.0 was released on April 27 2022, coordinated with the publication of this advisory.

CREDITS

Reported by Harry Sintonen. Thanks a lot!

_____________________________________________________________________

OAUTH2 bearer bypass in connection re-use

Project curl Security Advisory, April 27th 2022

VULNERABILITY

libcurl might reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer.

This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

libcurl maintains a pool of live connections after a transfer has completed (sometimes called the connection cache).
This pool of connections is then gone through when a new transfer is requested, and if there is a live connection available that can be reused, it is preferred instead of creating a new one.

Due to this security vulnerability, a connection that is successfully created and authenticated with a user name + OAUTH2 bearer could subsequently be erroneously reused even for user + [other OAUTH2 bearer], even though that might not even be a valid bearer. This could lead to an authentication bypass, either by mistake or by a malicious actor.

We are not aware of any exploit of this flaw.

INFO

This flaw was introduced in curl in 2013 with the commit series that started with 19a05c908f7d8b.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-22576 to this issue.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Medium

AFFECTED VERSIONS

Affected versions: curl 7.33.0 to and including 7.82.0
Not affected versions: curl < 7.33.0 and curl >= 7.83.0

Note that libcurl is used by many applications, but not always advertised as such.

THE SOLUTION

A fix for CVE-2022-22576

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 7.83.0
B - Apply the patch to your version and rebuild
C - Set the bearer string as password as well when using OAUTH2 bearer authentication with these protocols.

TIME LINE

It was first reported to the curl project on March 18 2022. We contacted distros@openwall on April 18. libcurl 7.83.0 was released on April 27 2022, coordinated with the publication of this advisory.

CREDITS

Reported and patched by Patrick Monnerat. Thanks a lot!

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44              +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41              +
+ 75013 Paris         | email: cert@support.renater.fr    +
=========================================================