#14844 closed enhancement (fixed)
curl-7.76.0
| Reported by: | Douglas R. Reno | Owned by: | Tim Tassonis |
|---|---|---|---|
| Priority: | elevated | Milestone: | 11.0 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New minor version
Change History (5)
comment:1 by , 3 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 3 years ago
CVE-2021-22876
Automatic referer leaks credentials =================================== Project curl Security Advisory, March 31st 2021 - [Permalink](https://curl.se/docs/CVE-2021-22876.html) VULNERABILITY ------------- libcurl does not strip off user credentials from the URL when automatically populating the `Referer:` HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. libcurl automatically sets the `Referer:` HTTP request header field in outgoing HTTP requests if the `CURLOPT_AUTOREFERER` option is set. With the curl tool, it is enabled with `--referer ";auto"`. We are not aware of any exploit of this flaw. INFO ---- This flaw has existed in libcurl since commit [f30ffef477](https://github.com/curl/curl/commit/f30ffef477) in libcurl 7.1.1, released on August 21, 2000. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22876 to this issue. CWE-359: Exposure of Private Personal Information to an Unauthorized Actor Severity: Low AFFECTED VERSIONS ----------------- - Affected versions: curl 7.1.1 to and including 7.75.0 - Not affected versions: curl < 7.1.1 and curl >= 7.76.0 Also note that libcurl is used by many applications, and not always advertised as such. THE SOLUTION ------------ If a provided URL contains credentials, they will be blanked out before the URL is used to populate the header field. A [fix for CVE-2021-22876](https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c) (The patch URL will change in the final published version of this advisory) RECOMMENDATIONS -------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade libcurl to version 7.76.0 B - Apply the patch to your local version C - Provide the credentials with `-u` or `CURLOPT_USERPWD` D - Avoid `CURLOPT_AUTOREFERER` and `--referer ";auto"`, TIMELINE -------- This issue was reported to the curl project on February 12, 2021. This advisory was posted on March 31st 2021. CREDITS ------- This issue was reported and patched by Viktor Szakats. Thanks a lot!
comment:4 by , 3 years ago
| Priority: | normal → elevated |
|---|
CVE-2021-22890
TLS 1.3 session ticket proxy host mixup ======================================= Project curl Security Advisory, March 31st 2021 - [Permalink](https://curl.se/docs/CVE-2021-22890.html) VULNERABILITY ------------- Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. This flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check. We are not aware of any exploit of this flaw. INFO ---- This flaw has existed in libcurl since commit [549310e907e](https://github.com/curl/curl/commit/549310e907e) in libcurl 7.63.0, released on December 12, 2018. It can only trigger when TLS 1.3 is used with the HTTPS proxy and not with earlier TLS versions. It *cannot* trigger with TLS 1.2 or earlier versions. It might be worth highlighting that an HTTPS proxy is a proxy which libcurl communicates with over TLS specifically, and then speaks HTTPS through, making it two layers of TLS. It is different than the more common HTTP proxy setup, where libcurl just does normal TCP with the proxy. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22890 to this issue. CWE-290: Authentication Bypass by Spoofing Severity: Low AFFECTED VERSIONS ----------------- This issue only exists when libcurl is built to use OpenSSL or one of its forks. - Affected versions: curl 7.63.0 to and including 7.75.0 - Not affected versions: curl < 7.63.0 and curl >= 7.76.0 Also note that libcurl is used by many applications, and not always advertised as such. THE SOLUTION ------------ Make sure the proxy/host distinction is done correctly. A [fix for CVE-2021-22890](https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844) (The patch URL will change in the final published version of this advisory) RECOMMENDATIONS -------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade libcurl to version 7.76.0 B - Apply the patch to your local version C - Use another TLS backend D - Avoid TLS 1.3 with HTTPS proxies TIMELINE -------- This issue was reported to the curl project on March 17, 2021. This advisory was posted on March 31st 2021. CREDITS ------- This issue was reported by Mingtao Yang, Facebook. Patch by Daniel Stenberg. Thanks a lot!
Just putting the upstream information in here to make it easier for issuing a SA :)
Note:
See TracTickets
for help on using tickets.
Changes: cookies: Support multiple -b parameters curl: add --fail-with-body doh: add options to disable ssl verification http: add support to read and store the referrer header sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl vtls: initial implementation of rustls backend Bugfixes: CVE-2021-22876: strip credentials from the auto-referer header field CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid() asyn-ares: use consistent resolve error message BUG-BOUNTY: removed the cooperation mention build: delete unused feature guards build: fix --disable-dateparse build: fix --disable-http-auth build: remove all traces of USE_BLOCKING_SOCKETS c-hyper: Remove superfluous pointer check c-hyper: support automatic content-encoding CI/azure: disable test 433 on azure-ubuntu CI/azure: replace python-impacket with python3-impacket ci: stop building on freebsd-12-1 cmake: fix import library name for non-MS compiler on Windows cmake: use CMAKE_INSTALL_INCLUDEDIR indirection cmake: support WinIDN config: fix building SMB with configure using Win32 Crypto config: fix detection of restricted Windows App environment configure: fail if --with-quiche is used and quiche isn't found configure: make AC_TRY_* into AC_*_IFELSE configure: make hyper opt-in, and fail if missing configure: only add OpenSSL paths if they are defined configure: provide Largefile feature for curl-config configure: remove use of deprecated macros configure: s/AC_HELP_STRING/AS_HELP_STRING cookies: Fix potential NULL pointer deref with PSL curl: set CURLOPT_NEW_FILE_PERMS if requested curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO curl_multibyte: always return a heap-allocated copy of string curl_multibyte: fall back to local code page stat/access on Windows Curl_timeleft: check both timeouts during connect curl_url_set.3: mention CURLU_PATH_AS_IS CURLOPT_QUOTE.3: clarify that libcurl doesn't parse what's sent docs/HTTP2: remove the outdated remark about multiplexing for the tool docs/Makefile.inc: format to be update-friendly docs: add CURLOPT_CURLU to 'See also' in curl_url_ functions docs: add missing Arg tag to --stderr docs: Add SSL backend names to CURL_SSL_BACKEND docs: clarify timeouts for queued transfers in multi API docs: Explain DOH transfers inherit some SSL settings docs: fix FILE example url in --metalink documentation docs: make gen.pl support *italic* and **bold** doh: Fix sharing user's resolve list with DOH handles doh: Inherit CURLOPT_STDERR from user's easy handle dynbuf: bump the max HTTP request to 1MB examples: Remove threaded-shared-conn.c due to bug file: Support unicode urls on windows ftp: add 'list_only' to the transfer state struct ftp: add 'prefer_ascii' to the transfer state struct FTP: allow SIZE to fail when doing (resumed) upload ftp: avoid SIZE when asking for a TYPE A file ftp: fix Codacy/cppcheck warning about null pointer arithmetic ftp: fix memory leak in ftp_done ftp: never set data->set.ftp_append outside setopt gen.pl: quote "bare" minuses in the nroff curl.1 github: add torture-ftp for FTP-only torture testing gnutls: assume nettle crypto support gskit: correct the gskit_send() prototype hostip: fix build with sync resolver hostip: fix crash in sync resolver builds that use DOH hsts: remove unused defines http2: don't set KEEP_SEND when there's no more data to be sent http2: fail if connection terminated without END_STREAM http: cap body data amount during send speed limiting http: do not add a referrer header with empty value http: make 416 not fail with resume + CURLOPT_FAILONERRROR http: remove superfluous NULL assign http: strip default port from URL sent to proxy http: use credentials from transfer, not connection ldap: use correct memory free function lib1536: check ptr against NULL before dereferencing it lib1537: check ptr against NULL before dereferencing it lib: remove 'conn->data' completely libssh2: kdb_callback: get the right struct pointer libssh2:ssh_connect: clear session pointer after free memdebug: close debug logfile explicitly on exit mingw: enable using strcasecmp() multi: close the connection when h2=>h1 downgrading multi: do once-per-transfer inits in before_perform in DID state multi: rename the multi transfer states multi: update pending list when removing handle ngtcp2: adapt to the new recv_datagram callback ngtcp2: clarify calculation precedence ngtcp2: Fix build error due to change in ngtcp2_addr_init ngtcp2: sync with recent API updates openldap: avoid NULL pointer dereferences openssl: adapt to v3's new const for a few API calls openssl: ensure to check SSL_CTX_set_alpn_protos return values openssl: remove get_ssl_version_txt in favor of SSL_get_version openssl: set the transfer pointer for logging early OS400: update for CURLOPT_AWS_SIGV4 parse_proxy: fix a memory leak in the OOM path pathhelp.pm: fix use of pwd -L in Msys environment projects: Update VS projects for OpenSSL 1.1.x quiche: fix build error: use 'int' for port number quiche: fix crash when failing to connect retry-all-errors.d: Explain curl errors versus HTTP response errors retry.d: Clarify transient 5xx HTTP response codes runtests.pl: add %TESTNUMBER variable to make copying tests more convenient runtests.pl: add a -P option to specify an external proxy runtests.pl: kill processes locking test log files setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper test1188: change error to check for: --fail HTTP status test220/314: adjust to run with Hyper test304: header CRLF cleanup to work with Hyper test306: make it not run with Hyper tests: disable .curlrc in more environments tests: use %TESTNUMBER instead of fixed number tftp: remove the 3600 second default timeout time: enable 64-bit time_t in supported mingw environments tool_help: add missing argument for --create-file-mode tool_help: Increase space between option and description tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error travis: add a rustls build travis: bump wolfssl to 4.7.0 travis: only build wolfssl when needed travis: split "torture" into a separate "events" build travis: switch ngtcp2 build over to quictls travis: use ubuntu nghttp2 package instead of build our own url.c: use consistent error message for failed resolve url: fix memory leak if OOM in the HSTS handling url: fix possible use-after-free in default protocol urldata: don't touch data->set.httpversion at run-time urldata: fix build without HTTP and MQTT urldata: make 'actions[]' use unsigned char instead of int urldata: merge "struct DynamicStatic" into "struct UrlState" urldata: remove the 'rtspversion' field urldata: remove the _ORIG suffix from string names version.d: Add missing features to the features list wolfssl: don't store a NULL sessionid }}