Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <976r6q0-o5sr-p1o0-5p6o-63748549593n@unkk.fr>
Date: Wed, 27 Apr 2022 08:41:11 +0200 (CEST)
From: Daniel Stenberg <daniel@...x.se>
To: curl security announcements -- curl users <curl-users@...ts.haxx.se>, 
    curl-announce@...ts.haxx.se, libcurl hacking <curl-library@...ts.haxx.se>, 
    oss-security@...ts.openwall.com
Subject: [SECURITY ADVISORY] curl credential leak on redirect

Credential leak on redirect
===========================

Project curl Security Advisory, April 27th 2022 -
[Permalink](https://curl.se/docs/CVE-2022-27774.html)

VULNERABILITY
-------------

curl follows HTTP(S) redirects when asked to. curl also supports
authentication. When a user and password are provided for a URL with a given
hostname, curl makes an effort to not pass on those credentials to other hosts
in redirects unless given permission with a special option.

This "same host check" has been flawed all since it was introduced. It does
not work on cross protocol redirects and it does not consider different port
numbers to be separate hosts. This leads to curl leaking credentials to other
servers when it follows redirects from auth protected HTTP(S) URLs to other
protocols and port numbers. It could also leak the TLS SRP credentials this
way.

By default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked
to allow redirects to all protocols curl supports.

We are not aware of any exploit of this flaw.

INFO
----

This flaw was added in curl 4.9 with the introduction of `--location` and has
been present in all libcurl versions ever released. In July 2000 in the curl
7.1.1 release, [this commit](https://github.com/curl/curl/commit/29eda80f9669f) was the first
version that attempted to avoid this, but the check has been bad since then.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-27774 to this issue.

CWE-522: Insufficiently Protected Credentials

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 4.9 to and including 7.82.0
- Not affected versions: curl < 4.9 and curl >= 7.83.0

Note that libcurl is used by many applications, but not always advertised as
such.

THE SOLUTION
------------

There are two separate patches to apply for CVE-2022-27774: [the main
one](https://github.com/curl/curl/commit/620ea21410030a997) and [the SRP
follow-up](https://github.com/curl/curl/commit/139a54ed0a172ada).

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.83.0

  B - Apply the patches to your version and rebuild

  C - Switch off curl's automatic redirect following

TIME LINE
---------

It was first reported to the curl project on April 18 2022. We contacted
distros@...nwall on April 19.

libcurl 7.83.0 was released on April 27 2022, coordinated with the
publication of this advisory.

CREDITS
-------

Reported by Harry Sintonen.

Thanks a lot!

-- 

  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.