Bug 1179398 (CVE-2020-8284) - VUL-0: CVE-2020-8284: curl: trusting FTP PASV responses (1/3)
Summary: VUL-0: CVE-2020-8284: curl: trusting FTP PASV responses (1/3)
Status: RESOLVED FIXED
Alias: CVE-2020-8284
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/272451/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-8284:4.3:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-30 09:37 UTC by Robert Frohl
Modified: 2024-03-12 15:50 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 7 Marcus Meissner 2020-12-09 07:01:10 UTC
now public

trusting FTP PASV responses
===========================

Project curl Security Advisory, December 9th 2020 -
[Permalink](https://curl.se/docs/CVE-2020-8284.html)

VULNERABILITY
-------------

When curl performs a passive FTP transfer, it first tries the `EPSV` command
and if that is not supported, it falls back to using `PASV`.  Passive mode is
what curl uses by default.

A server response to a `PASV` command includes the (IPv4) address and port
number for the client to connect back to in order to perform the actual data
transfer.

This is how the FTP protocol is designed to work.

A malicious server can use the `PASV` response to trick curl into connecting
back to a given IP address and port, and this way potentially make curl
extract information about services that are otherwise private and not
disclosed, for example doing port scanning and service banner extractions.

If curl operates on a URL provided by a user (which by all means is an unwise
setup), a user can exploit that and pass in a URL to a malicious FTP server
instance without needing any server breach to perform the attack.

We are not aware of any exploit of this flaw.

INFO
----

This issue has existed in curl for as long as FTP has been supported, since
day 1.

The flaw only exists for IPv4 since `PASV` doesn't work for IPv6 and curl will
prefer `EPSV`. The passive mode setup for FTP is used for both uploads and
downloads.

curl can be built without FTP support and applications can explicitly disable
FTP for single transfers.

curl users could already mitigate this flaw with `CURLOPT_FTP_SKIP_PASV_IP`
and `--ftp-skip-pasv-ip`.

Other FTP clients have in the past also had this flaw and have fixed it at
different points in time. Firefox fixed it in 2007: CVE-2007-1562.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2020-8284 to this issue.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 4.0 to and including 7.73.0
- Not affected versions: curl >= 7.74.0

Also note that (lib)curl is used by many applications, and not always
advertised as such.

THE SOLUTION
------------

The IP address part of the response is now ignored by default, by making
`CURLOPT_FTP_SKIP_PASV_IP` default to `1L` instead of previously being `0L`.

This has the minor drawback that a small fraction of use cases might break,
when a server truly needs the client to connect back to a different IP address
than what the control connection uses and for those `CURLOPT_FTP_SKIP_PASV_IP`
can be set to `0L`.

The same goes for the command line tool, which then might need
`--no-ftp-skip-pasv-ip` set to prevent curl from ignoring the address in the
server response.

A [fix for CVE-2020-8284](https://github.com/curl/curl/commit/ec9cc725d598ac)

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.74.0

  B - Set `CURLOPT_FTP_SKIP_PASV_IP` to `1L` or use `--ftp-skip-pasv-ip`

  C - Disable FTP availability for your transfers

TIMELINE
--------

This issue was first reported to the curl project on November 21, 2020.

This advisory was posted on December 9th 2020.

CREDITS
-------

This issue was reported by Varnavas Papaioannou. Patched by Daniel Stenberg.

Thanks a lot!

-- 

  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://www.wolfssl.com/contact/
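To make the mitigation in the advisory above concrete, here is an added example (not curl's own code) that parses a `227` reply to `PASV` and applies the `CURLOPT_FTP_SKIP_PASV_IP` rule: the address the server advertises is discarded in favour of the control connection's peer address, and only the port is taken from the reply. The function names, the `control_ip` parameter and the 198.51.100.7 / 10.0.0.5 addresses are constructed for the illustration; this simplified parser accepts only the parenthesised RFC 959 form.

```c
#include <stdio.h>
#include <string.h>

struct pasv_target { char ip[16]; unsigned short port; }; /* IPv4 data target */

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (RFC 959 form).
   Returns 1 on success, 0 when the reply is not a well-formed 227. */
static int parse_pasv_reply(const char *reply, struct pasv_target *out)
{
    unsigned int n[6];
    const char *p = strchr(reply, '(');
    if (strncmp(reply, "227", 3) != 0 || !p ||
        sscanf(p + 1, "%u,%u,%u,%u,%u,%u",
               &n[0], &n[1], &n[2], &n[3], &n[4], &n[5]) != 6)
        return 0;
    for (int i = 0; i < 6; i++)         /* every field is a single byte */
        if (n[i] > 255)
            return 0;
    snprintf(out->ip, sizeof out->ip, "%u.%u.%u.%u", n[0], n[1], n[2], n[3]);
    out->port = (unsigned short)((n[4] << 8) | n[5]);
    return 1;
}
/* skip_pasv_ip plays the role of CURLOPT_FTP_SKIP_PASV_IP: when non-zero (the
   curl >= 7.74.0 default) the advertised address is discarded and the control
   connection's peer (control_ip) is reused; only the port comes from the reply.
   *mismatch records that the server advertised a different address (worth
   logging either way). Returns 1 on success, 0 on a malformed reply. */
static int choose_data_target(const char *reply, const char *control_ip,
                              int skip_pasv_ip, struct pasv_target *out,
                              int *mismatch)
{
    if (!parse_pasv_reply(reply, out))
        return 0;
    *mismatch = strcmp(out->ip, control_ip) != 0;
    if (skip_pasv_ip)
        snprintf(out->ip, sizeof out->ip, "%s", control_ip);
    return 1;
}

int main(void)
{
    /* Constructed reply: the server reached at 198.51.100.7 points us at 10.0.0.5:1025 */
    struct pasv_target t;
    int mismatch;
    if (choose_data_target("227 Entering Passive Mode (10,0,0,5,4,1)",
                           "198.51.100.7", 1, &t, &mismatch))
        printf("data -> %s:%u%s\n", t.ip, t.port,
               mismatch ? " (advertised address ignored)" : "");
    return 0;
}
```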
Comment 8 Swamp Workflow Management 2020-12-09 23:17:48 UTC
SUSE-SU-2020:3733-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179398,1179399,1179593
CVE References: CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    curl-7.60.0-3.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-12-09 23:20:52 UTC
SUSE-SU-2020:3735-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179398,1179399,1179593
CVE References: CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    curl-7.66.0-4.11.1
Comment 10 Swamp Workflow Management 2020-12-10 14:21:08 UTC
SUSE-SU-2020:3739-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179398,1179399,1179593
CVE References: CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    curl-7.60.0-11.9.1
SUSE Linux Enterprise Server 12-SP5 (src):    curl-7.60.0-11.9.1
Comment 12 Swamp Workflow Management 2020-12-13 11:18:13 UTC
openSUSE-SU-2020:2238-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179398,1179399,1179593
CVE References: CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    curl-7.66.0-lp152.3.12.1, curl-mini-7.66.0-lp152.3.12.1
Comment 13 Swamp Workflow Management 2020-12-14 23:31:00 UTC
openSUSE-SU-2020:2249-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179398,1179399,1179593
CVE References: CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    curl-7.60.0-lp151.5.18.1, curl-mini-7.60.0-lp151.5.18.1
Comment 14 Pedro Monreal Gonzalez 2020-12-16 12:36:31 UTC
Factory submission: https://build.opensuse.org/request/show/856452
Comment 19 Swamp Workflow Management 2020-12-21 14:16:45 UTC
SUSE-SU-2020:14585-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179398,1179399
CVE References: CVE-2020-8284,CVE-2020-8285
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.37.0-70.57.1
Comment 21 Swamp Workflow Management 2021-05-27 19:29:11 UTC
SUSE-SU-2021:1786-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1175109,1177976,1179398,1179399,1179593,1183933,1186114
CVE References: CVE-2020-8231,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286,CVE-2021-22876,CVE-2021-22898
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    curl-7.60.0-4.20.1
SUSE OpenStack Cloud 9 (src):    curl-7.60.0-4.20.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    curl-7.60.0-4.20.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    curl-7.60.0-4.20.1
Comment 22 Marcus Meissner 2021-08-09 12:52:12 UTC
released