Bugzilla – Bug 1188219
VUL-0: CVE-2021-22924: curl: Bad connection reuse due to flawed path name checks
Last modified: 2021-10-04 14:38:32 UTC
Hello, one of the vsftpd tests is testing upload and download of files with curl. Below are the logs for curl failing and passing the download.

# curl -1 -v -k --ftp-ssl -O ftp://tester:Test_pass1@127.0.0.1/test_binary.file
*   Trying 127.0.0.1...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 21 (#0)
< 220 Welcome - Local users access only
> AUTH SSL
< 234 Proceed with negotiation.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [86 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [977 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [42 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [7 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES128-SHA
* Server certificate:
*  subject: C=DE; ST=DE; L=Nuremberg; O=SUSE; OU=QAM; CN=SUSE; emailAddress=suse@suse.com
*  start date: Nov 14 14:50:45 2018 GMT
*  expire date: Nov 11 14:50:45 2028 GMT
*  issuer: C=DE; ST=DE; L=Nuremberg; O=SUSE; OU=QAM; CN=SUSE; emailAddress=suse@suse.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
} [5 bytes data]
> USER tester
{ [5 bytes data]
< 331 Please specify the password.
} [5 bytes data]
> PASS Test_pass1
{ [5 bytes data]
< 230 Login successful.
} [5 bytes data]
> PBSZ 0
{ [5 bytes data]
< 200 PBSZ set to 0.
} [5 bytes data]
> PROT P
{ [5 bytes data]
< 200 PROT now Private.
} [5 bytes data]
> PWD
{ [5 bytes data]
< 257 "/srv/ftp/users/tester"
* Entry path is '/srv/ftp/users/tester'
} [5 bytes data]
> EPSV
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
{ [5 bytes data]
< 229 Entering Extended Passive Mode (|||25913|).
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connecting to 127.0.0.1 (127.0.0.1) port 25913
* Connected to 127.0.0.1 (127.0.0.1) port 21 (#0)
} [5 bytes data]
> TYPE I
{ [5 bytes data]
< 200 Switching to Binary mode.
} [5 bytes data]
> SIZE test_binary.file
{ [5 bytes data]
< 213 115
} [5 bytes data]
> RETR test_binary.file
{ [5 bytes data]
< 150 Opening BINARY mode data connection for test_binary.file (115 bytes).
* Maxdownload = -1
* Getting file with size: 115
* Doing the SSL/TLS handshake on the data stream
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [86 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [977 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [42 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [7 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES128-SHA
* Server certificate:
*  subject: C=DE; ST=DE; L=Nuremberg; O=SUSE; OU=QAM; CN=SUSE; emailAddress=suse@suse.com
*  start date: Nov 14 14:50:45 2018 GMT
*  expire date: Nov 11 14:50:45 2028 GMT
*  issuer: C=DE; ST=DE; L=Nuremberg; O=SUSE; OU=QAM; CN=SUSE; emailAddress=suse@suse.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
{ [5 bytes data]
* TLSv1.2 (IN), TLS alert, Client hello (1):
{ [2 bytes data]
* transfer closed with 115 bytes remaining to read
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, Client hello (1):
} [2 bytes data]
  0   115    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, Client hello (1):
} [2 bytes data]
curl: (18) transfer closed with 115 bytes remaining to read

Without the curl update

# curl -1 -v -k --ftp-ssl -O ftp://tester:Test_pass1@127.0.0.1/test_binary.file
*   Trying 127.0.0.1...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 21 (#0)
< 220 Welcome - Local users access only
> AUTH SSL
< 234 Proceed with negotiation.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [86 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [977 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [42 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [7 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES128-SHA
* Server certificate:
*  subject: C=DE; ST=DE; L=Nuremberg; O=SUSE; OU=QAM; CN=SUSE; emailAddress=suse@suse.com
*  start date: Nov 14 14:50:45 2018 GMT
*  expire date: Nov 11 14:50:45 2028 GMT
*  issuer: C=DE; ST=DE; L=Nuremberg; O=SUSE; OU=QAM; CN=SUSE; emailAddress=suse@suse.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
} [5 bytes data]
> USER tester
{ [5 bytes data]
< 331 Please specify the password.
} [5 bytes data]
> PASS Test_pass1
{ [5 bytes data]
< 230 Login successful.
} [5 bytes data]
> PBSZ 0
{ [5 bytes data]
< 200 PBSZ set to 0.
} [5 bytes data]
> PROT P
{ [5 bytes data]
< 200 PROT now Private.
} [5 bytes data]
> PWD
{ [5 bytes data]
< 257 "/srv/ftp/users/tester"
* Entry path is '/srv/ftp/users/tester'
} [5 bytes data]
> EPSV
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
{ [5 bytes data]
< 229 Entering Extended Passive Mode (|||44700|).
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connecting to 127.0.0.1 (127.0.0.1) port 44700
* Connected to 127.0.0.1 (127.0.0.1) port 21 (#0)
} [5 bytes data]
> TYPE I
{ [5 bytes data]
< 200 Switching to Binary mode.
} [5 bytes data]
> SIZE test_binary.file
{ [5 bytes data]
< 213 115
} [5 bytes data]
> RETR test_binary.file
{ [5 bytes data]
< 150 Opening BINARY mode data connection for test_binary.file (115 bytes).
* Maxdownload = -1
* Getting file with size: 115
* Doing the SSL/TLS handshake on the data stream
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* SSL re-using session ID
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [86 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* SSL connection using TLSv1.2 / AES128-SHA
* Server certificate:
*  subject: C=DE; ST=DE; L=Nuremberg; O=SUSE; OU=QAM; CN=SUSE; emailAddress=suse@suse.com
*  start date: Nov 14 14:50:45 2018 GMT
*  expire date: Nov 11 14:50:45 2028 GMT
*  issuer: C=DE; ST=DE; L=Nuremberg; O=SUSE; OU=QAM; CN=SUSE; emailAddress=suse@suse.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
{ [5 bytes data]
* Remembering we are in dir ""
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, Client hello (1):
} [2 bytes data]
< 226 Transfer complete.
100   115  100   115    0     0   1742      0 --:--:-- --:--:-- --:--:--  1769
* Connection #0 to host 127.0.0.1 left intact
Bad connection reuse due to flawed path name checks
===================================================

Project curl Security Advisory, July 21st 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22924.html)

VULNERABILITY
-------------

libcurl keeps previously used connections in a connection pool for subsequent
transfers to reuse, if one of them matches the setup.

Due to errors in the logic, the config matching function did not take 'issuer
cert' into account and it compared the involved paths *case insensitively*,
which could lead to libcurl reusing wrong connections.

File paths are, or can be, case sensitive on many systems but not all, and can
even vary depending on used file systems.

The comparison also didn't include the 'issuer cert' which a transfer can set
to qualify how to verify the server certificate.

We are not aware of any exploit of this flaw.

INFO
----

This flaw has existed in curl since commit
[89721ff04af70f](https://github.com/curl/curl/commit/89721ff04af70f) in
libcurl 7.10.4, released on April 2, 2003.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22924 to this issue.

CWE-295: Improper Certificate Validation

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.10.4 to and including 7.77.0
- Not affected versions: curl < 7.10.4 and curl >= 7.78.0

Also note that libcurl is used by many applications, and not always advertised
as such.

THE SOLUTION
------------

The SSL configs are compared appropriately.

A [fix for CVE-2021-22924](https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161)

RECOMMENDATIONS
---------------

A - Upgrade curl to version 7.78.0

B - Apply the patch to your local version

TIMELINE
--------

This issue was reported to the curl project on June 11, 2021.

This advisory was posted on July 21, 2021.

CREDITS
-------

This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.

Thanks a lot!
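To make the advisory's two defects concrete, the following is a simplified model of a connection-pool matcher, written for this page and not taken from curl (the struct, its field names and the sample paths are assumptions). It puts the flawed rule (case-insensitive path comparison, issuer cert ignored) next to the corrected rule and shows a constructed pair of transfers that only the flawed rule would treat as reusable.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Simplified model (not curl's own struct) of the per-transfer TLS settings
 * that decide whether a pooled connection may be reused. */
struct ssl_cfg {
    bool verifypeer;
    bool verifyhost;
    const char *CApath;     /* directory of trusted CA certificates */
    const char *CAfile;     /* bundle file of trusted CA certificates */
    const char *issuercert; /* certificate the server cert must be issued by */
};

/* Equality of two possibly-NULL strings; two NULLs count as equal. */
static bool str_eq(const char *a, const char *b, bool ignore_case)
{
    if(!a || !b)
        return a == b;
    return ignore_case ? strcasecmp(a, b) == 0 : strcmp(a, b) == 0;
}

/* Matcher modelling the flaw the advisory describes (curl 7.10.4 to 7.77.0):
 * paths are compared case-insensitively and issuercert is never consulted. */
bool match_flawed(const struct ssl_cfg *a, const struct ssl_cfg *b)
{
    return a->verifypeer == b->verifypeer && a->verifyhost == b->verifyhost &&
           str_eq(a->CApath, b->CApath, true) &&
           str_eq(a->CAfile, b->CAfile, true);
}

/* Matcher modelling the fix: case-sensitive paths, issuercert included. */
bool match_fixed(const struct ssl_cfg *a, const struct ssl_cfg *b)
{
    return a->verifypeer == b->verifypeer && a->verifyhost == b->verifyhost &&
           str_eq(a->CApath, b->CApath, false) &&
           str_eq(a->CAfile, b->CAfile, false) &&
           str_eq(a->issuercert, b->issuercert, false);
}

/* Constructed scenario: the second transfer names a CA bundle whose path differs
 * only in case and also pins an issuer cert. Returns 1 when only the flawed
 * matcher would hand it the first transfer's connection. */
int demo(void)
{
    struct ssl_cfg first  = {true, true, NULL, "/etc/ssl/CA-Bundle.pem", NULL};
    struct ssl_cfg second = {true, true, NULL, "/etc/ssl/ca-bundle.pem", "/etc/ssl/issuer.pem"};
    bool flawed = match_flawed(&first, &second);
    bool fixed = match_fixed(&first, &second);
    return flawed && !fixed;
}
```

On a case-sensitive file system the two CAfile paths name different files, so the flawed matcher reuses a connection verified against a trust store the second transfer never asked for.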
Factory submission: https://build.opensuse.org/request/show/907430

Assigning back to security-team.
SUSE-SU-2021:2425-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188217,1188218,1188219,1188220
CVE References: CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    curl-7.60.0-4.25.1
SUSE OpenStack Cloud 9 (src):    curl-7.60.0-4.25.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    curl-7.60.0-4.25.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    curl-7.60.0-4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:2439-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188217,1188218,1188219,1188220
CVE References: CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
JIRA References:
Sources used:
openSUSE Leap 15.3 (src):    curl-7.66.0-4.22.1
SUSE-SU-2021:14768-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188217,1188218,1188219,1188220
CVE References: CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.37.0-70.71.1
SUSE-SU-2021:2439-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188217,1188218,1188219,1188220
CVE References: CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
JIRA References:
Sources used:
SUSE MicroOS 5.0 (src):    curl-7.66.0-4.22.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    curl-7.66.0-4.22.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    curl-7.66.0-4.22.1
SUSE-SU-2021:2440-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188217,1188218,1188219,1188220
CVE References: CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src):    curl-7.60.0-3.47.1
SUSE Manager Retail Branch Server 4.0 (src):    curl-7.60.0-3.47.1
SUSE Manager Proxy 4.0 (src):    curl-7.60.0-3.47.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    curl-7.60.0-3.47.1
SUSE Linux Enterprise Server for SAP 15 (src):    curl-7.60.0-3.47.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    curl-7.60.0-3.47.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    curl-7.60.0-3.47.1
SUSE Linux Enterprise Server 15-LTSS (src):    curl-7.60.0-3.47.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    curl-7.60.0-3.47.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    curl-7.60.0-3.47.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    curl-7.60.0-3.47.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    curl-7.60.0-3.47.1
SUSE Enterprise Storage 6 (src):    curl-7.60.0-3.47.1
SUSE CaaS Platform 4.0 (src):    curl-7.60.0-3.47.1
SUSE-SU-2021:2462-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188217,1188218,1188219,1188220
CVE References: CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    curl-7.60.0-11.23.1
SUSE Linux Enterprise Server 12-SP5 (src):    curl-7.60.0-11.23.1
openSUSE-SU-2021:1088-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188217,1188218,1188219,1188220
CVE References: CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
JIRA References:
Sources used:
openSUSE Leap 15.2 (src):    curl-7.66.0-lp152.3.21.1, curl-mini-7.66.0-lp152.3.21.1
released