Bug 1200737 – VUL-0: CVE-2022-32208: curl: FTP-KRB bad message verification

Bug 1200737 - (CVE-2022-32208) VUL-0: CVE-2022-32208: curl: FTP-KRB bad message verification

(CVE-2022-32208)
Summary:	VUL-0: CVE-2022-32208: curl: FTP-KRB bad message verification

Status:	IN_PROGRESS

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-32208:6.6:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-06-21 07:37 UTC by Marcus Meissner
Modified:	2022-09-01 14:53 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 2 Marcus Meissner 2022-06-21 07:57:26 UTC

all curl affected apparently.

Comment 3 Marcus Meissner 2022-06-27 07:54:36 UTC

public via oss-sec

CVE-2022-32208: FTP-KRB bad message verification
================================================

Project curl Security Advisory, June 27th 2022 -
[Permalink](https://curl.se/docs/CVE-2022-32208.html)

VULNERABILITY
-------------

When curl does FTP transfers secured by krb5, it handles message verification
failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack
to go unnoticed and even allows it to inject data to the client.

We are not aware of any exploit of this flaw.

INFO
----

CVE-2022-32208 was introduced in [commit
54967d2a3a](https://github.com/curl/curl/commit/54967d2a3a), shipped
in curl 7.16.4.

This flaw typically makes curl insert `599 ` (+ terminating null) into the
data where it detects the error, then the attackers data. It forces the
attacker to be somewhat creative to handle this initial hard-coded 5 byte
sequence of "junk".

FTP-KRB is a rarely used feature.

CWE-924: Improper Enforcement of Message Integrity During Transmission in a
Communication Channel

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.16.4 to and including 7.83.1
- Not affected versions: curl < 7.16.4 and curl >= 7.84.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

A [fix for CVE-2022-32208](https://github.com/curl/curl/commit/6ecdf5136b52af7)

RECOMMENDATIONS
--------------

  A - Upgrade curl to version 7.84.0

  B - Apply the patch to your local version

  C - Do not use KRB-FTP

TIMELINE
--------

This issue was reported to the curl project on June 2, 2022. We contacted
distros@openwall on June 20.

libcurl 7.84.0 was released on June 27 2022, coordinated with the publication
of this advisory.

CREDITS
-------

This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.

Comment 5 Swamp Workflow Management 2022-07-06 16:27:05 UTC

SUSE-SU-2022:2305-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1200734,1200735,1200736,1200737
CVE References: CVE-2022-32205,CVE-2022-32206,CVE-2022-32207,CVE-2022-32208
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    curl-7.79.1-150400.5.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    curl-7.79.1-150400.5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Swamp Workflow Management 2022-07-06 16:35:18 UTC

SUSE-SU-2022:2288-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1200735,1200737
CVE References: CVE-2022-32206,CVE-2022-32208
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    curl-7.60.0-11.43.1
SUSE Linux Enterprise Server 12-SP5 (src):    curl-7.60.0-11.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2022-07-07 16:18:38 UTC

SUSE-SU-2022:2327-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1200735,1200737
CVE References: CVE-2022-32206,CVE-2022-32208
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    curl-7.66.0-150200.4.36.1
SUSE Manager Server 4.1 (src):    curl-7.66.0-150200.4.36.1
SUSE Manager Retail Branch Server 4.1 (src):    curl-7.66.0-150200.4.36.1
SUSE Manager Proxy 4.1 (src):    curl-7.66.0-150200.4.36.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    curl-7.66.0-150200.4.36.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    curl-7.66.0-150200.4.36.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    curl-7.66.0-150200.4.36.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    curl-7.66.0-150200.4.36.1
SUSE Linux Enterprise Micro 5.2 (src):    curl-7.66.0-150200.4.36.1
SUSE Linux Enterprise Micro 5.1 (src):    curl-7.66.0-150200.4.36.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    curl-7.66.0-150200.4.36.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    curl-7.66.0-150200.4.36.1
SUSE Enterprise Storage 7 (src):    curl-7.66.0-150200.4.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2022-07-11 19:15:27 UTC

SUSE-SU-2022:2356-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1200737
CVE References: CVE-2022-32208
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP3-BCL (src):    curl-7.37.0-37.79.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    curl-7.37.0-37.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Swamp Workflow Management 2022-08-16 13:20:42 UTC

SUSE-SU-2022:2813-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224,1200735,1200737
CVE References: CVE-2022-27781,CVE-2022-27782,CVE-2022-32206,CVE-2022-32208
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    curl-7.60.0-4.38.1
SUSE OpenStack Cloud 9 (src):    curl-7.60.0-4.38.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    curl-7.60.0-4.38.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    curl-7.60.0-4.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2022-08-17 16:19:04 UTC

SUSE-SU-2022:2829-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224,1200735,1200737
CVE References: CVE-2022-27781,CVE-2022-27782,CVE-2022-32206,CVE-2022-32208
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server for SAP 15 (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server 15-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    curl-7.60.0-150000.33.1
SUSE Enterprise Storage 6 (src):    curl-7.60.0-150000.33.1
SUSE CaaS Platform 4.0 (src):    curl-7.60.0-150000.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2022-09-01 14:53:24 UTC

SUSE-SU-2022:2327-2: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1200735,1200737
CVE References: CVE-2022-32206,CVE-2022-32208
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    curl-7.66.0-150200.4.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.