Bug 1211230 (CVE-2023-28319) - VUL-0: CVE-2023-28319: curl: use-after-free in SSH sha256 fingerprint check
Summary: VUL-0: CVE-2023-28319: curl: use-after-free in SSH sha256 fingerprint check
Status: RESOLVED FIXED
Alias: CVE-2023-28319
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/365638/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-28319:5.9:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-09 12:23 UTC by Thomas Leroy
Modified: 2024-04-15 15:02 UTC (History)
2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Leroy 2023-05-09 12:23:22 UTC
CVE-2023-28319: UAF in SSH sha256 fingerprint check
====================================================

Project curl Security Advisory, May 17th 2023 - [Permalink](https://curl.se/docs/CVE-2023-28319.html)

VULNERABILITY
-------------

libcurl offers a feature to verify an SSH server's public key using a SHA 256
hash. When this check fails, libcurl would free the memory for the fingerprint
before it returns an error message containing the (now freed) hash.

This flaw risks inserting sensitive heap-based data into the error message
that might be shown to users or otherwise get leaked and revealed.

INFO
----

This only applies to users of the `CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256` option,
which is **only supported for libcurl built with libssh2** (curl optionally
supports other SSH backends). Either of the options `CURLOPT_VERBOSE` or
`CURLOPT_ERRORBUFFER` also needs to be set to trigger the problem.

The damage is somewhat limited by the extremely short time window between the
free and the use of the freed memory.

The largest possible info leak that can happen due to this flaw, per trigger
occasion, is limited to `CURL_ERROR_SIZE` minus the error message prefix length
(69), i.e. 186 bytes. It will also stop at the first null byte within those 186
bytes.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2023-28319 to this issue.

CWE-416: Use After Free

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.81.0 to and including 8.0.1
- Not affected versions: curl < 7.81.0 and curl >= 8.1.0
- Introduced-in: https://github.com/curl/curl/commit/3467e89bb97e6c87c7

libcurl is used by many applications, but not always advertised as such!

SOLUTION
--------

- Fixed-in: https://github.com/curl/curl/commit/8e21b1a05f3c0ee098dbcb6c

RECOMMENDATIONS
---------------

  A - Upgrade curl to version 8.1.0

  B - Apply the patch to your local version

  C - Do not use `CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256`

TIMELINE
--------

This issue was reported to the curl project on March 21 2023. We contacted
distros@openwall on May 9, 2023.

curl 8.1.0 was released on May 17 2023, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: Wei Chong Tan
- Patched-by: Daniel Stenberg
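The ordering defect the advisory describes (free the fingerprint buffer, then build the error message from the freed pointer) shown next to its corrected ordering, as an added C example. This is not curl's code and not the patch linked above; it replaces malloc/free with a constructed one-slot allocator so that the contents of a freed block can be inspected without undefined behaviour. The fingerprint values, the error message wording, the `ERRBUF_SIZE` constant standing in for `CURL_ERROR_SIZE` and the `FREELIST` marker standing in for allocator bookkeeping are all constructed.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 256   /* constructed stand-in for CURL_ERROR_SIZE */

/* Constructed one-slot "heap". A static array keeps every read well-defined
 * while still modelling what a real allocator does: it overwrites the head
 * of a freed chunk with free-list bookkeeping and may hand the chunk to the
 * next allocation, so whatever sits there ends up in the error message. */
static char g_slot[128];
static int g_slot_busy;

static char *toy_alloc(size_t n)
{
    if (g_slot_busy || n > sizeof g_slot)
        return NULL;
    g_slot_busy = 1;
    memset(g_slot, 0, sizeof g_slot);
    return g_slot;
}

static void toy_free(char *p)
{
    if (p != g_slot)
        return;
    g_slot_busy = 0;
    memcpy(g_slot, "FREELIST", 8);   /* constructed stand-in for allocator metadata */
}

/* Stands in for hashing the server's host key: the caller passes the hex
 * digest directly (constructed; a real check hashes the key first). */
static char *fingerprint_of_hostkey(const char *digest_hex)
{
    char *fp = toy_alloc(strlen(digest_hex) + 1);
    if (fp)
        strcpy(fp, digest_hex);
    return fp;
}

/* Vulnerable ordering: the buffer is freed before the message is built.
 * Returns 0 on match, 1 on mismatch (errbuf filled), -1 on allocation failure. */
int check_fingerprint_vulnerable(const char *digest_hex, const char *pinned,
                                 char *errbuf)
{
    char *fp = fingerprint_of_hostkey(digest_hex);
    if (!fp)
        return -1;
    if (strcmp(fp, pinned) == 0) {
        toy_free(fp);
        return 0;               /* match: accept the host */
    }
    toy_free(fp);               /* BUG: freed here ... */
    snprintf(errbuf, ERRBUF_SIZE,
             "ssh host key fingerprint mismatch: remote %s, expected %s",
             fp, pinned);       /* ... and read here (use after free) */
    return 1;
}

/* Hardened ordering: build the message while fp is still live, then free. */
int check_fingerprint_fixed(const char *digest_hex, const char *pinned,
                            char *errbuf)
{
    char *fp = fingerprint_of_hostkey(digest_hex);
    if (!fp)
        return -1;
    int mismatch = strcmp(fp, pinned) != 0;
    if (mismatch)
        snprintf(errbuf, ERRBUF_SIZE,
                 "ssh host key fingerprint mismatch: remote %s, expected %s",
                 fp, pinned);
    toy_free(fp);               /* nothing dereferences fp after this point */
    return mismatch;
}

/* Constructed digests: 64 hex chars each, the length of a SHA-256 hex digest. */
const char *const PRESENTED = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
const char *const PINNED    = "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210";

int main(void)
{
    char err[ERRBUF_SIZE];
    check_fingerprint_vulnerable(PRESENTED, PINNED, err);
    printf("vulnerable: %s\n", err);   /* message carries stale heap bytes */
    check_fingerprint_fixed(PRESENTED, PINNED, err);
    printf("fixed:      %s\n", err);   /* message carries the real fingerprint */
    return 0;
}
```

With a real allocator the bytes that replace the fingerprint are not a fixed marker but whatever the allocator or a subsequent allocation left in the chunk, which is the leak the advisory describes; the `%s` conversion stopping at the first null byte is also why the advisory caps the leak at 186 bytes rather than the whole chunk.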
Comment 3 Thomas Leroy 2023-05-09 14:06:01 UTC
All SUSE codestreams ship a not affected version.

openSUSE:Factory will need the fix once public.
Comment 12 Maintenance Automation 2023-05-17 08:30:07 UTC
SUSE-SU-2023:2225-1: An update that solves five vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1198608, 1211230, 1211231, 1211232, 1211233
CVE References: CVE-2022-27774, CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322
Jira References: PED-2580
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): curl-8.0.1-11.65.2
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): curl-8.0.1-11.65.2
SUSE Linux Enterprise Server 12 SP5 (src): curl-8.0.1-11.65.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): curl-8.0.1-11.65.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2023-05-17 08:30:09 UTC
SUSE-SU-2023:2224-1: An update that solves four vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1211230, 1211231, 1211232, 1211233
CVE References: CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322
Jira References: PED-2580
Sources used:
openSUSE Leap Micro 5.3 (src): curl-8.0.1-150400.5.23.1
openSUSE Leap 15.4 (src): curl-8.0.1-150400.5.23.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): curl-8.0.1-150400.5.23.1
SUSE Linux Enterprise Micro 5.3 (src): curl-8.0.1-150400.5.23.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): curl-8.0.1-150400.5.23.1
SUSE Linux Enterprise Micro 5.4 (src): curl-8.0.1-150400.5.23.1
Basesystem Module 15-SP4 (src): curl-8.0.1-150400.5.23.1
Comment 15 Maintenance Automation 2023-06-21 20:30:03 UTC
SUSE-SU-2023:2224-2: An update that solves four vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1211230, 1211231, 1211232, 1211233
CVE References: CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322
Jira References: PED-2580
Sources used:
openSUSE Leap 15.5 (src): curl-8.0.1-150400.5.23.1
Comment 19 Marcus Meissner 2024-04-15 15:02:23 UTC
released