Bug 1077001 - (CVE-2018-1000007) VUL-0: CVE-2018-1000007: curl: HTTP authentication leak in redirects
(CVE-2018-1000007)
VUL-0: CVE-2018-1000007: curl: HTTP authentication leak in redirects
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Pedro Monreal Gonzalez
Security Team bot
https://smash.suse.de/issue/198736/
CVSSv3:SUSE:CVE-2018-1000007:4.4:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-22 10:03 UTC by Marcus Meissner
Modified: 2018-05-14 14:41 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Patches for SLE-1{0,1,2} (3.21 KB, application/gzip)
2018-01-23 11:57 UTC, Pedro Monreal Gonzalez
Details

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Marcus Meissner 2018-01-23 10:16:53 UTC
CVE-2018-1000007
Comment 3 Pedro Monreal Gonzalez 2018-01-23 11:56:20 UTC
Packages submitted:

openSUSE:Factory        7.57.0  We'll update to version 7.58.0 on the 24th
SUSE:SLE-12:Update      7.37.0  curl-7.37.0-CVE-2018-1000007.patch sr#152344
SUSE:SLE-11-SP3:Update  7.19.7  curl-7.19.7-CVE-2018-1000007.patch sr#152345
SUSE:SLE-11-SP1:Update  7.19.7  curl-7.19.7-CVE-2018-1000007.patch sr#152346
SUSE:SLE-10-SP3:Update  7.15.1  curl-7.15.1-CVE-2018-1000007.patch sr#152347
Comment 4 Pedro Monreal Gonzalez 2018-01-23 11:57:07 UTC
Created attachment 757258 [details]
Patches for SLE-1{0,1,2}
Comment 6 Marcus Meissner 2018-01-24 07:33:05 UTC
is public now:

HTTP authentication leak in redirects
=====================================

Project curl Security Advisory, January 24th 2018 -
[Permalink](https://curl.haxx.se/docs/adv_2018-b3bf.html)

VULNERABILITY
-------------

libcurl might leak authentication data to third parties.

When asked to send custom headers in its HTTP requests, libcurl will send that
set of headers first to the host in the initial URL but also, if asked to
follow redirects and a 30X HTTP response code is returned, to the host
mentioned in URL in the `Location:` response header value.

Sending the same set of headers to subsequest hosts is in particular a problem
for applications that pass on custom `Authorization:` headers, as this header
often contains privacy sensitive information or data that could allow others
to impersonate the libcurl-using client's request.

We are not aware of any exploit of this flaw.

INFO
----

This bug has existed since before curl 6.0. It existed in the first commit we
have recorded in the project.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-1000007 to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.1 to and including 7.57.0
- Not affected versions: libcurl >= 7.58.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In libcurl version 7.58.0, custom `Authorization:` headers will be limited the
same way other such headers is controlled within libcurl: they will only be
sent to the host used in the original URL unless libcurl is told that it is ok
to pass on to others using the `CURLOPT_UNRESTRICTED_AUTH` option.

**NOTE**: this solution creates a slight change in behavior. Users who
actually want to pass on the header to other hosts now need to give curl that
specific permission. You do this with
[--location-trusted](https://curl.haxx.se/docs/manpage.html#--location-trusted)
with the curl command line tool.

A [patch for
CVE-2018-1000007](https://github.com/curl/curl/commit/af32cd3859336ab.patch)
is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.58.0

  B - Apply the patch to your version and rebuild

  C - Do not enable CURLOPT_FOLLOWLOCATION if you pass on custom Authorization
      headers

TIME LINE
---------

It was reported to the curl project on January 18, 2018

We contacted distros@openwall on January 19.

curl 7.58.0 was released on January 24 2018, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Craig de Stigter. Patch by Daniel Stenberg.

Thanks a lot!

-- 

  / daniel.haxx.se
Comment 7 Pedro Monreal Gonzalez 2018-01-24 11:20:42 UTC
Packages submitted for Factory, see requests:

https://build.opensuse.org/request/show/568861
https://build.opensuse.org/request/show/568866
Comment 8 Swamp Workflow Management 2018-01-25 14:25:58 UTC
SUSE-SU-2018:0214-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1027712,1061876,1077001
CVE References: CVE-2017-1000254,CVE-2018-1000007
Sources used:
SUSE Studio Onsite 1.3 (src):    curl-7.19.7-1.20.53.13.1
Comment 9 Swamp Workflow Management 2018-01-25 15:34:28 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-02-08.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63949
Comment 10 Swamp Workflow Management 2018-01-25 17:09:43 UTC
SUSE-SU-2018:0217-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1077001
CVE References: CVE-2018-1000007
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    curl-7.37.0-37.14.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    curl-7.37.0-37.14.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    curl-7.37.0-37.14.1
SUSE Linux Enterprise Server 12-SP3 (src):    curl-7.37.0-37.14.1
SUSE Linux Enterprise Server 12-SP2 (src):    curl-7.37.0-37.14.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    curl-7.37.0-37.14.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    curl-7.37.0-37.14.1
SUSE CaaS Platform ALL (src):    curl-7.37.0-37.14.1
OpenStack Cloud Magnum Orchestration 7 (src):    curl-7.37.0-37.14.1
Comment 11 Swamp Workflow Management 2018-01-26 11:10:34 UTC
SUSE-SU-2018:0230-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027712,1077001
CVE References: CVE-2016-7141,CVE-2018-1000007
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.19.7-1.70.13.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.19.7-1.70.13.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.19.7-1.70.13.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.19.7-1.70.13.1
Comment 12 Swamp Workflow Management 2018-01-26 20:08:08 UTC
openSUSE-SU-2018:0236-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1077001
CVE References: CVE-2018-1000007
Sources used:
openSUSE Leap 42.3 (src):    curl-7.37.0-30.1
openSUSE Leap 42.2 (src):    curl-7.37.0-16.15.1
Comment 13 Marcus Meissner 2018-01-31 09:28:03 UTC
released