Bug 1198766 - (CVE-2022-27776) VUL-1: CVE-2022-27776: curl: Auth/cookie leak on redirect
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/329920/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-27776:5.3:(AV:...
Reported: 2022-04-22 14:50 UTC by Marcus Meissner
Modified: 2022-05-16 13:28 UTC (History)
Found By: Security Response Team
Comment 4 Robert Frohl 2022-04-27 06:49:49 UTC
oss-security:

Auth/cookie leak on redirect
============================

Project curl Security Advisory, April 27 2022 -
[Permalink](https://curl.se/docs/CVE-2022-27776.html)

VULNERABILITY
-------------

curl might leak authentication or cookie header data on HTTP redirects to the
same host but another port number.

When asked to send custom headers or cookies in its HTTP requests, curl sends
that set of headers only to the host whose name is used in the initial URL, so
that redirects to other hosts will make curl send the data to those. However,
due to a flawed check, curl wrongly also sends that same set of headers to
hosts that are identical to the first one but use a different port number or
URL scheme, contrary to expectation and intention.

Sending the same set of headers to a server on a different port number is a
problem for applications that pass on custom `Authorization:` or `Cookie:`
headers, as those headers often contain privacy sensitive information or data.

curl and libcurl have options that allow users to opt out from this check, but
those are not set by default.

We are not aware of any exploit of this flaw.

INFO
----

This flaw was added in curl 4.9 with the introduction of `--location` and has
been present in all libcurl versions ever released. In July 2000 in the curl
7.1.1 release, [this commit](https://github.com/curl/curl/commit/29eda80f9669f) was the first
version that attempted to avoid this, but the check has been bad since then.

In 2018, [CVE-2018-1000007](https://curl.se/docs/CVE-2018-1000007.html) was
reported that partly addressed this area - but in an incomplete way.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-27776 to this issue.

CWE-522: Insufficiently Protected Credentials

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 4.9 to and including 7.82.0
- Not affected versions: curl < 4.9 and curl >= 7.83.0

Also note that libcurl is used by many applications, and not always advertised
as such.

THE SOLUTION
------------

In curl version 7.83.0, the same-host check is extended to check the port
number and protocol as well.

A [fix for CVE-2022-27776](https://github.com/curl/curl/commit/6e659993952aa5f90f488)

RECOMMENDATIONS
---------------

 A - Upgrade curl to version 7.83.0

 B - Apply the patch to your local version

 C - Do not enable `CURLOPT_FOLLOWLOCATION` if you pass on custom
     `Authorization:` headers or cookies.

TIMELINE
--------

This issue was reported to the curl project on April 21, 2022. We contacted
distros@openwall on April 22.

libcurl 7.83.0 was released on April 27 2022, coordinated with the publication
of this advisory.

CREDITS
-------

This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.

Thanks a lot!
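The advisory above describes the fix as extending curl's "same host" test to cover the port number and scheme as well. The following is an added, stand-alone C example (not curl's code, and not from the advisory or from any commenter) that re-implements both checks side by side: `flawed_same_host()` models the pre-7.83.0 behaviour (host name only), and `same_origin()` models the 7.83.0 rule (scheme, host and effective port must all match) that an application should apply before re-sending a custom `Authorization:` or `Cookie:` header on a redirect. All function and struct names, the URL parser and the sample URLs are this example's own constructions; the parser handles only `scheme://host[:port]/...` with http/https defaults and is not a general URL parser.

```c
/* Added example: same-host vs same-origin check before forwarding
 * credential-bearing headers on an HTTP redirect. Hypothetical
 * re-implementation; not curl's code. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct origin {
    char scheme[16];
    char host[256];
    int  port;   /* effective port: explicit in the URL, or the scheme default */
};

/* Default port for the scheme, 0 if unknown. */
static int default_port(const char *scheme)
{
    if (strcmp(scheme, "http") == 0)  return 80;
    if (strcmp(scheme, "https") == 0) return 443;
    return 0;
}

/* Parse "scheme://host[:port][/path...]" into o (scheme and host lowercased).
 * Returns 0 on success, -1 on malformed input. IPv6 literals such as [::1]
 * are kept with their brackets; userinfo ("user@host") is not supported. */
int parse_origin(const char *url, struct origin *o)
{
    const char *sep = strstr(url, "://");
    if (!sep) return -1;
    size_t n = (size_t)(sep - url);
    if (n == 0 || n >= sizeof(o->scheme)) return -1;
    for (size_t i = 0; i < n; i++)
        o->scheme[i] = (char)tolower((unsigned char)url[i]);
    o->scheme[n] = '\0';

    const char *h = sep + 3;
    const char *hend;
    if (*h == '[') {                        /* IPv6 literal */
        hend = strchr(h, ']');
        if (!hend) return -1;
        hend++;
    } else {
        hend = h + strcspn(h, ":/?#");
    }
    n = (size_t)(hend - h);
    if (n == 0 || n >= sizeof(o->host)) return -1;
    for (size_t i = 0; i < n; i++)
        o->host[i] = (char)tolower((unsigned char)h[i]);
    o->host[n] = '\0';

    if (*hend == ':') {
        char *end;
        long port = strtol(hend + 1, &end, 10);
        if (end == hend + 1 || port < 1 || port > 65535) return -1;
        o->port = (int)port;
    } else {
        o->port = default_port(o->scheme);
        if (o->port == 0) return -1;        /* unknown scheme, no default port */
    }
    return 0;
}

/* The flawed check (host name only): lets https://example.com:8080 or
 * http://example.com receive headers that were meant for https://example.com. */
int flawed_same_host(const char *first, const char *redirect)
{
    struct origin a, b;
    if (parse_origin(first, &a) || parse_origin(redirect, &b)) return 0;
    return strcmp(a.host, b.host) == 0;
}

/* The corrected check: scheme, host and effective port must all match.
 * Unparseable input is treated as "not the same origin", i.e. do not forward. */
int same_origin(const char *first, const char *redirect)
{
    struct origin a, b;
    if (parse_origin(first, &a) || parse_origin(redirect, &b)) return 0;
    return strcmp(a.scheme, b.scheme) == 0 &&
           strcmp(a.host, b.host) == 0 &&
           a.port == b.port;
}

int main(void)
{
    /* Constructed sample: initial request and candidate Location: targets. */
    const char *first = "https://example.com/login";
    const char *cases[] = {
        "https://example.com/next",
        "https://example.com:8080/next",
        "http://example.com/next",
        "https://EXAMPLE.com:443/next",
        "https://other.example.com/next",
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-34s flawed=%d fixed=%d\n", cases[i],
               flawed_same_host(first, cases[i]), same_origin(first, cases[i]));
    return 0;
}
```

The second and third sample redirects are exactly the cases the advisory describes: the host name matches, so the host-only check returns 1 and the headers would be re-sent, while the scheme+host+port check returns 0. Treating a parse failure as "different origin" is the safe default here, since the cost of a false negative is one extra authentication round trip and the cost of a false positive is a credential leak.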
Comment 13 Swamp Workflow Management 2022-05-13 19:19:58 UTC
SUSE-SU-2022:1657-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1198614,1198723,1198766
CVE References: CVE-2022-22576,CVE-2022-27775,CVE-2022-27776
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    curl-7.66.0-150200.4.30.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    curl-7.66.0-150200.4.30.1
SUSE Linux Enterprise Micro 5.2 (src):    curl-7.66.0-150200.4.30.1
SUSE Linux Enterprise Micro 5.1 (src):    curl-7.66.0-150200.4.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-05-16 13:28:55 UTC
SUSE-SU-2022:1680-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1198614,1198766
CVE References: CVE-2022-22576,CVE-2022-27776
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    curl-7.60.0-11.37.1
SUSE Linux Enterprise Server 12-SP5 (src):    curl-7.60.0-11.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.