oss-sec mailing list archives
[SECURITY ADVISORY] curl OAUTH2 bearer bypass in connection re-use
From: Daniel Stenberg <daniel () haxx se>
Date: Wed, 27 Apr 2022 08:40:18 +0200 (CEST)
OAUTH2 bearer bypass in connection re-use ========================================= Project curl Security Advisory, April 27th 2022 - [Permalink](https://curl.se/docs/CVE-2022-22576.html) VULNERABILITY ------------- libcurl might reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). libcurl maintains a pool of live connections after a transfer has completed (sometimes called the connection cache). This pool of connections is then gone through when a new transfer is requested and if there is a live connection available that can be reused, it is preferred instead of creating a new one. Due to this security vulnerability, a connection that is successfully created and authenticated with a user name + OAUTH2 bearer could subsequently be erroneously reused even for user + [other OAUTH2 bearer], even though that might not even be a valid bearer. This could lead to an authentication bypass, either by mistake or by a malicious actor. We are not aware of any exploit of this flaw. INFO ---- This flaw was introduced in curl in 2013 with the commit series that started with [19a05c908f7d8b](https://github.com/curl/curl/commit/19a05c908f7d8b). The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-22576 to this issue. CWE-305: Authentication Bypass by Primary Weakness Severity: Medium AFFECTED VERSIONS ----------------- - Affected versions: curl 7.33.0 to and including 7.82.0 - Not affected versions: curl < 7.33.0 and curl >= 7.83.0 Note that libcurl is used by many applications, but not always advertised as such. THE SOLUTION ------------ A [fix for CVE-2022-22576](https://github.com/curl/curl/commit/852aa5ad351ea53e5f) RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 7.83.0 B - Apply the patch to your version and rebuild C - Set the bearer string as password *as well* when using OAUTH2 bearer authentication with these protocols. TIME LINE --------- It was first reported to the curl project on March 18 2022. We contacted distros@openwall on April 18. libcurl 7.83.0 was released on April 27 2022, coordinated with the publication of this advisory. CREDITS ------- Reported and patched by Patrick Monnerat. Thanks a lot! -- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://curl.se/support.html
Current thread:
- [SECURITY ADVISORY] curl OAUTH2 bearer bypass in connection re-use Daniel Stenberg (Apr 26)