oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[SECURITY ADVISORY] curl OAUTH2 bearer bypass in connection re-use

From: Daniel Stenberg <daniel () haxx se>
Date: Wed, 27 Apr 2022 08:40:18 +0200 (CEST)
OAUTH2 bearer bypass in connection re-use
=========================================

Project curl Security Advisory, April 27th 2022 -
[Permalink](https://curl.se/docs/CVE-2022-22576.html)

VULNERABILITY
-------------

libcurl might reuse OAUTH2-authenticated connections without properly making
sure that the connection was authenticated with the same credentials as set
for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S),
POP3(S) and LDAP(S) (openldap only).

libcurl maintains a pool of live connections after a transfer has completed
(sometimes called the connection cache). This pool of connections is then gone
through when a new transfer is requested and if there is a live connection
available that can be reused, it is preferred instead of creating a new one.

Due to this security vulnerability, a connection that is successfully created
and authenticated with a user name + OAUTH2 bearer could subsequently be
erroneously reused even for user + [other OAUTH2 bearer], even though that
might not even be a valid bearer. This could lead to an authentication bypass,
either by mistake or by a malicious actor.

We are not aware of any exploit of this flaw.

INFO
----

This flaw was introduced in curl in 2013 with the commit series that started
with [19a05c908f7d8b](https://github.com/curl/curl/commit/19a05c908f7d8b).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-22576 to this issue.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.33.0 to and including 7.82.0
- Not affected versions: curl < 7.33.0 and curl >= 7.83.0

Note that libcurl is used by many applications, but not always advertised as
such.

THE SOLUTION
------------

A [fix for CVE-2022-22576](https://github.com/curl/curl/commit/852aa5ad351ea53e5f)

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl and libcurl to version 7.83.0

 B - Apply the patch to your version and rebuild

 C - Set the bearer string as password *as well* when using OAUTH2 bearer
     authentication with these protocols.

TIME LINE
---------

It was first reported to the curl project on March 18 2022. We contacted
distros@openwall on April 18.

libcurl 7.83.0 was released on April 27 2022, coordinated with the
publication of this advisory.

CREDITS
-------

Reported and patched by Patrick Monnerat.

Thanks a lot!

--

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
Previous By Date Next
Previous By Thread Next

Current thread: