Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO website Info
Protocols
CA Extract HTTP cookies HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Numbering Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / wrong re-use of connections
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Vulnerability Disclosure
Vulnerabilities Table

CVE-2014-0138

wrong re-use of connections

Project curl Security Advisory, March 26th 2014 Permalink

VULNERABILITY

libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP.

libcurl features a pool of recent connections so that subsequent requests can re-use an existing connection to avoid overhead.

When re-using a connection a range of criterion must first be met. Due to an error in the code, a transfer that was initiated by an application could wrongfully re-use an existing connection to the same server that was authenticated using different credentials. The existing logic basically only worked well enough for HTTP and FTP, while all other network protocols were silently, but erroneously, assumed to work like HTTP. Basically, protocols that use connection oriented authentication need a new connection when new credentials are used.

Affected protocols include: SCP, SFTP, POP3(S), IMAP(S), SMTP(S) and LDAP(S).

Applications can disable libcurl's re-use of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not re-used: CURLOPT_FRESH_CONNECT, CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using the curl_multi API).

(This problem is very similar to a problem previously reported to NTLM HTTP connections, named CVE-2014-0015)

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2014-0138 to this issue.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Medium

AFFECTED VERSIONS

This flaw has existed ever since libcurl started to support these other protocols, although the code has been restructured a few times over the years so the mistake has altered shape.

libcurl is used by many applications, but not always advertised as such!

SOLUTION

libcurl 7.36.0 makes sure that connections are re-used more strictly.

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade to curl and libcurl 7.36.0

B - Apply the patch and rebuild libcurl

TIMELINE

It was reported to the curl project on February 15th 2014. We contacted distros@openwall on March 16 2014.

libcurl 7.36.0 was released on March 26th 2014, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!