CVE-2014-3620
cookie leak for TLDs
Project curl Security Advisory, September 10th 2014 Permalink
VULNERABILITY
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.
INFO
Cookie parsing and use is opt-in by applications and is not enabled by default.
libcurl's cookie parser has no Public Suffix awareness, so apart from rejecting TLDs from being allowed it might still allow cookies for domains that are otherwise widely rejected by ordinary browsers. See https://publicsuffix.org/ for details.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2014-3620 to this issue.
CWE-201: Information Exposure Through Sent Data
Severity: High
AFFECTED VERSIONS
- Affected versions: from libcurl 7.31.0 to and including 7.37.1
- Not affected versions: libcurl < 7.31.0 and libcurl >= 7.38.0
- Introduced-in: https://github.com/curl/curl/commit/85b9dc8023
libcurl is used by many applications, but not always advertised as such!
SOLUTION
libcurl 7.38.0 does not accept cookies set for just a TLD. Note that it does not add any public suffix awareness apart from that.
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade to curl and libcurl 7.38.0
B - Apply the patch and rebuild libcurl
C - Avoid using cookies in your application
TIMELINE
It was reported to the curl project on August 15th 2014. We contacted distros@openwall on September 1st.
libcurl 7.38.0 was released on September 10th 2014, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Tim Ruehsen
- Patched-by: Daniel Stenberg
Thanks a lot!