case insensitive password comparison
Project curl Security Advisory, November 2, 2016 - Permalink
VULNERABILITY
When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections.
This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.
We are not aware of any exploit of this flaw.
INFO
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-8616 to this issue.
CWE-178: Improper Handling of Case Sensitivity
AFFECTED VERSIONS
This flaw exists in the following curl versions.
- Affected versions: curl 7.7 to and including 7.50.3
- Not affected versions: curl < 7.7 and curl >= 7.51.0
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
In version 7.51.0, the comparisons are done case sensitively.
A patch for CVE-2016-8616 is available.
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 7.51.0
B - Apply the patch to your version and rebuild
TIME LINE
It was first reported to the curl project on September 23 by Cure53.
We contacted distros@openwall on October 19.
curl 7.51.0 was released on November 2 2016, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Cure53
- Patched-by: Daniel Stenberg
This vulnerability was found during a Secure Open Source audit performed by Cure53.