Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO website Info
Protocols
CA Extract HTTP cookies HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Numbering Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / Windows OpenSSL engine code injection
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Original report
Vulnerability Disclosure
Vulnerabilities Table
Awarded 200 USD

CVE-2019-5443

Windows OpenSSL engine code injection

Project curl Security Advisory, June 24th 2019 - Permalink

VULNERABILITY

A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that makes curl automatically run the code (as an OpenSSL "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.

This flaw exists in the official curl-for-windows binaries built and hosted by the curl project (all versions up to and including 7.65.1_1). It does not exist in the curl executable shipped by Microsoft, bundled with Windows 10. It possibly exists in other curl builds for Windows too that uses OpenSSL.

The curl project has provided official curl executable builds for Windows since late August 2018.

There exists proof of concept exploits of this flaw.

INFO

This bug sneaked in partly due to insecure default build options in OpenSSL when built cross-compiled and partly due to a misleading commit message in the curl commit that made it possible to disable this feature.

This bug does not exist in the curl or libcurl source code but in the scripts for the Windows build.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2019-5443 to this issue.

CWE-94: Code Injection

Severity: High

AFFECTED VERSIONS

SOLUTION

Replace your downloaded curl version on Windows with the updated download package from the curl site.

The build fix for curl-for-win correcting this flaw is in this commit. It completely disables curl's ability to load an OpenSSL config when invoked.

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade to a fixed curl executable

B - Remove curl executable downloaded from curl.se and instead use the one shipped by Microsoft in Windows 10

TIMELINE

The issue was reported to the curl project on June 12, 2019. The fix was done, verified and communicated with the reporter on June 12, 2019.

While planning the release schedule of this advisory and coordinating with other affected projects, we discovered that this exact flaw had already been published and discussed in public before we were informed about it. A few other OpenSSL-using projects on Windows also had already fixed their builds for this exact problem. Realizing this, we switched gears and decided to publish as soon as possible to minimize user impact.

curl 7.65.1_2 for Windows was uploaded and made available on June 21 2019 - the older, vulnerable builds, were removed from the site at the same time.

This advisory was posted on June 24th 2019.

CREDITS

OpenSSL patch by Viktor Szakats.

Thanks a lot!