Awarded 800 USD

CVE-2021-22925

TELNET stack contents disclosure again

Project curl Security Advisory, July 21st 2021

VULNERABILITY

curl supports the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers.

Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack-based buffer to the server, potentially revealing sensitive internal information to that server over a clear-text network protocol.

This could happen because curl did not use sscanf() correctly when parsing the string provided by the application: it did not verify that every buffer it went on to send had actually been filled in.

The previous curl security vulnerability, CVE-2021-22898, is almost identical to this one, but its fix was insufficient, so this vulnerability remained.

INFO

There was a previous attempt to fix this issue in curl 7.77.0, but it was not done properly.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22925 to this issue.

CWE-457: Use of Uninitialized Variable

Severity: Medium

AFFECTED VERSIONS

Affected versions: curl up to and including 7.77.0 (the attempted fix in 7.77.0 did not remove the flaw)

Not affected versions: curl 7.78.0 and later

libcurl is used by many applications, but not always advertised as such.

SOLUTION

Use sscanf() properly: check that it performed every expected conversion, and only send buffers that it has actually filled in.
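As an added illustration (not curl's own lib/telnet.c code), the following C program shows the class of bug described under VULNERABILITY and the fix described under SOLUTION: a parser that treats any nonzero sscanf() return as success, so a NEW_ENV option given without a ",value" part leaves the value buffer holding whatever was already on the stack, next to the corrected form that clears both buffers and requires exactly two conversions. The "%127[^,],%127s" format, the VAR/VALUE encoding and the stale-byte marker are assumptions made for this example; the marker stands in for real uninitialized memory so that the leak is visible and deterministic.

```c
#include <stdio.h>
#include <string.h>

/* NEW-ENVIRON suboption codes from RFC 1572 */
#define NEW_ENV_VAR   0
#define NEW_ENV_VALUE 1

#define VAR_MAX 128
#define STALE_MARKER "stale-stack-bytes"

/* Weak parser: the class of bug in the advisory. sscanf() returns the
   number of conversions performed; treating any nonzero return as
   success accepts 1, i.e. a name with no ",value", and leaves
   varcontent holding whatever it held before. */
int parse_new_env_weak(const char *spec, char *varname, char *varcontent)
{
  if(sscanf(spec, "%127[^,],%127s", varname, varcontent))
    return 0;
  return -1;
}

/* Fixed parser: empty both buffers first and insist on exactly two
   conversions, so a partial match can never reach the wire. */
int parse_new_env_fixed(const char *spec, char *varname, char *varcontent)
{
  varname[0] = '\0';
  varcontent[0] = '\0';
  if(sscanf(spec, "%127[^,],%127s", varname, varcontent) != 2)
    return -1;
  return 0;
}

/* Encodes one VAR name VALUE value pair the way a NEW-ENVIRON reply
   carries it. Returns the number of bytes placed in out, or 0 if the
   spec was rejected or does not fit. out is NUL-terminated for
   inspection only; the terminator is not counted. */
size_t build_new_env(int (*parser)(const char *, char *, char *),
                     const char *spec, unsigned char *out, size_t outlen)
{
  char varname[VAR_MAX];
  char varcontent[VAR_MAX];
  size_t nlen, vlen, total;

  /* Constructed stand-in for stale stack data (assumption for the
     example). Real uninitialized memory holds arbitrary leftovers; a
     fixed marker makes the leak visible and testable. */
  strcpy(varname, "stale");
  strcpy(varcontent, STALE_MARKER);

  if(parser(spec, varname, varcontent) != 0)
    return 0;

  nlen = strlen(varname);
  vlen = strlen(varcontent);
  total = 1 + nlen + 1 + vlen;
  if(total + 1 > outlen)
    return 0;

  out[0] = NEW_ENV_VAR;
  memcpy(out + 1, varname, nlen);
  out[1 + nlen] = NEW_ENV_VALUE;
  memcpy(out + 2 + nlen, varcontent, vlen);
  out[total] = '\0';
  return total;
}

/* Bytes that would be sent for spec, 0 when the parser refuses it. */
size_t bytes_sent(int (*parser)(const char *, char *, char *),
                  const char *spec)
{
  unsigned char out[2 * VAR_MAX + 4];
  return build_new_env(parser, spec, out, sizeof(out));
}

/* 1 if the encoded pair carries the stale marker, i.e. bytes the
   application never supplied would go to the server; 0 otherwise. */
int sends_stale_bytes(int (*parser)(const char *, char *, char *),
                      const char *spec)
{
  unsigned char out[2 * VAR_MAX + 4];
  size_t n = build_new_env(parser, spec, out, sizeof(out));
  /* out[0] is the VAR byte (0), so search from the name onwards */
  return n > 0 && strstr((char *)out + 1, STALE_MARKER) != NULL;
}

int main(void)
{
  /* Constructed option strings: complete, missing value, empty value */
  const char *specs[] = { "USER,alice", "USER", "USER," };
  size_t i;
  for(i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
    printf("%-12s weak: %zu bytes stale=%d | fixed: %zu bytes stale=%d\n",
           specs[i],
           bytes_sent(parse_new_env_weak, specs[i]),
           sends_stale_bytes(parse_new_env_weak, specs[i]),
           bytes_sent(parse_new_env_fixed, specs[i]),
           sends_stale_bytes(parse_new_env_fixed, specs[i]));
  }
  return 0;
}
```

The weak parser sends "USER" and "USER," with the marker as the VALUE, because sscanf() returns 1 in both cases and the check does not distinguish 1 from 2; the fixed parser refuses both and only encodes "USER,alice". Clearing the buffers before the call is a second line of defence: even if a later change loosens the return-value check again, an unfilled field is sent as an empty string rather than as stack contents.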

RECOMMENDATIONS

A - Upgrade curl to version 7.78.0

B - Apply the patch to your local version

C - Avoid using CURLOPT_TELNETOPTIONS (the -t command line option)

TIMELINE

This issue was reported to the curl project on June 11, 2021.

This advisory was posted on July 21, 2021.

CREDITS

Thanks a lot!