CVE-2021-22925
TELNET stack contents disclosure again
Project curl Security Advisory, July 21st 2021
VULNERABILITY
curl supports the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers.
Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack-based buffer to the server, potentially revealing sensitive internal information to the server over a clear-text network protocol.
This could happen because curl did not call and use sscanf() correctly when parsing the string provided by the application.
The previous curl security vulnerability CVE-2021-22898 is almost identical to this one but the fix was insufficient so this security vulnerability remained.
INFO
There was a previous attempt to fix this issue in curl 7.77.0 but it was not done properly.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22925 to this issue.
CWE-457: Use of Uninitialized Variable
Severity: Medium
AFFECTED VERSIONS
- Affected versions: curl 7.7 to and including 7.77.0
- Not affected versions: curl < 7.7 and curl >= 7.78.0
- Introduced-in: https://github.com/curl/curl/commit/a1d6ad2610
libcurl is used by many applications, but not always advertised as such.
SOLUTION
Use sscanf() properly and only use properly filled-in buffers.
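The flaw described under VULNERABILITY and the fix described under SOLUTION, as an added C example that is not curl's own code: the vulnerable pattern drops the sscanf() match count, so an unfilled stack buffer is still formatted into the outgoing message, while the hardened pattern uses the buffers only when both conversions succeeded. The "variable=content" separator, the 127-byte field width and the 'S' fill that stands in for stale stack contents are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 127   /* assumed field width, not curl's real buffer size */

struct env_pair {
    char name[FIELD_MAX + 1];
    char value[FIELD_MAX + 1];
};

/* Vulnerable pattern: the sscanf() match count is dropped, so for input like
 * "USER" or "USER=" the value buffer is never written yet still goes out.
 * The 'S' fill stands in for stale stack data so the leak is deterministic. */
int format_vulnerable(const char *opt, char *out, size_t outlen)
{
    struct env_pair p;
    memset(&p, 'S', sizeof p); p.name[8] = p.value[8] = '\0'; /* simulated stale data */
    sscanf(opt, "%127[^=]=%127[^\n]", p.name, p.value);      /* count ignored */
    return snprintf(out, outlen, "%s=%s", p.name, p.value);
}

/* Hardened pattern: accept the pair only when sscanf() reports that both
 * conversions filled their buffers; anything else is rejected outright. */
int parse_env_pair(const char *opt, struct env_pair *p)
{
    return sscanf(opt, "%127[^=]=%127[^\n]", p->name, p->value) == 2;
}

int format_hardened(const char *opt, char *out, size_t outlen)
{
    struct env_pair p;
    if (!parse_env_pair(opt, &p))
        return -1;   /* rejected: nothing half-built reaches the network */
    return snprintf(out, outlen, "%s=%s", p.name, p.value);
}

int main(void)
{
    const char *samples[] = { "USER=alice", "USER=", "USER" };  /* constructed */
    char out[2 * FIELD_MAX + 2];
    for (int i = 0; i < 3; i++) {
        format_vulnerable(samples[i], out, sizeof out);
        printf("vulnerable %-10s -> %s\n", samples[i], out);
        if (format_hardened(samples[i], out, sizeof out) < 0)
            strcpy(out, "rejected");
        printf("hardened   %-10s -> %s\n", samples[i], out);
    }
    return 0;
}
```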
RECOMMENDATIONS
A - Upgrade curl to version 7.78.0
B - Apply the patch to your local version
C - Avoid using CURLOPT_TELNETOPTIONS
TIMELINE
This issue was reported to the curl project on June 11, 2021.
This advisory was posted on July 21, 2021.
CREDITS
- Reported-by: Red Hat Product Security
- Patched-by: Red Hat Product Security
Thanks a lot!