CVE-2021-22926
CURLOPT_SSLCERT mix-up with Secure Transport
Project curl Security Advisory, July 21st 2021 - Permalink
VULNERABILITY
libcurl-using applications can ask for a specific client certificate
to be used in a transfer. This is done with the
CURLOPT_SSLCERT option (--cert with the
command line tool).
When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a filename - using the same option. If the name exists as a file, it is used instead of by name.
If the application runs with a current working directory that is
writable by other users (like /tmp), a malicious user can
create a filename with the same name as the app wants to use by name,
and thereby trick the application to use the file based cert instead of
the one referred to by name making libcurl send the wrong client
certificate in the TLS connection handshake.
INFO
The fixed libcurl version now instead first checks for a certificate in the key chain using the specified name and only if one does not exist, it checks for a filename.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22926 to this issue.
CWE-295: Improper Certificate Validation
Severity: Medium
AFFECTED VERSIONS
Using libcurl on macOS built to use Secure Transport.
- Affected versions: curl 7.33.0 to and including 7.77.0
- Not affected versions: curl < 7.33.0 and curl >= 7.78.0
- Introduced-in: https://github.com/curl/curl/commit/d2fe616e7e
Also note that libcurl is used by many applications, and not always advertised as such.
SOLUTION
Filenames used in this option must contain at least one slash.
RECOMMENDATIONS
A - Upgrade curl to version 7.78.0
B - Apply the patch to your local version
C - Do now run your application in directories where other users can inject files.
TIMELINE
This issue was reported to the curl project on June 15, 2021.
This advisory was posted on July 21, 2021.
CREDITS
- Reported-by: Harry Sintonen
- Patched-by: Daniel Stenberg
Thanks a lot!