CVE-2022-32208
FTP-KRB bad message verification
Project curl Security Advisory, June 27th 2022
VULNERABILITY
When curl does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.
INFO
CVE-2022-32208 was introduced in commit 54967d2a3a, shipped in curl 7.16.4.
This flaw typically makes curl insert 599 (+ terminating null) into the data where it detects the error, then the attacker's data. It forces the attacker to be somewhat creative to handle this initial hard-coded 5 byte sequence of "junk".
FTP-KRB is a rarely used feature.
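The failure mode described above, modelled as an added example that is not curl's code: a hypothetical message reader that reacts to a failed integrity check by writing "599" plus a NUL into its output and then passing the unverified bytes through, beside the fail-closed version a defender wants. The one-byte XOR tag is a constructed stand-in for the real krb5 integrity check, and all function names are assumptions.

```c
#include <string.h>
#include <stddef.h>

#define TAG_LEN 1

/* Constructed placeholder for the krb5 message-integrity check (not a real MAC). */
static unsigned char toy_tag(const unsigned char *p, size_t n)
{
  unsigned char t = 0x5a;
  for(size_t i = 0; i < n; i++)
    t ^= p[i];
  return t;
}

/* Wire format assumed here: payload bytes followed by a one-byte tag. */
static int verify(const unsigned char *msg, size_t len)
{
  if(len < TAG_LEN)
    return 0;
  return toy_tag(msg, len - TAG_LEN) == msg[len - TAG_LEN];
}

/* Weak pattern from the advisory: a failed check only prepends "599" + NUL,
 * and the unverified payload is still handed to the caller as data. */
int read_msg_weak(const unsigned char *msg, size_t len, char *out, size_t outsz)
{
  size_t n = 0, body;
  if(len < TAG_LEN || outsz < 5)
    return -1;
  if(!verify(msg, len)) {
    memcpy(out, "599", 4);          /* "599" plus terminating NUL */
    n = 4;
  }
  body = len - TAG_LEN;
  if(n + body >= outsz)
    body = outsz - n - 1;
  memcpy(out + n, msg, body);       /* attacker-controlled bytes follow */
  out[n + body] = '\0';
  return (int)(n + body);           /* reported as success */
}

/* Hardened pattern: an integrity failure is fatal and delivers no bytes. */
int read_msg_strict(const unsigned char *msg, size_t len, char *out, size_t outsz)
{
  size_t body;
  if(!verify(msg, len) || (body = len - TAG_LEN) >= outsz) {
    out[0] = '\0';
    return -1;
  }
  memcpy(out, msg, body);
  out[body] = '\0';
  return (int)body;
}
```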
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 7.16.4 to and including 7.83.1
- Not affected versions: curl < 7.16.4 and curl >= 7.84.0
- Introduced-in: https://github.com/curl/curl/commit/54967d2a3a
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
A - Upgrade curl to version 7.84.0
B - Apply the patch to your local version
C - Do not use KRB-FTP
TIMELINE
This issue was reported to the curl project on June 2, 2022. We contacted distros@openwall on June 20.
libcurl 7.84.0 was released on June 27 2022, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Harry Sintonen
- Patched-by: Daniel Stenberg
Thanks a lot!