FTP-KRB bad message verification
Project curl Security Advisory, June 27th 2022 - Permalink
When curl does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.
This flaw typically makes curl insert
599 (+ terminating null) into the data where it detects the error, then the attackers data. It forces the attacker to be somewhat creative to handle this initial hard-coded 5 byte sequence of "junk".
FTP-KRB is a rarely used feature.
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
- Affected versions: curl 7.16.4 to and including 7.83.1
- Not affected versions: curl < 7.16.4 and curl >= 7.84.0
- Introduced-in: https://github.com/curl/curl/commit/54967d2a3a
libcurl is used by many applications, but not always advertised as such!
A - Upgrade curl to version 7.84.0
B - Apply the patch to your local version
C - Do not use KRB-FTP
This issue was reported to the curl project on June 2, 2022. We contacted distros@openwall on June 20.
libcurl 7.84.0 was released on June 27 2022, coordinated with the publication of this advisory.
- Reported-by: Harry Sintonen
- Patched-by: Daniel Stenberg
Thanks a lot!