[SECURITY ADVISORY] curl: CURLOPT_SSLCERT mixup with Secure Transport
From: Daniel Stenberg via curl-users <curl-users_at_cool.haxx.se>
Date: Wed, 21 Jul 2021 09:16:21 +0200 (CEST)
CURLOPT_SSLCERT mixup with Secure Transport
===========================================
Project curl Security Advisory, July 21st 2021 -
[Permalink](https://curl.se/docs/CVE-2021-22926.html)
VULNERABILITY
-------------
libcurl-using applications can ask for a specific client certificate to be
used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert`
with the command line tool).
When libcurl is built to use the macOS native TLS library Secure Transport, an
application can ask for the client certificate either by its keychain name or
by a file name, using the same option. If a file with the given name exists,
the file is used instead of the keychain entry.
If the application runs with a current working directory that is writable by
other users (like `/tmp`), a malicious user can create a file with the same
name as the one the app wants to look up by name, and thereby trick the
application into using the file-based cert instead of the one referred to by
name, making libcurl send the wrong client certificate in the TLS connection
handshake.
We are not aware of any exploit of this flaw.
INFO
----
This flaw has existed in curl since commit
[d2fe616e7e](https://github.com/curl/curl/commit/d2fe616e7e) in libcurl 7.33.0,
released on October 14, 2013.
The fixed libcurl version will now instead first check for a certificate in the
key chain using the specified name and only if one does not exist, it will check
for a file name.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-22926 to this issue.
CWE-295: Improper Certificate Validation
Severity: Medium
AFFECTED VERSIONS
-----------------
Using libcurl on macOS built to use Secure Transport.
- Affected versions: curl 7.33.0 to and including 7.77.0
- Not affected versions: curl < 7.33.0 and curl >= 7.78.0
Also note that libcurl is used by many applications, and not always advertised
as such.
THE SOLUTION
------------
File names used in this option must contain at least one slash.
A [fix for CVE-2021-22926](https://github.com/curl/curl/commit/fd9b40bf8dfd43edcbc0d254d613d95a11061c05)
RECOMMENDATIONS
--------------
A - Upgrade curl to version 7.78.0
B - Apply the patch to your local version
C - Do not run your application in directories where other users can inject
files.
TIMELINE
--------
This issue was reported to the curl project on June 15, 2021.
This advisory was posted on July 21, 2021.
CREDITS
-------
This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.
Thanks a lot!
--
/ daniel.haxx.se
Received on 2021-07-21
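The lookup order described in VULNERABILITY (file wins) and the fixed order from INFO and THE SOLUTION (keychain first, file names need a slash), as an added example that is not curl's own code: a model of the resolution over a constructed keychain and file system, plus an application-side check for ambiguous `CURLOPT_SSLCERT` values and a check of the affected version range. `keychain_has`, `file_exists` and the "MyClientCert" scenario are constructed stand-ins, not real lookups.

```c
/* Added example, not curl's code: models how a CURLOPT_SSLCERT value is
 * resolved by the Secure Transport backend before and after the fix for
 * CVE-2021-22926. The lookups below are constructed stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum cert_source { CERT_NONE, CERT_KEYCHAIN, CERT_FILE };

/* Constructed scenario: the app's identity is in the keychain as
 * "MyClientCert", and another user has planted a file of the same name in
 * the writable current working directory. */
static bool keychain_has(const char *name) {
    return strcmp(name, "MyClientCert") == 0;
}
static bool file_exists(const char *path) {
    return strcmp(path, "MyClientCert") == 0 ||
           strcmp(path, "/etc/app/client.pem") == 0;
}

/* Order in curl 7.33.0 - 7.77.0: an existing file always wins. */
enum cert_source resolve_vulnerable(const char *cert) {
    if (file_exists(cert)) return CERT_FILE;
    if (keychain_has(cert)) return CERT_KEYCHAIN;
    return CERT_NONE;
}

/* Order in curl 7.78.0: keychain first, and a value is only treated as a
 * file name if it contains at least one slash. */
enum cert_source resolve_fixed(const char *cert) {
    if (keychain_has(cert)) return CERT_KEYCHAIN;
    if (strchr(cert, '/') != NULL && file_exists(cert)) return CERT_FILE;
    return CERT_NONE;
}

/* Application-side check: a value without a slash is ambiguous on affected
 * versions, because it is tried as a file relative to the cwd first. */
bool sslcert_is_ambiguous(const char *cert) {
    return strchr(cert, '/') == NULL;
}

/* True if a "major.minor.patch" curl version string falls in the affected
 * range 7.33.0 <= v <= 7.77.0. Returns false for unparsable input. */
bool curl_version_affected(const char *version) {
    int maj, mnr, pat;
    if (sscanf(version, "%d.%d.%d", &maj, &mnr, &pat) != 3) return false;
    long v = (long)maj * 1000000L + mnr * 1000L + pat;
    return v >= 7033000L && v <= 7077000L;
}
```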