[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] [SECURITY ADVISORY] curl OAUTH2 bearer bypass in connection re-use
From:       Daniel Stenberg <daniel () haxx ! se>
Date:       2022-04-27 6:40:18
Message-ID: nno31819-r6r5-o5q5-53q1-285qn67925p () unkk ! fr
[Download RAW message or body]

OAUTH2 bearer bypass in connection re-use
=========================================

Project curl Security Advisory, April 27th 2022 -
[Permalink](https://curl.se/docs/CVE-2022-22576.html)

VULNERABILITY
-------------

libcurl might reuse OAUTH2-authenticated connections without properly making
sure that the connection was authenticated with the same credentials as set
for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S),
POP3(S) and LDAP(S) (openldap only).

libcurl maintains a pool of live connections after a transfer has completed
(sometimes called the connection cache). This pool of connections is then gone
through when a new transfer is requested and if there is a live connection
available that can be reused, it is preferred instead of creating a new one.

Due to this security vulnerability, a connection that is successfully created
and authenticated with a user name + OAUTH2 bearer could subsequently be
erroneously reused even for user + [other OAUTH2 bearer], even though that
might not even be a valid bearer. This could lead to an authentication bypass,
either by mistake or by a malicious actor.

We are not aware of any exploit of this flaw.

INFO
----

This flaw was introduced in curl in 2013 with the commit series that started
with [19a05c908f7d8b](https://github.com/curl/curl/commit/19a05c908f7d8b).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-22576 to this issue.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.33.0 to and including 7.82.0
- Not affected versions: curl < 7.33.0 and curl >= 7.83.0

Note that libcurl is used by many applications, but not always advertised as
such.

THE SOLUTION
------------

A [fix for CVE-2022-22576](https://github.com/curl/curl/commit/852aa5ad351ea53e5f)

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.83.0

  B - Apply the patch to your version and rebuild

  C - Set the bearer string as password *as well* when using OAUTH2 bearer
      authentication with these protocols.

TIME LINE
---------

It was first reported to the curl project on March 18 2022. We contacted
distros@openwall on April 18.

libcurl 7.83.0 was released on April 27 2022, coordinated with the
publication of this advisory.

CREDITS
-------

Reported and patched by Patrick Monnerat.

Thanks a lot!

-- 

  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
[prev in list] [next in list] [prev in thread] [next in thread]