[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] [SECURITY ADVISORY] curl: HSTS bypass via trailing dot
From:       Daniel Stenberg <daniel () haxx ! se>
Date:       2022-05-11 6:42:11
Message-ID: q8n331np-1qo6-o367-n636-o5q33o0o29 () unkk ! fr
[Download RAW message or body]

HSTS bypass via trailing dot
============================

Project curl Security Advisory, May 11 2022 -
[Permalink](https://curl.se/docs/CVE-2022-30115.html)

VULNERABILITY
-------------

curl's HSTS check could be bypassed to trick it to keep using HTTP.

Using its HSTS support, curl can be instructed to use HTTPS directly instead
of using an insecure clear-text HTTP step even when HTTP is provided in the
URL. This mechanism could be bypassed if the host name in the given URL used a
trailing dot while not using one when it built the HSTS cache. Or the other
way around - by having the trailing dot in the HSTS cache and *not* using the
trailing dot in the URL.

Since trailing dots in host names are somewhat special, many sites work
equally fine with or without a trailing dot present.

We are not aware of any exploit of this flaw.

INFO
----

This flaw was introduced in [commit
b27ad8e1d3e68e](https://github.com/curl/curl/commit/b27ad8e1d3e68e), shipped
in curl 7.82.0 when the treatment of trailing dot host names was changed.

Similar issues have been raised in the past for
[Firefox](https://www.mozilla.org/en-US/security/advisories/mfsa2015-13/) and
for [Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=461481).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-30115 to this issue.

CWE-319: Cleartext Transmission of Sensitive Information

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.82.0 to and including 7.83.0
- Not affected versions: curl < 7.82.0 and curl >= 7.83.1

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

A [fix for CVE-2022-30115](https://github.com/curl/curl/commit/fae6fea209a2d4d)

RECOMMENDATIONS
--------------

  A - Upgrade curl to version 7.83.1

  B - Apply the patch to your local version

  C - Stick to always using `HTTPS://` in URLs

TIMELINE
--------

This issue was reported to the curl project on May 3, 2022. We contacted
distros@openwall on May 5.

libcurl 7.83.1 was released on May 11 2022, coordinated with the publication
of this advisory.

CREDITS
-------

This issue was reported by Axel Chong. Patched by Daniel Stenberg.

Thanks a lot!

-- 

  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
[prev in list] [next in list] [prev in thread] [next in thread]