[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [SECURITY ADVISORY] curl: FTP-KRB bad message verification
From: Daniel Stenberg <daniel () haxx ! se>
Date: 2022-06-27 6:21:14
Message-ID: 76n529n8-qppo-10o7-4s28-1s26009n30 () unkk ! fr
[Download RAW message or body]
CVE-2022-32208: FTP-KRB bad message verification
================================================
Project curl Security Advisory, June 27th 2022 -
[Permalink](https://curl.se/docs/CVE-2022-32208.html)
VULNERABILITY
-------------
When curl does FTP transfers secured by krb5, it handles message verification
failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack
to go unnoticed and even allows it to inject data to the client.
We are not aware of any exploit of this flaw.
INFO
----
CVE-2022-32208 was introduced in [commit
54967d2a3a](https://github.com/curl/curl/commit/54967d2a3a), shipped
in curl 7.16.4.
This flaw typically makes curl insert `599 ` (+ terminating null) into the
data where it detects the error, then the attackers data. It forces the
attacker to be somewhat creative to handle this initial hard-coded 5 byte
sequence of "junk".
FTP-KRB is a rarely used feature.
CWE-924: Improper Enforcement of Message Integrity During Transmission in a
Communication Channel
Severity: Low
AFFECTED VERSIONS
-----------------
- Affected versions: curl 7.16.4 to and including 7.83.1
- Not affected versions: curl < 7.16.4 and curl >= 7.84.0
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
------------
A [fix for CVE-2022-32208](https://github.com/curl/curl/commit/6ecdf5136b52af7)
RECOMMENDATIONS
--------------
A - Upgrade curl to version 7.84.0
B - Apply the patch to your local version
C - Do not use KRB-FTP
TIMELINE
--------
This issue was reported to the curl project on June 2, 2022. We contacted
distros@openwall on June 20.
libcurl 7.84.0 was released on June 27 2022, coordinated with the publication
of this advisory.
CREDITS
-------
This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.
Thanks a lot!
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://curl.se/support.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic