Project curl Security Advisory, May 26th 2021
libcurl can be tricked into using already freed memory when a new TLS session is negotiated or a client certificate is requested on an existing connection. For example, this can happen when a TLS server requests a client certificate on a connection that was established without one. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client.
OpenSSL can declare a "new session" for different reasons, including the initial TLS handshake completion, TLS 1.2 (or earlier) renegotiation, or TLS 1.3 client certificate requests. When libcurl at runtime sets up support for session ID caching on a connection using OpenSSL, it stores a pointer to the transfer's in-memory object for later retrieval when OpenSSL considers a new session to be established.
However, if the connection is used by multiple transfers (as with a reused HTTP/1.1 connection or a multiplexed HTTP/2 connection), that first transfer object might be freed before the new session is established on that connection, and the callback then accesses a memory buffer that might already be freed. When using that memory, libcurl might even call a function pointer stored in the object, making remote code execution possible if the server could somehow get crafted memory contents into the right place in memory.
The flaw can only happen in libcurl built to use OpenSSL (or one of its forks).
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22901 to this issue.
CWE-416: Use After Free
Severity: High
The flaw requires all of these conditions:

- libcurl built to use OpenSSL (BoringSSL and libressl work the same)
- A multi interface using application
- One of the following:
  - create and use a first easy handle to do HTTP/1.1 over TLS to a malicious server
  - free that easy handle with curl_easy_cleanup()
  - create and use a second easy handle to do HTTP/1.1 over TLS to the same server such that the TLS connection is reused
  or
  - more than one concurrent easy handle created that do HTTP/2 over a TLS connection to a malicious server
  - the first easy handle to use the connection must be freed with curl_easy_cleanup()
  - at least one easy handle remaining in use of the same connection
- The attacking server needs to figure out heap address details in order to know what payload contents to provide
- The necessary exact memory address in the heap gets populated by memory contents controlled by the server
- The attacker starts a new handshake (on TLS 1.2 or earlier), or sends a TLS 1.3 client certificate request, or otherwise triggers OpenSSL to consider a new session to be established
For a remote code execution, the client needs to perform (potentially many) more transfers (and thus have more easy handles) to allow the server to place crafted contents into heap memory. Short of remote code execution, the client could crash or otherwise experience undefined behavior.
Also note that libcurl is used by many applications, and is not always advertised as such.
When the transfer is detached from the connection, it clears the association to it from the session ID cache logic.
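As an added illustration of the mechanism described above and of the fix, the following C model is not libcurl's code: the struct and function names (`struct transfer`, `struct connection`, `ssl_setup`, `detach_transfer_*`, `reuse_connection_*`, `new_session_event`, `replay`) are hypothetical. It replays the HTTP/1.1 connection-reuse sequence from the conditions list (first handle sets up TLS and is freed, second handle reuses the connection, the server then triggers a new session) once with the pre-fix behaviour, where the connection keeps pointing at the freed transfer, and once with the fixed behaviour, where detaching clears the association and the live transfer handles the event. The stale pointer is only compared, never dereferenced, so the program is well defined while still showing where the use-after-free would occur.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model of the advisory's pattern (not libcurl code).
 * A connection remembers which transfer set up TLS session caching, and the
 * TLS library later reports "new session" events against that pointer. */

struct transfer {
    int id;
    int sessions_seen;
    /* a function pointer inside the object, as the advisory describes */
    int (*on_new_session)(struct transfer *t);
};

struct connection {
    struct transfer *session_owner;   /* transfer registered for session events */
};

static int count_session(struct transfer *t)
{
    t->sessions_seen++;
    return t->id;
}

/* First use of a connection: TLS is set up and the transfer is recorded. */
void ssl_setup(struct connection *c, struct transfer *t)
{
    c->session_owner = t;
}

/* Before the fix: a transfer reusing the connection does not re-associate,
 * and a transfer that is cleaned up leaves its pointer behind. */
void reuse_connection_vulnerable(struct connection *c, struct transfer *t)
{
    (void)c; (void)t;
}
void detach_transfer_vulnerable(struct connection *c, struct transfer *t)
{
    (void)c; (void)t;
}

/* After the fix: the current transfer is associated whenever it uses the
 * connection, and detaching clears the association, so a freed transfer is
 * never reachable from the session callback. */
void reuse_connection_fixed(struct connection *c, struct transfer *t)
{
    c->session_owner = t;
}
void detach_transfer_fixed(struct connection *c, struct transfer *t)
{
    if (c->session_owner == t)
        c->session_owner = NULL;
}

/* The TLS library announces a new session on the connection. Returns the id
 * of the transfer that handled it, or 0 when no transfer is attached. */
int new_session_event(struct connection *c)
{
    if (!c->session_owner)
        return 0;
    return c->session_owner->on_new_session(c->session_owner);
}

/* Returns the id of the transfer that handled the new session (2 with the
 * fix), or -1 when the connection still points at the freed transfer, i.e.
 * the event would have run through freed memory. */
int replay(int use_fix)
{
    struct connection conn = { NULL };
    struct transfer *t1 = calloc(1, sizeof *t1);   /* first easy handle */
    struct transfer t2 = { 2, 0, count_session };   /* second easy handle */
    int stale;

    if (!t1)
        return -2;
    t1->id = 1;
    t1->on_new_session = count_session;

    ssl_setup(&conn, t1);                            /* TLS handshake, caching on */
    if (use_fix) {
        detach_transfer_fixed(&conn, t1);            /* curl_easy_cleanup(handle 1) */
        reuse_connection_fixed(&conn, &t2);          /* handle 2 reuses connection */
    } else {
        detach_transfer_vulnerable(&conn, t1);
        reuse_connection_vulnerable(&conn, &t2);
    }
    stale = (conn.session_owner == t1);              /* compared before the free */
    free(t1);

    if (stale)
        return -1;                                   /* would call through freed memory */
    return new_session_event(&conn);                 /* server triggers a new session */
}

int main(void)
{
    printf("without fix: %d\n", replay(0));   /* -1: stale transfer pointer */
    printf("with fix:    %d\n", replay(1));   /*  2: live transfer handles it */
    return 0;
}
```

The defensive point is the pair `detach_transfer_fixed` / `reuse_connection_fixed`: any callback context that stores a pointer to an object with a shorter lifetime than the connection must be cleared when that object goes away and refreshed when a new owner takes over, which is exactly what the advisory's one-sentence description of the fix says.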
A - Upgrade curl to version 7.77.0
B - Apply the patch to your local version
C - Build libcurl to use another TLS backend
This issue was reported to the curl project on April 29, 2021.
This advisory was posted on May 26, 2021.
Thanks a lot!