
curl official site security update (2021-09-15)

Source: curl official site  Published: 2021-09-15  Views: 7791  Comments: 0

Basic information

Release date: 2021-09-15 (official local time)

Update type: security update

Update version: unknown

Detected at: 2021-09-15 14:47:03

Risk level: medium

Intelligence contributed by: TSRC

Update title

STARTTLS protocol injection via MITM

Update details

Project curl Security Advisory, September 15th 2021
VULNERABILITY
When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple "pipelined" responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got before the TLS handshake as if they were authenticated.
This flaw allows a man-in-the-middle attacker to first inject fake responses and then pass through the TLS traffic from the legitimate server, tricking curl into returning data to the user as if the injected data had come from the TLS-protected server.
Over POP3 and IMAP an attacker can inject fake response data.
We are not aware of any case of this flaw having been exploited in the wild.
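To make the mechanism in the advisory concrete, here is an added illustration (not curl's code, and not from the curl project) that models a POP3-style client's read cache across the STLS upgrade. The `flush_on_upgrade` switch is a hypothetical parameter of this model: `False` keeps whatever was queued before the handshake and later serves it as if it were TLS-protected (the class of defect described above), while `True` discards the queue when TLS is enabled (the corrected behaviour). The sample traffic is constructed; the `extraneous_pre_tls_lines` helper is an audit check showing the exact condition the fix guards against.

```python
# Added illustration (not curl's code): a minimal model of a POP3 client's
# read cache around the STLS (STARTTLS) upgrade. The "flush_on_upgrade"
# switch is hypothetical: False keeps pre-handshake responses queued and
# later treats them as TLS-protected (the CVE-2021-22947 defect class);
# True discards the queue when TLS is enabled (the corrected behaviour).
from typing import List, Tuple

CRLF = b"\r\n"


def pop_line(buf: bytes) -> Tuple[bytes, bytes]:
    """Split one CRLF-terminated response line off the front of buf.
    Returns (line_without_crlf, remaining_bytes)."""
    idx = buf.find(CRLF)
    if idx < 0:
        return buf, b""
    return buf[:idx], buf[idx + len(CRLF):]


def run_startls_session(cleartext_bytes: bytes, tls_bytes: bytes,
                        flush_on_upgrade: bool) -> List[Tuple[bytes, bool]]:
    """Simulate what the client sees across a STARTTLS upgrade.

    cleartext_bytes: everything delivered in the clear in reply to STLS;
                     a conforming server sends exactly one line here.
    tls_bytes:       what the genuine server sends inside the TLS channel.
    Returns a list of (response_line, client_believes_tls_protected).
    """
    cache = cleartext_bytes   # bytes read from the socket, not yet consumed
    tls_active = False
    seen: List[Tuple[bytes, bool]] = []

    # 1. Consume the reply to STLS from the cleartext cache.
    line, cache = pop_line(cache)
    seen.append((line, tls_active))
    if not line.startswith(b"+OK"):
        return seen   # server declined TLS; nothing is upgraded

    # 2. Perform the handshake (modelled here as a flag flip).
    tls_active = True
    if flush_on_upgrade:
        # Fix: anything still queued arrived before the handshake and
        # carries no integrity protection, so it must not be reused.
        cache = b""

    # 3. Decrypted TLS data lands in the same cache and is read in order,
    #    so any leftover cleartext lines would be served first.
    cache += tls_bytes
    while cache:
        line, cache = pop_line(cache)
        seen.append((line, tls_active))
    return seen


def extraneous_pre_tls_lines(cleartext_bytes: bytes) -> List[bytes]:
    """Audit helper: return any lines queued behind the STLS reply.
    A non-empty result is exactly the condition the fix guards against."""
    _first, rest = pop_line(cleartext_bytes)
    extra: List[bytes] = []
    while rest:
        line, rest = pop_line(rest)
        extra.append(line)
    return extra


if __name__ == "__main__":
    # Constructed sample traffic: the STLS reply followed by one extra
    # pipelined line in the clear, then a genuine response inside TLS.
    PRE_TLS = b"+OK Begin TLS negotiation\r\n+OK 0 0\r\n"
    IN_TLS = b"+OK 2 1024\r\n"
    for flush in (False, True):
        print("flush_on_upgrade =", flush)
        for line, protected in run_startls_session(PRE_TLS, IN_TLS, flush):
            print("  tls=%-5s %r" % (protected, line))
    print("extraneous pre-TLS lines:", extraneous_pre_tls_lines(PRE_TLS))
```

Running the block prints both variants side by side: without the flush, the cleartext `+OK 0 0` line is reported with `tls=True`, which is the trust confusion the advisory describes; with the flush, only the line actually received inside TLS is reported as protected.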
INFO
This flaw was first introduced in commit ec3bb8f727405.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22947 to this issue.
CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
Severity: Medium
AFFECTED VERSIONS
Affected versions: curl 7.20.0 to and including 7.78.0
Not affected versions: curl < 7.20.0 and curl >= 7.79.0
Also note that libcurl is used by many applications, and not always advertised as such.
THE SOLUTION
A fix for CVE-2021-22947
RECOMMENDATIONS
A - Upgrade curl to version 7.79.0
B - Apply the patch to your local version
C - Do not use IMAP, POP3, SMTP or FTP with explicit TLS
TIMELINE
This issue was reported to the curl project on September 7, 2021.
This advisory was posted on September 15, 2021.
CREDITS
This issue was reported and patched by Patrick Monnerat.
Thanks a lot!

Software description

cURL is a command-line file transfer tool that works with URL syntax, first released in 1997. It supports both uploading and downloading files, so it is a general-purpose transfer tool, but by tradition cURL is habitually called a download tool.

CVE number

CVE-2021-22947

TSRC analysis

None yet

Industry news

None yet
