Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO Web Site Info
Protocols
alt-svc CA Extract HSTS HTTP cookies HTTP/2 HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Nums Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / wrong connect-only connection
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Original report
Vulnerability Disclosure
Vulnerabilities Table
Awarded 500 USD

CVE-2020-8231

wrong connect-only connection

Project curl Security Advisory, August 19th 2020 - Permalink

VULNERABILITY

An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection - and instead pick another one the application has created since then.

CURLOPT_CONNECT_ONLY is the option to tell libcurl to not perform an actual transfer, only connect. When that operation is completed, libcurl remembers which connection it used for that transfer and "easy handle". It remembers the connection using a pointer to the internal connectdata struct in memory.

If more transfers are then done with the same multi handle before the connect-only connection is used, leading to the initial connect-only connection to get closed (for example due to idle time-out) while also new transfers (and connections) are setup, such a new connection might end up getting the exact same memory address as the now closed connect-only connection.

If after those operations, the application then wants to use the original transfer's connect-only setup to for example use curl_easy_send() to send raw data over that connection, libcurl could erroneously find an existing connection still being alive at the address it remembered since before even though this is now a new and different connection.

The application could then accidentally send data over that connection which wasn't at all intended for that recipient, entirely unknowingly.

INFO

This flaw cannot trigger for users of the curl tool but only for applications using libcurl and the CURLOPT_CONNECT_ONLY option.

The flaw only happens if the exact same memory address is re-used again for the new connection as for the original connect-only connection.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2020-8231 to this issue.

CWE-825: Expired Pointer Dereference

Severity: Low

AFFECTED VERSIONS

SOLUTION

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl to version 7.72.0

B - Apply the patch on your curl version and rebuild

C - Do not use CURLOPT_CONNECT_ONLY

TIMELINE

This issue was first reported to the curl project on July 31, 2020.

This advisory was posted on August 19th 2020.

CREDITS

Thanks a lot!