cURL / Mailing Lists / curl-users / Single Mail

curl-users

[SECURITY ADVISORY] Re-using authenticated connection when unauthenticated

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 22 Apr 2015 08:07:49 +0200 (CEST)

Re-using authenticated connection when unauthenticated
======================================================

Project cURL Security Advisory, April 22nd 2015 -
[Permalink](http://curl.haxx.se/docs/adv_20150422A.html)

VULNERABILITY
-------------

libcurl keeps a pool of its last few connections around after use to
fascilitate easy, conventient and completely transparent connection re-use for
applications.

When doing HTTP requests NTLM authenticated, the entire connnection becomes
authenticated and not just the specific HTTP request which is otherwise how
HTTP works. This makes NTLM special and a subject for special treatment in the
code. With NTLM, once the connection is authenticated, no further
authentication is necessary until the connection gets closed.

libcurl's connection re-use logic will select an existing connection for
re-use when asked to do a request, and when asked to use NTLM libcurl have to
pick a connection with matching credentials only.

If a connection was first setup and used for an NTLM HTTP request with a
specific set of credentials, that same connection could later wrongly get
re-used in a subsequent HTTP request that was made to the same host - but
without having any credentials set! Since an NTLM connection was already
authenticated due to how NTLM works, the subsequent request could then get
sent over the wrong connection appearing as the initial user.

This problem is very similar to the previous problem known as
[CVE-2014-0015](http://curl.haxx.se/docs/adv_20140129.html). The main
difference this time is that the subsequent request that wrongly re-use a
connection doesn't ask for NTLM authentication.

We are not aware of any exploits of this flaw.

INFO

----
This flaw can also affect the curl command line tool if a similar operation
series is made with that.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2015-3143 to this issue.
AFFECTED VERSIONS
-----------------
- Affected versions: from libcurl 7.10.6 to and including 7.41.0
- Not affected versions: libcurl >= 7.42.0
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
------------
libcurl 7.42.0 makes sure that a connection that is re-used also have to have
a matching set of credentials if it would re-use a connection already using
NTLM.
A patch for this problem is available at:
     http://curl.haxx.se/CVE-2015-3143.patch
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
A - Upgrade to curl and libcurl 7.42.0
B - Apply the patch and rebuild libcurl
C - Avoid using NTLM with libcurl
TIME LINE
---------
It was first reported to the curl project on February 24 2015. We contacted
distros_at_openwall on April 16th.
libcurl 7.42.0 was released on April 22nd 2015, coordinated with the
publication of this advisory.
CREDITS
-------
Reported by Paras Sethia
Thanks a lot!
-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2015-04-22