Re: SECURITY VULNERABILITY: inappropriate GSSAPI delegation
Date: Thu, 07 Jul 2011 15:14:15 -0400
Daniel Stenberg wrote:
> libcurl inappropriate GSSAPI delegation
> Project cURL Security Advisory, June 23rd 2011
> 1. VULNERABILITY
> When doing GSSAPI authentication, libcurl unconditionally performs
> credential delegation. This hands the server a copy of the client's
> credentials, allowing the server to impersonate the client to any other
> using the same GSSAPI mechanism. This is obviously a very sensitive
> operation, which should only be done when the user explicitly so directs.
> The GSS/Negotiate feature is only used by libcurl for HTTP
> authentication if
> told to, and only if libcurl was built with a library that provides the
> GSSAPI. Many builds of libcurl don't have GSS enabled.
> There is no known exploit for this problem.
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> CVE-2011-2192 to this issue.
> 2. AFFECTED VERSIONS
> Affected versions: curl 7.10.6 to and including 7.21.6
> Not affected versions: curl < 7.10.6 and >= 7.21.7
> Also note that libcurl is used by many applications, and not always
> advertised as such.
> 3. THE SOLUTION
> libcurl 7.21.7 avoids setting the option that selects delegation.
> 4. RECOMMENDATIONS
> We suggest you take one of the following actions immediately, in order of
> A - Upgrade to curl and libcurl 7.21.7
> B - Apply this patch and rebuild libcurl
> C - Disable credential forwarding. Assuming the GSSAPI mechanism is
> Kerberos, users can acquire an initial credential (TGT) which is not
> forwardable. On Unix platforms, both the MIT and Heimdal versions of
> kinit use the -F flag for this (note the capital "F"; -f does the
> opposite!). You can also set this as a global default in /etc/krb5.conf
> (or wherever that file lives in a particular installation):
> forwardable = no
> D - Stop using GSS/Negotiate
> 5. TIME LINE
> Richard Silverman realized the problem exists and reported it to us on June
> 6th 2011.
> We discussed solutions and a first patch was written on June 8th.
> curl 7.21.7 was released on June 23rd 2011, coordinated with the
> of this this flaw.
> 6. CREDITS
> Reported to us by Richard Silverman. Thanks a lot!
> Daniel Stenberg wrote the primary patch and this advisory. Additional
> help and valuable feedback provided by Dan Fandrich and Julien Chaffraix.
This completely disables delegation in libcurl. Are there plans to add
an option for this or would you accept a patch to add this? The freeipa
project needs to be able to do delegation in libcurl.
List admin: http://cool.haxx.se/list/listinfo/curl-library
Received on 2011-07-07