cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: SECURITY VULNERABILITY: inappropriate GSSAPI delegation

From: Rob Crittenden <rcritten_at_redhat.com>
Date: Thu, 07 Jul 2011 15:14:15 -0400

Daniel Stenberg wrote:
> libcurl inappropriate GSSAPI delegation
> =======================================
>
> Project cURL Security Advisory, June 23rd 2011
> http://curl.haxx.se/docs/security.html
>
> 1. VULNERABILITY
>
> When doing GSSAPI authentication, libcurl unconditionally performs
> credential delegation. This hands the server a copy of the client's
> security
> credentials, allowing the server to impersonate the client to any other
> using the same GSSAPI mechanism. This is obviously a very sensitive
> operation, which should only be done when the user explicitly so directs.
>
> The GSS/Negotiate feature is only used by libcurl for HTTP
> authentication if
> told to, and only if libcurl was built with a library that provides the
> GSSAPI. Many builds of libcurl don't have GSS enabled.
>
> There is no known exploit for this problem.
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name
> CVE-2011-2192 to this issue.
>
> 2. AFFECTED VERSIONS
>
> Affected versions: curl 7.10.6 to and including 7.21.6
> Not affected versions: curl < 7.10.6 and >= 7.21.7
>
> Also note that libcurl is used by many applications, and not always
> advertised as such.
>
> 3. THE SOLUTION
>
> libcurl 7.21.7 avoids setting the option that selects delegation.
>
> 4. RECOMMENDATIONS
>
> We suggest you take one of the following actions immediately, in order of
> preference:
>
> A - Upgrade to curl and libcurl 7.21.7
>
> B - Apply this patch and rebuild libcurl
>
> http://curl.haxx.se/curl-gssapi-delegation.patch
>
> C - Disable credential forwarding. Assuming the GSSAPI mechanism is
> Kerberos, users can acquire an initial credential (TGT) which is not
> forwardable. On Unix platforms, both the MIT and Heimdal versions of
> kinit use the -F flag for this (note the capital "F"; -f does the
> opposite!). You can also set this as a global default in /etc/krb5.conf
> (or wherever that file lives in a particular installation):
>
> [libdefaults]
> forwardable = no
>
> D - Stop using GSS/Negotiate
>
> 5. TIME LINE
>
> Richard Silverman realized the problem exists and reported it to us on June
> 6th 2011.
>
> We discussed solutions and a first patch was written on June 8th.
>
> curl 7.21.7 was released on June 23rd 2011, coordinated with the
> publication
> of this this flaw.
>
> 6. CREDITS
>
> Reported to us by Richard Silverman. Thanks a lot!
>
> Daniel Stenberg wrote the primary patch and this advisory. Additional
> help and valuable feedback provided by Dan Fandrich and Julien Chaffraix.
>

This completely disables delegation in libcurl. Are there plans to add
an option for this or would you accept a patch to add this? The freeipa
project needs to be able to do delegation in libcurl.

thanks

rob
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2011-07-07