Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2193
FreeBSD - curl -- multiple vulnerabilities
25 June 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: curl
Publisher: FreeBSD
Operating System: FreeBSD
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-8177 CVE-2020-8169
Original Bulletin:
http://www.vuxml.org/freebsd/6bff5ca6-b61a-11ea-aef4-08002728f74c.html
- --------------------------BEGIN INCLUDED TEXT--------------------
FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports
Collection
curl -- multiple vulnerabilities
Affected packages
7.20.0 <= curl < 7.71.0
Details
VuXML ID 6bff5ca6-b61a-11ea-aef4-08002728f74c
Discovery 2020-06-24
Entry 2020-06-24
curl security problems:
CVE-2020-8169: Partial password leak over DNS on HTTP redirect
libcurl can be tricked to prepend a part of the password to the host name
before it resolves it, potentially leaking the partial password over the
network and to the DNS server(s).
libcurl can be given a username and password for HTTP authentication when
requesting an HTTP resource - used for HTTP Authentication such as Basic,
Digest, NTLM and similar. The credentials are set, either together with
CURLOPT_USERPWD or separately with CURLOPT_USERNAME and CURLOPT_PASSWORD.
Important detail: these strings are given to libcurl as plain C strings and
they are not supposed to be URL encoded.
In addition, libcurl also allows the credentials to be set in the URL,
using the standard RFC 3986 format: http://user:password@host/path. In this
case, the name and password are URL encoded as that's how they appear in
URLs.
If the options are set, they override the credentials set in the URL.
Internally, this is handled by storing the credentials in the "URL object"
so that there is only a single set of credentials stored associated with
this single URL.
When libcurl handles a relative redirect (as opposed to an absolute URL
redirect) for an HTTP transfer, the server is only sending a new path to
the client and that path is applied on to the existing URL. That "applying"
of the relative path on top of an absolute URL is done by libcurl first
generating a full absolute URL out of all the components it has, then it
applies the redirect and finally it deconstructs the URL again into its
separate components.
This security vulnerability originates in the fact that curl did not
correctly URL encode the credential data when set using one of the
curl_easy_setopt options described above. This made curl generate a badly
formatted full URL when it would do a redirect and the final re-parsing of
the URL would then go bad and wrongly consider a part of the password field
to belong to the host name.
The wrong host name would then be used in a name resolve lookup,
potentially leaking the host name + partial password in clear text over the
network (if plain DNS was used) and in particular to the used DNS server
(s).
CVE-2020-8177: curl overwrite local file with -J
curl can be tricked by a malicious server to overwrite a local file when
using -J (--remote-header-name) and -i (--include) in the same command
line.
The command line tool offers the -J option that saves a remote file using
the file name present in the Content-Disposition: response header. curl
then refuses to overwrite an existing local file using the same name, if
one already exists in the current directory.
The -J flag is designed to save a response body, and so it doesn't work
together with -i and there's logic that forbids it. However, the check is
flawed and doesn't properly check for when the options are used in the
reversed order: first using -J and then -i were mistakenly accepted.
The result of this mistake was that incoming HTTP headers could overwrite a
local file if one existed, as the check to avoid the local file was done
first when body data was received, and due to the mistake mentioned above,
it could already have received and saved headers by that time.
The saved file would only get response headers added to it, as it would
abort the saving when the first body byte arrives. A malicious server could
however still be made to send back virtually anything as headers and curl
would save them like this, until the first CRLF-CRLF sequence appears.
(Also note that -J needs to be used in combination with -O to have any
effect.)
https://curl.haxx.se/docs/security.html
References
CVE Name CVE-2020-8169
CVE Name CVE-2020-8177
URL https://curl.haxx.se/docs/CVE-2020-8169.html
URL https://curl.haxx.se/docs/CVE-2020-8177.html
URL https://curl.haxx.se/docs/security.html
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXvPak+NLKJtyKPYoAQjRNhAAjBLrakAURXT+5JrkPYlwZzeja13G1/ol
cvKLFwtC0KssTEaHpKgSvVNizMKih5O4cEL36/OBTHOw+pF5GoDgk0Ei6EgIJGRr
nD+19Uic6FQk/H3pFafLxQofiTxzFsAHoeYs2Uj45/cNtKnPs04xCvrjLgUgu0y2
dzYbYLnBYYSQIZcLrJWo/zRmqi/Ud4a6A3PVuHS+bKx7smGsgI6DaKAuAz5NNQ1r
7fBqQ6pGm04Iunfxeo0vmu2XwjDW+mT6LGlkLwnU2gBEou6jU2jf6i0NqhA0RvXy
gQKAuzLO/qYpk6nu/mUXlqxvc++orxx1hJWRguIlClUzeu/HmasT1p9+nBf3JUcg
GD+JdOXEqVPURHPZ2d/rvrf+sdTYfOypy6p55LtUUb7oFzKp9YhNyx0wsbuYl9I/
GnnHFPaD7BkIH38TsakiPs8B57F3mzfjaV2XA2iYXq/uHI8dpfyXX/YkT8gR06wt
uRdvNAyL5cMvflXtmf48kw8avL5w+PcEOChmGGPYCUUIF0maeWFFPnD0CAL34IuZ
4ymXVq2dJcCub9R4af4umaaZ6UWwAjZNCYyhxbxughnCg8EDlR2+lBU6Qt7uOrfo
87p3OoagcJHExFaWoQGAEXavZOMblR4C8bNJNTrEZWw8oMM4tYn7M8nKBIAuxwVF
yzmCl5bw2Jw=
=GJFc
-----END PGP SIGNATURE-----