Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2193 FreeBSD - curl -- multiple vulnerabilities 25 June 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: curl Publisher: FreeBSD Operating System: FreeBSD Impact/Access: Access Confidential Data -- Remote/Unauthenticated Modify Arbitrary Files -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-8177 CVE-2020-8169 Original Bulletin: http://www.vuxml.org/freebsd/6bff5ca6-b61a-11ea-aef4-08002728f74c.html - --------------------------BEGIN INCLUDED TEXT-------------------- FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection curl -- multiple vulnerabilities Affected packages 7.20.0 <= curl < 7.71.0 Details VuXML ID 6bff5ca6-b61a-11ea-aef4-08002728f74c Discovery 2020-06-24 Entry 2020-06-24 curl security problems: CVE-2020-8169: Partial password leak over DNS on HTTP redirect libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s). libcurl can be given a username and password for HTTP authentication when requesting an HTTP resource - used for HTTP Authentication such as Basic, Digest, NTLM and similar. The credentials are set, either together with CURLOPT_USERPWD or separately with CURLOPT_USERNAME and CURLOPT_PASSWORD. Important detail: these strings are given to libcurl as plain C strings and they are not supposed to be URL encoded. In addition, libcurl also allows the credentials to be set in the URL, using the standard RFC 3986 format: http://user:password@host/path. In this case, the name and password are URL encoded as that's how they appear in URLs. If the options are set, they override the credentials set in the URL. Internally, this is handled by storing the credentials in the "URL object" so that there is only a single set of credentials stored associated with this single URL. When libcurl handles a relative redirect (as opposed to an absolute URL redirect) for an HTTP transfer, the server is only sending a new path to the client and that path is applied on to the existing URL. That "applying" of the relative path on top of an absolute URL is done by libcurl first generating a full absolute URL out of all the components it has, then it applies the redirect and finally it deconstructs the URL again into its separate components. This security vulnerability originates in the fact that curl did not correctly URL encode the credential data when set using one of the curl_easy_setopt options described above. This made curl generate a badly formatted full URL when it would do a redirect and the final re-parsing of the URL would then go bad and wrongly consider a part of the password field to belong to the host name. The wrong host name would then be used in a name resolve lookup, potentially leaking the host name + partial password in clear text over the network (if plain DNS was used) and in particular to the used DNS server (s). CVE-2020-8177: curl overwrite local file with -J curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--include) in the same command line. The command line tool offers the -J option that saves a remote file using the file name present in the Content-Disposition: response header. curl then refuses to overwrite an existing local file using the same name, if one already exists in the current directory. The -J flag is designed to save a response body, and so it doesn't work together with -i and there's logic that forbids it. However, the check is flawed and doesn't properly check for when the options are used in the reversed order: first using -J and then -i were mistakenly accepted. The result of this mistake was that incoming HTTP headers could overwrite a local file if one existed, as the check to avoid the local file was done first when body data was received, and due to the mistake mentioned above, it could already have received and saved headers by that time. The saved file would only get response headers added to it, as it would abort the saving when the first body byte arrives. A malicious server could however still be made to send back virtually anything as headers and curl would save them like this, until the first CRLF-CRLF sequence appears. (Also note that -J needs to be used in combination with -O to have any effect.) https://curl.haxx.se/docs/security.html References CVE Name CVE-2020-8169 CVE Name CVE-2020-8177 URL https://curl.haxx.se/docs/CVE-2020-8169.html URL https://curl.haxx.se/docs/CVE-2020-8177.html URL https://curl.haxx.se/docs/security.html - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXvPak+NLKJtyKPYoAQjRNhAAjBLrakAURXT+5JrkPYlwZzeja13G1/ol cvKLFwtC0KssTEaHpKgSvVNizMKih5O4cEL36/OBTHOw+pF5GoDgk0Ei6EgIJGRr nD+19Uic6FQk/H3pFafLxQofiTxzFsAHoeYs2Uj45/cNtKnPs04xCvrjLgUgu0y2 dzYbYLnBYYSQIZcLrJWo/zRmqi/Ud4a6A3PVuHS+bKx7smGsgI6DaKAuAz5NNQ1r 7fBqQ6pGm04Iunfxeo0vmu2XwjDW+mT6LGlkLwnU2gBEou6jU2jf6i0NqhA0RvXy gQKAuzLO/qYpk6nu/mUXlqxvc++orxx1hJWRguIlClUzeu/HmasT1p9+nBf3JUcg GD+JdOXEqVPURHPZ2d/rvrf+sdTYfOypy6p55LtUUb7oFzKp9YhNyx0wsbuYl9I/ GnnHFPaD7BkIH38TsakiPs8B57F3mzfjaV2XA2iYXq/uHI8dpfyXX/YkT8gR06wt uRdvNAyL5cMvflXtmf48kw8avL5w+PcEOChmGGPYCUUIF0maeWFFPnD0CAL34IuZ 4ymXVq2dJcCub9R4af4umaaZ6UWwAjZNCYyhxbxughnCg8EDlR2+lBU6Qt7uOrfo 87p3OoagcJHExFaWoQGAEXavZOMblR4C8bNJNTrEZWw8oMM4tYn7M8nKBIAuxwVF yzmCl5bw2Jw= =GJFc -----END PGP SIGNATURE-----