CVE-2022-27775 - Information Disclosure Vulnerability in Curl: Reusing Connections with Different IPv6 Zone IDs

The CVE-2022-27775 exposes an information disclosure vulnerability in curl, specifically in versions 7.65. to 7.82.. If exploited, this vulnerability allows an attacker to reuse connections in the connection pool that have different IPv6 zone IDs. As a result, sensitive information may be leaked to unauthorized parties. This post will provide details about the exploit, including some code snippets, and links to original references.

Exploit Details

Curl is one of the most widely used command-line tools and libraries for transferring data over various protocols. In versions 7.65. to 7.82., curl incorrectly reuses connections when handling IPv6 addresses with different zone IDs in the connection pool. The connection reuse leads to potential information disclosure as curl might send data intended for one connection to another unauthorized one.

The issue is particularly relevant for systems that rely on IPv6 scoped addresses, such as link-local addresses, with specified zone IDs. When curl processes these IPv6 addresses, it fails to distinguish between connections with different zone IDs, causing potential information leakage.

The following code snippet demonstrates an incorrect connection reuse for IPv6 addresses

/* CVE-2022-27775: curl connection reuse bug for IPv6 with different zone IDs */
CURL *curl_handle_1, *curl_handle_2;
CURLcode result;
curl_global_init(CURL_GLOBAL_DEFAULT);
curl_handle_1 = curl_easy_init();
curl_handle_2 = curl_easy_init();
if(curl_handle_1 && curl_handle_2) {
  curl_easy_setopt(curl_handle_1, CURLOPT_URL, "https://[fe80::1%25en]/";);
  curl_easy_setopt(curl_handle_2, CURLOPT_URL, "https://[fe80::1%25en1]/";);
  result = curl_easy_perform(curl_handle_1);
  if(result != CURLE_OK)
    fprintf(stderr, "Curl 1 error: %s\n", curl_easy_strerror(result));
  result = curl_easy_perform(curl_handle_2);
  if(result != CURLE_OK)
    fprintf(stderr, "Curl 2 error: %s\n", curl_easy_strerror(result));
  curl_easy_cleanup(curl_handle_1);
  curl_easy_cleanup(curl_handle_2);
}
curl_global_cleanup();

In this example, the code creates two curl handles pointing to the same IPv6 address but with different zone IDs. The vulnerability causes curl to reuse the first connection in the second handle, leading to information disclosure.

Original References and Additional Resources

- CVE Entry for CVE-2022-27775
- Curl Security Advisory
- Curl GitHub Repository

Mitigation / Solution

The curl project has released a patch to address this vulnerability in version 7.83.. Users of affected curl versions are advised to upgrade to the latest version as soon as possible. You can download the latest version of curl from their official website or use your operating system's package manager to update your curl installation.

To minimize the risk of information disclosure in the meantime, users can avoid using IPv6 scoped addresses with different zone IDs in their curl requests. Monitoring network traffic for connection reuse with different IPv6 zone IDs may also be an effective short-term measure for detecting potential exploits in your environment.

Conclusion

The information disclosure vulnerability in curl (CVE-2022-27775) could lead to unauthorized access to sensitive data by reusing connections with different IPv6 zone IDs. Developers and users of curl should be aware of this exploit and follow the recommended steps to mitigate the risk. The provided resources and code snippets should help you understand the issue and the necessary actions for prevention.

Timeline

Published on: 06/02/2022 14:15:00 UTC
Last modified on: 08/02/2022 03:15:00 UTC