A newly identified security vulnerability (CVE-2023-23915) could expose sensitive information in cleartext when using curl, a widely used command line tool and library for transferring data over the internet. Specifically, this vulnerability affects the HSTS (HTTP Strict Transport Security) functionality of curl when multiple URLs are requested in parallel. This post provides an analysis of this vulnerability, including a code snippet, links to original references, and the details of the exploit.

Vulnerability Details

The vulnerability affects curl versions before 7.88.0, where the HSTS functionality behaves incorrectly under certain conditions. HSTS is designed to skip the initial insecure HTTP request and connect over HTTPS directly, even when the URL uses the HTTP scheme. However, this mechanism can fail when multiple transfers are performed in parallel: the HSTS cache entries learned by one transfer are lost, and sensitive information may then be transmitted in cleartext. As a result, a later transfer to that earlier host name with an HTTP-only URL will *not* be upgraded to HTTPS as HSTS intends.

Code Snippet

The following code snippet demonstrates how the HSTS cache file gets overwritten by the most recent transfer when multiple parallel transfers are performed:

#include <curl/curl.h>
#include <stddef.h>

/* Issue multiple parallel transfers; all of them use the same HSTS cache file */
curl_multi_setopt(multi_handle, CURLMOPT_MAXCONNECTS, 10);
for (size_t i = 0; i < 10; ++i) {
  curl_easy_setopt(curl_handles[i], CURLOPT_URL, urls[i]);
  curl_easy_setopt(curl_handles[i], CURLOPT_HSTS, "hsts.txt");
  curl_multi_add_handle(multi_handle, curl_handles[i]);
}
/* Perform all transfers. curl_multi_perform() returns a CURLMcode (0 on success),
   so drive the loop on the number of still-running transfers, not on its return value */
int running = 0;
do {
  curl_multi_perform(multi_handle, &running);
  curl_multi_wait(multi_handle, NULL, 0, 1000, NULL);
} while (running);
/* Each easy handle writes its own in-memory HSTS cache to the file when it is cleaned up;
   the last writer wins, so entries learned by the other transfers are lost */
for (size_t i = 0; i < 10; ++i) {
  curl_multi_remove_handle(multi_handle, curl_handles[i]);
  curl_easy_cleanup(curl_handles[i]);
}

Exploit Details

The faulty behaviour is triggered whenever an affected curl version performs multiple URL transfers in parallel with HSTS enabled: the HSTS cache file is overwritten by the last transfer to finish, so a subsequent HTTP-only transfer to a host name seen earlier is not upgraded to HTTPS. An attacker positioned to observe that cleartext request can then intercept and read the sensitive information it carries.

Original References

1. curl's HSTS Support
2. curl Security Advisory - CVE-2023-23915
3. GitHub: curl/curl Issue #xxxx (Link to the specific issue on GitHub, if available)

Mitigation

To mitigate this vulnerability, upgrade to curl 7.88.0 or later, which includes a patched version of the HSTS functionality. The patched version ensures that the HSTS cache file is not overwritten when multiple transfers are performed in parallel, closing this exposure.
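Two checks a defender can run against this issue, as an added example that is not part of the original post: a version test against the 7.88.0 threshold stated above, and a parser for curl's HSTS cache file (one entry per line, `[.]host "YYYYMMDD HH:MM:SS"`, a leading dot marking includeSubDomains, `#` lines as comments) that reports which expected hosts are missing after a parallel run. The host names and the sample cache file are constructed for the demonstration; the version strings are the ones `curl --version` prints.

```shell
#!/bin/sh
# Added example (not from the original post or the curl project).

# Returns 0 (true) when the given curl version string predates the 7.88.0 fix.
curl_hsts_affected() {
  # $1: version such as "7.87.0", as printed by `curl --version`
  echo "$1" | awk -F. '{
    major = $1 + 0; minor = $2 + 0
    exit !(major < 7 || (major == 7 && minor < 88))
  }'
}

# Prints every host from the argument list that has no entry in the HSTS cache file.
# Cache layout (curl's hsts.txt): "[.]host \"YYYYMMDD HH:MM:SS\"" per line; '#' lines are comments.
hsts_missing_hosts() {
  file="$1"; shift
  for host in "$@"; do
    awk -v h="$host" '
      /^#/ || NF == 0 { next }
      { name = $1; sub(/^\./, "", name); if (name == h) found = 1 }
      END { exit !found }' "$file" || echo "$host"
  done
}

# Constructed sample cache: only the host learned by the last parallel transfer survived,
# which is the symptom described in the post.
sample_hsts_file() {
  f="${TMPDIR:-/tmp}/hsts-sample-$$.txt"
  cat > "$f" <<'EOF'
# constructed sample in curl's hsts.txt layout
.last-host.example "20240101 00:00:00"
EOF
  echo "$f"
}

# Demonstration
if curl_hsts_affected "7.87.0"; then
  echo "curl 7.87.0: affected by CVE-2023-23915, upgrade to 7.88.0 or later"
fi
sample="$(sample_hsts_file)"
echo "hosts missing from HSTS cache after the parallel run:"
hsts_missing_hosts "$sample" first-host.example last-host.example
rm -f "$sample"
```

Run the second check against the real cache file (the path given to `--hsts` or `CURLOPT_HSTS`) with the list of hosts that sent a `Strict-Transport-Security` header during the parallel run; any host it prints would be contacted over plain HTTP on the next HTTP-scheme request.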

Conclusion

CVE-2023-23915 is a serious vulnerability that could lead to the cleartext transmission of sensitive information when using curl. It is crucial that users upgrade to the latest version of curl to mitigate this vulnerability and protect their sensitive data. By staying informed and taking the necessary precautions, we can all help promote better internet security practices.

Timeline

Published on: 02/23/2023 20:15:00 UTC
Last modified on: 03/09/2023 19:15:00 UTC