CVE-2023-27535: Authentication Bypass Vulnerability in libcurl FTP Connection Reuse May Lead to Unauthorized Access

In the world of web security, a significant vulnerability has been discovered in libcurl, a popular open-source library used for transferring data with URLs. Because this library is a backbone of many web applications and programming-language runtimes, addressing and patching this vulnerability promptly is essential. The vulnerability in question (CVE-2023-27535) is an authentication bypass in the FTP connection reuse feature of libcurl versions prior to 8... It can lead to unauthorized access to sensitive information, because the wrong credentials may be used during subsequent transfers.

To better understand how this vulnerability works, let's first look at the FTP connection reuse feature in libcurl. The library keeps a pool of previously established connections and reuses one of them whenever a new transfer needs a connection whose configuration matches the current transfer's settings. This avoids the overhead of establishing a new connection for every transfer and improves the performance of applications that rely on libcurl.

However, the problem is that certain FTP configuration options, specifically the following, were not included in the checks that decide whether a pooled connection matches the current transfer:

CURLOPT_USE_SSL

As a result of this oversight, connections could match too easily, causing libcurl to use the wrong credentials during a transfer. This is a significant security risk: an attacker could potentially exploit it to bypass authentication and gain unauthorized access to sensitive information.

To demonstrate this vulnerability, consider the following code snippet as an example:

#include <stdio.h>
#include <curl/curl.h>

int main(void) {
  curl_global_init(CURL_GLOBAL_DEFAULT);

  // First transfer: plain FTP, authenticated as username_one. The connection
  // stays in the handle's connection pool after the transfer completes.
  CURL *easyhandle = curl_easy_init();
  if (!easyhandle) {
    curl_global_cleanup();
    return 1;
  }
  curl_easy_setopt(easyhandle, CURLOPT_URL, "ftp://example.com");
  curl_easy_setopt(easyhandle, CURLOPT_USERNAME, "username_one");
  curl_easy_setopt(easyhandle, CURLOPT_PASSWORD, "password_one");
  CURLcode res = curl_easy_perform(easyhandle);
  if (res != CURLE_OK)
    fprintf(stderr, "first transfer failed: %s\n", curl_easy_strerror(res));

  // Second transfer on the same handle with different credentials, an FTP
  // account and a TLS requirement. A vulnerable libcurl does not include
  // these settings in the connection match and may reuse the pooled
  // connection left behind by the first transfer.
  curl_easy_setopt(easyhandle, CURLOPT_USERNAME, "username_two");
  curl_easy_setopt(easyhandle, CURLOPT_PASSWORD, "password_two");
  curl_easy_setopt(easyhandle, CURLOPT_FTP_ACCOUNT, "account_two");
  curl_easy_setopt(easyhandle, CURLOPT_USE_SSL, (long)CURLUSESSL_ALL);
  res = curl_easy_perform(easyhandle);
  if (res != CURLE_OK)
    fprintf(stderr, "second transfer failed: %s\n", curl_easy_strerror(res));

  // Cleanup.
  curl_easy_cleanup(easyhandle);
  curl_global_cleanup();
  return 0;
}

In this example, on a vulnerable libcurl the second transfer can be matched to the connection left in the pool by the first transfer even though its credentials, FTP account and TLS requirement differ; the transfer then proceeds with the wrong credentials and without the TLS setting it asked for, which is the condition an attacker could potentially leverage.
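To make the matching oversight concrete, the following is a simplified model of the connection-pool match, added here as an illustration and not libcurl's own code: the pre-fix matcher ignores the FTP account and the CURLOPT_USE_SSL requirement, the fixed matcher includes them. The struct fields, the `pool_find` helper and the sample pool entry are constructed for this example; real libcurl compares many more connection properties.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of an FTP connection-pool entry (not libcurl's struct). */
typedef struct {
    const char *host;
    int         port;
    const char *user;
    const char *password;
    const char *ftp_account;   /* CURLOPT_FTP_ACCOUNT: sent with ACCT after PASS */
    int         use_ssl;       /* CURLOPT_USE_SSL: 0 = CURLUSESSL_NONE, 3 = CURLUSESSL_ALL */
} ftp_conn;

static bool str_eq(const char *a, const char *b) {
    return strcmp(a ? a : "", b ? b : "") == 0;
}

/* Pre-fix behaviour: the account and the TLS requirement take no part in the
 * match, so a plaintext connection can be handed to a transfer that asked for
 * TLS and a different account. */
bool match_vulnerable(const ftp_conn *have, const ftp_conn *want) {
    return str_eq(have->host, want->host) && have->port == want->port &&
           str_eq(have->user, want->user) && str_eq(have->password, want->password);
}

/* Fixed behaviour: every option that changes the security properties of the
 * session is part of the match, so a mismatch forces a new connection. */
bool match_fixed(const ftp_conn *have, const ftp_conn *want) {
    return match_vulnerable(have, want) &&
           str_eq(have->ftp_account, want->ftp_account) &&
           have->use_ssl == want->use_ssl;
}

/* Return the index of a reusable pooled connection, or -1 to open a new one. */
int pool_find(const ftp_conn *pool, int n, const ftp_conn *want,
              bool (*match)(const ftp_conn *, const ftp_conn *)) {
    for (int i = 0; i < n; i++)
        if (match(&pool[i], want)) return i;
    return -1;
}

int main(void) {
    /* Pool holds one plaintext connection authenticated as username_one. */
    ftp_conn pool[] = { { "example.com", 21, "username_one", "password_one", "", 0 } };
    /* Next transfer asks for an FTP account and CURLUSESSL_ALL. */
    ftp_conn want   =   { "example.com", 21, "username_one", "password_one", "account_two", 3 };
    printf("vulnerable match: %d\n", pool_find(pool, 1, &want, match_vulnerable)); /* 0: reused */
    printf("fixed match:      %d\n", pool_find(pool, 1, &want, match_fixed));      /* -1: new conn */
    return 0;
}
```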

Fortunately, the libcurl team has already addressed this issue in version 8.., so users and developers should update their libcurl installations promptly. The official patch can be found in the following GitHub commit:

https://github.com/curl/curl/commit/XXXX

Additionally, the libcurl team has released detailed information about this vulnerability, including its scope and potential impact, on their website:

https://curl.se/docs/CVE-2023-27535.html

In conclusion, users of libcurl should upgrade to version 8.. or newer as soon as possible, especially those who rely on the library's FTP connection reuse feature, to avoid the risk posed by the CVE-2023-27535 vulnerability. By staying informed and vigilant, developers and users alike can protect their applications and data from harm.

Timeline

Published on: 03/30/2023 20:15:00 UTC
Last modified on: 04/21/2023 23:15:00 UTC