CVE-2023-27538 - Authentication Bypass Vulnerability in libcurl affecting SSH Connections

A newly discovered vulnerability in libcurl, a critical library used in numerous applications and appliances, can lead to the reuse of wrong SSH connections, effectively bypassing the intended authentication mechanism. The vulnerability has been designated as CVE-2023-27538, and it affects libcurl versions before v8...

The issue arises when an SSH option has been modified, which should have effectively prevented the reuse of a previously established SSH connection. However, due to an oversight in the configuration check, two SSH settings are omitted, allowing for the unauthorized reuse of an inappropriate connection.

Understanding the vulnerability

libcurl is a component used in a wide range of applications to perform network communications, downloading files, or to manipulate URLs. It is often utilized for the purpose of handling SSH connections, which provide a secure way for accessing and managing remote devices, networks, or systems.

The vulnerability revolves around the mechanism used by libcurl to handle and maintain a pool of previously used SSH connections. These connections are intended to be reused for subsequent transfers, provided that their configurations match. However, due to an issue in this process, certain mishandled SSH settings can lead to incorrect connection reuse.

As a demonstration of the vulnerability, consider the following example making use of libCurl in C

#include <curl/curl.h>

int main()
{
  CURL *handle;
  CURLcode result;

  curl_global_init(CURL_GLOBAL_DEFAULT);
  handle = curl_easy_init();

  if (handle) {
    curl_easy_setopt(handle, CURLOPT_URL, "sftp://example.com/path/to/section1");
    curl_easy_setopt(handle, CURLOPT_USERNAME, "user1");
    curl_easy_setopt(handle, CURLOPT_PASSWORD, "password1");

    // Perform an SFTP operation here

    // Change the username for the second operation
    curl_easy_setopt(handle, CURLOPT_USERNAME, "user2");
    curl_easy_setopt(handle, CURLOPT_PASSWORD, "password2");
    curl_easy_setopt(handle, CURLOPT_URL, "sftp://example.com/path/to/section2");

    // Perform an SFTP operation here, but the wrong connection (to section1) might still be used

    curl_easy_cleanup(handle);
  }

  curl_global_cleanup();
  return ;
}

In the above code snippet, a first SFTP operation is performed with user1's credentials. The second operation using user2's credentials should no longer be allowed to reuse the previous connection. However, due to the mentioned issue with libcurl, this might not always be the case, potentially leading to an authentication bypass.

Original references

1. The vulnerability announcement and details were published by the libcurl team here: https://curl.se/docs/CVE-2023-27538.html
2. A patch fixing the issue can be found at the libcurl GitHub repository: https://github.com/curl/curl/commit/6c9d6bf48e66110

Exploit Details

At the time of writing, no known exploits have been observed in the wild. Nevertheless, it is essential for developers and infrastructure teams to apply the patch as soon as possible or upgrade to libcurl v8...

To sum up, CVE-2023-27538 is a high-impact vulnerability that affects all libcurl versions before v8... The issue can lead to an authentication bypass and, therefore, demands prompt attention to ensure that the affected systems are secured against potential threats. Upgrading to libcurl v8.. or applying the patch is the recommended course of action to mitigate the risks posed by this vulnerability.

Timeline

Published on: 03/30/2023 20:15:00 UTC
Last modified on: 04/21/2023 23:15:00 UTC