A security vulnerability has been discovered in the popular command-line tool, curl, affecting its handling of HSTS (HTTP Strict Transport Security) cache entries when used by applications that enable HSTS and use URLs with the insecure HTTP:// scheme. This vulnerability has been assigned the ID CVE-2024-9681.

In certain scenarios, the expiry time for a subdomain might overwrite a parent domain's cache entry, causing the HSTS policy for the parent domain to end sooner or later than intended. This article will provide a detailed explanation of the vulnerability, along with code snippets and original references to better understand the issue and its implications.

To dive deeper, you can read up on the original report and the curl source code repository.

Affected Scenario

An application using curl with HSTS enabled and using URLs with the insecure HTTP:// scheme is susceptible to this vulnerability when it performs transfers with hosts like x.example.com as well as example.com, where the first host is a subdomain of the second host.

The HSTS cache must contain entries for the domains involved for this issue to occur, which can happen by populating the cache manually or by having previous HTTPS accesses done.

Exploit Details

Suppose x.example.com responds with a Strict-Transport-Security: header. Due to the bug, the subdomain's expiry timeout can *bleed over* and overwrite the parent domain example.com entry in curl's HSTS cache.

When this bug is triggered, HTTP accesses to example.com are converted to HTTPS for a different period than what was asked for by the origin server. As a result, if example.com stops supporting HTTPS at its expiry time, curl might fail to access http://example.com until the wrongly set timeout expires. Alternatively, the bug can also cause the parent's entry to expire earlier, making curl inadvertently switch back to insecure HTTP earlier than intended.

Here's a code snippet demonstrating the issue

// curl_hsts_bug.c

#include <curl/curl.h>

int main() {
    CURL *curl_handle;
    CURLcode res;

    curl_global_init(CURL_GLOBAL_DEFAULT);
    curl_handle = curl_easy_init();

    // Enable HSTS
    curl_easy_setopt(curl_handle, CURLOPT_HSTS_CTRL, CURLHSTS_ENABLE);

    // Perform transfer with x.example.com
    curl_easy_setopt(curl_handle, CURLOPT_URL, "http://x.example.com";);
    res = curl_easy_perform(curl_handle);

    // Perform transfer with example.com
    curl_easy_setopt(curl_handle, CURLOPT_URL, "http://example.com");
    res = curl_easy_perform(curl_handle);

    // Cleanup
    curl_easy_cleanup(curl_handle);
    curl_global_cleanup();

    return ;
}

Remediation

To resolve this issue, users should update their curl installations to the latest version, which contains a fix for CVE-2024-9681. This will ensure that the HSTS cache entries for parent domains are not inadvertently overwritten by subdomain expiry times. Moreover, users should also consider configuring their server environment to support HTTPS—this can help in mitigating related security risks.

Conclusion

CVE-2024-9681 is a security vulnerability in curl that affects how HSTS cache entries are managed, potentially allowing subdomain expiry times to overwrite parent domain entries. This can cause the parent domain to switch to HTTPS for a different period than intended or revert to HTTP earlier than intended. Developers and server administrators using curl should update their installations promptly to avoid being affected by this vulnerability.

Timeline

Published on: 11/06/2024 08:15:03 UTC
Last modified on: 12/13/2024 14:15:22 UTC