Attacker Value
Moderate
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2021-22947

Disclosure Date: September 29, 2021
CVE-2021-22947 CVSS v3 Base Score: 5.9
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got before the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker’s injected data comes from the TLS-protected server.

Add Assessment

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Low
Common in enterpriseUnauthenticatedVulnerable in default configurationRequires physical access
Technical Analysis

Original report for this vulnerability can be found at https://curl.se/docs/CVE-2021-22947.html

This vulnerability affects curl 7.20.0 to 7.78.0 inclusive, and occurs due to the commit made at https://github.com/curl/curl/commit/ec3bb8f727405.

The bug occurs as when curl connects to a IMAP, POP3, SMTP, or FTP server using STARTTLS to upgrade the connection to a TLS connection. In these scenarios the server can send multiple responses prior to the TLS upgrade, which are then cached by curl.

Unfortunately, when upgrading to TLS, curl would not flush this queue of cached responses and instead would treat these responses as part of the TLS handshake themselves as if they were authenticated.

Attackers could use this to inject fake response data via a man in the middle (MITM) attack when the connection uses POP3 or IMAP as noted by the curl developers.

It is interesting to note that this bug was disclosed via HackerOne in September 2021 but was only fixed by Microsoft in January 2021 as noted at https://www.zerodayinitiative.com/blog/2022/1/11/the-january-2022-security-update-review, meaning there was at least a 3 month gap between the bug being public knowledge and it being fixed.

As for the exploitability of this bug, it is fairly low due to the need to be able to conduct a MITM attack against a target user. Additionally using implicit TLS instead of using STARTTLS negates this issue so attackers would have to find a connection specifically using STARTTLS.

It should be noted though that may applications use libcurl, the affected library, even if they don’t explicitly advertise it, so there is a good possibility that a fair number of apps on Windows would use this in some manner.

As a final note, its not directly clear to me why Microsoft rates this as a RCE bug but I imagine they likely found a connection between an attacker MITM’ing a specific connection for one of their apps and forging a fake response that can then be used to trigger some form of RCE. No details are provided on which app this might be though, so the specifics of this remain to be seen.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
5.9 Medium
Impact Score:
3.6
Exploitability Score:
2.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
High
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
https://github.com/curl/curl curl 7.20.0 to and including 7.78.0
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • apple,
  • debian,
  • fedoraproject,
  • haxx,
  • netapp,
  • oracle,
  • siemens,
  • splunk

Products

  • cloud backup -,
  • clustered data ontap -,
  • commerce guided search 11.3.2,
  • communications cloud native core binding support function 1.11.0,
  • communications cloud native core binding support function 22.1.3,
  • communications cloud native core console 22.2.0,
  • communications cloud native core network function cloud native environment 1.10.0,
  • communications cloud native core network repository function 1.15.0,
  • communications cloud native core network repository function 1.15.1,
  • communications cloud native core network repository function 22.1.2,
  • communications cloud native core network repository function 22.2.0,
  • communications cloud native core network slice selection function 1.8.0,
  • communications cloud native core security edge protection proxy 22.1.1,
  • communications cloud native core service communication proxy 1.15.0,
  • curl,
  • debian linux 10.0,
  • debian linux 11.0,
  • debian linux 9.0,
  • fedora 33,
  • fedora 35,
  • h300e firmware -,
  • h300s firmware -,
  • h410s firmware -,
  • h500e firmware -,
  • h500s firmware -,
  • h700e firmware -,
  • h700s firmware -,
  • macos,
  • mysql server,
  • peoplesoft enterprise peopletools 8.57,
  • peoplesoft enterprise peopletools 8.58,
  • peoplesoft enterprise peopletools 8.59,
  • sinec infrastructure network services,
  • solidfire baseboard management controller firmware -,
  • universal forwarder,
  • universal forwarder 9.1.0
Technical Analysis