Attacker Value: Moderate (1 user assessed)
Exploitability: Low (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2021-22947

Disclosure Date: September 29, 2021

Description

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trusting the responses it got before the TLS handshake as if they were authenticated. Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

Technical Analysis

Original report for this vulnerability can be found at https://curl.se/docs/CVE-2021-22947.html

This vulnerability affects curl 7.20.0 to 7.78.0 inclusive, and occurs due to the commit made at https://github.com/curl/curl/commit/ec3bb8f727405.

The bug occurs when curl connects to an IMAP, POP3, SMTP, or FTP server using STARTTLS to upgrade the connection to a TLS connection. In these scenarios the server can send multiple responses prior to the TLS upgrade, which are then cached by curl.

Unfortunately, when upgrading to TLS, curl would not flush this queue of cached responses and instead would treat these responses as part of the TLS handshake themselves as if they were authenticated.

Attackers could use this to inject fake response data via a man in the middle (MITM) attack when the connection uses POP3 or IMAP as noted by the curl developers.

It is interesting to note that this bug was disclosed via HackerOne in September 2021 but was only fixed by Microsoft in January 2021 as noted at https://www.zerodayinitiative.com/blog/2022/1/11/the-january-2022-security-update-review, meaning there was at least a 3-month gap between the bug being public knowledge and it being fixed.

As for the exploitability of this bug, it is fairly low due to the need to be able to conduct a MITM attack against a target user. Additionally, using implicit TLS instead of STARTTLS negates this issue, so attackers would have to find a connection specifically using STARTTLS.

It should be noted though that many applications use libcurl, the affected library, even if they don't explicitly advertise it, so there is a good possibility that a fair number of apps on Windows would use this in some manner.

As a final note, it's not directly clear to me why Microsoft rates this as an RCE bug, but I imagine they likely found a connection between an attacker MITM'ing a specific connection for one of their apps and forging a fake response that can then be used to trigger some form of RCE. No details are provided on which app this might be though, so the specifics of this remain to be seen.
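The flaw that both the description and the assessment above describe comes down to one thing: a response queue that survives the STARTTLS upgrade. The following model, added here and not taken from curl's own code, shows the vulnerable and the corrected behaviour side by side; the client class, the server reply strings and the `flush_on_upgrade` switch are constructed for this illustration.

```python
# Simplified model of a STARTTLS-capable POP3/IMAP client receive path.
# Constructed example; not curl's code. The server responses are sample
# strings embedded here so the model runs offline.

from collections import deque


class StartTlsClient:
    """Minimal client: one response queue shared by the plaintext and TLS phases."""

    def __init__(self, flush_on_upgrade: bool):
        self.flush_on_upgrade = flush_on_upgrade
        self.tls = False
        self.queue = deque()  # responses received but not yet consumed

    def receive(self, lines):
        """The network delivered one or more response lines at once; cache them."""
        self.queue.extend((self.tls, line) for line in lines)

    def upgrade_to_tls(self):
        """STARTTLS accepted: from now on data arrives through the TLS record layer."""
        self.tls = True
        if self.flush_on_upgrade:
            # Mitigation: anything cached before the handshake was never authenticated.
            self.queue.clear()

    def next_response(self):
        """Return (was_received_over_tls, line) for the next cached response."""
        return self.queue.popleft()


def response_seen_after_upgrade(flush_on_upgrade: bool):
    """Model the flaw: the STARTTLS reply arrives bundled with an extra plaintext
    line; return the response the client attributes to its first post-upgrade
    command."""
    client = StartTlsClient(flush_on_upgrade)
    # Constructed plaintext burst: the '+OK' for STLS plus one extra, unverified line.
    client.receive(["+OK Begin TLS negotiation", "+OK unverified plaintext line"])
    assert client.next_response() == (False, "+OK Begin TLS negotiation")
    client.upgrade_to_tls()
    # Constructed reply actually sent by the legitimate server inside TLS.
    client.receive(["+OK authenticated TLS reply"])
    return client.next_response()


if __name__ == "__main__":
    print("vulnerable:", response_seen_after_upgrade(flush_on_upgrade=False))
    print("fixed:     ", response_seen_after_upgrade(flush_on_upgrade=True))
```

Without the flush, the first "authenticated" answer the client acts on is a line that was received in the clear; with it, the client only ever consumes data that crossed the TLS record layer.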

CVSS V3 Severity and Metrics

Base Score: 5.9 Medium
Impact Score: 3.6
Exploitability Score: 2.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): None

General Information

Products

  • https://github.com/curl/curl