[CURL-CVE-2021-22901] TLS session caching disaster
libcurl can be tricked into using already freed memory when a new TLS session
is negotiated or a client certificate is requested on an existing connection.
For example, this can happen when a TLS server requests a client certificate
on a connection that was established without one. A malicious server can use
this in rare unfortunate circumstances to potentially reach remote code
execution in the client.
OpenSSL can declare a "new session" for different reasons, including the
initial TLS handshake completion, TLS 1.2 (or earlier) renegotiation, or TLS
1.3 client certificate requests. When libcurl at runtime sets up support for
session ID caching on a connection using OpenSSL, it stores pointers to the
transfer in-memory object for later retrieval when OpenSSL considers a new
session to be established.
However, if the connection is used by multiple transfers (like with a reused
HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer
object might be freed before the new session is established on that connection
and then the function accesses a memory buffer that might be freed. When using
that memory, libcurl might even call a function pointer in the object, making
it possible for a remote code execution if the server could somehow manage to
get crafted memory content into the correct place in memory.
| Package | Affected Version |
|---|---|
 pkg:generic/curl
|
>= 7.75.0, < 7.77.0 |
|
pkg:generic/curl
|
= 7.76.1 |
|
pkg:generic/curl
|
= 7.76.0 |
|
pkg:generic/curl
|
= 7.75.0 |
| Package | Fixed Version |
|---|---|
|
pkg:generic/curl
|
= 7.77.0 |
- ID
- CURL-CVE-2021-22901
- Severity
- high
- URL
- https://curl.se/docs/CVE-2021-22901.html
- Published
-
2021-05-26T08:00:00
(3 years ago) - Modified
-
2024-06-07T13:53:51
(3 months ago) - Rights
- The cURL project
- Other Advisories
ALPINE:CVE-2021-22901
ASA-202106-4
FEDORA-2021-eb5b7c53a9
FREEBSD:38A4A043-E937-11EB-9B84-D4C9EF517024
GLSA-202105-36
MS:CVE-2021-22901
SSA:2021-146-01| Source | # ID | Name | URL |
|---|---|---|---|
| cURL Project | CURL-CVE-2021-22901 | Security Advisory |
|
| cURL Project | CURL-CVE-2021-22901 | Security Advisory |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Fixed | pkg:generic/curl | curl | = 7.77.0 | ||||
| Affected | pkg:generic/curl | curl | >= 7.75.0 < 7.77.0 | ||||
| Affected | pkg:generic/curl | curl | = 7.76.1 | ||||
| Affected | pkg:generic/curl | curl | = 7.76.0 | ||||
| Affected | pkg:generic/curl | curl | = 7.75.0 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |