External risk intelligence

Attacker can trick services using curl into sending the wrong client certificate

CVE advisory. Severity: HIGH (CVSS 7.5)

CVE-2021-22926

A flaw in libcurl on macOS could allow applications to use incorrect client certificates during secure connections, potentially exposing sensitive data. This issue is relevant now due to the widespread use of libcurl in many applications.

Halo Surface Signal score: 3

Haxx Curl

Affected version ranges as listed:

  • 7.33.0 to before 7.78.0
  • 5.7.0 to 5.7.35
  • 8.0.0 to 8.0.26
  • 8.57
  • 8.58
  • 8.59
  • before 1.0.1.1
  • 8.2.0 to before 8.2.12
  • 9.0.0 to before 9.0.6
  • 9.1.0

External exposure likelihood

Halo Surface Signal score for CVE-2021-22926

The vulnerability exists in libcurl, a general-purpose library used in a vast range of software, including internet-facing applications, management tools, and backend services. While the specific attack scenario requires a local malicious user to influence the application's working directory, the library itself is commonly used in network-connected contexts where such triggers might be reachable.

Horizon Alert

Summary of the vulnerability and why it matters

This issue affects applications using the `libcurl` library when it is built with macOS's native TLS (Secure Transport). It could trick these applications into using an unintended client certificate during secure connections, potentially exposing sensitive information or allowing unauthorized access. It matters because many applications rely on `libcurl` for secure network communications.

  • Sensitive certificate details can be exposed.
  • Can lead to incorrect client authentication.
  • Affects applications using `libcurl` on macOS.

Attack Path

How an attacker could exploit the issue

An attacker could trick an application using libcurl on macOS into using a malicious client certificate instead of the intended one. This occurs when the application's working directory is writable by others: the attacker creates a file whose name matches the certificate identity the application passes by name, and libcurl loads that file-based certificate instead of the named keychain identity.

  • Requires local write access.
  • Targets libcurl on macOS.
  • Vulnerable if the app runs with a world-writable working directory.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this CVE less appealing due to the requirement for a local attacker to manipulate the working directory. However, libcurl is a widely used library, potentially exposing many applications. The vulnerability could allow an attacker to trick an application into using a client certificate they control, potentially enabling unauthorized access or impersonation.

  • Local prerequisite exists.
  • No known exploit in the wild.
  • Published over two years ago.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and isolating affected systems by analyzing logs for client certificates being loaded from `/tmp` or other world-writable directories. Given the potential for attackers to trick applications into using malicious client certificates, it is crucial to block connections whose TLS handshake presents an unexpected client certificate.

  • Update libcurl to version 7.78.0 or later.
  • Implement strict file permission checks on working directories.
  • Monitor for anomalous TLS handshake certificate usage.
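The three recommended actions above (upgrade, working-directory permission checks, and watching for a certificate being picked up from the filesystem) can be turned into a pre-flight check that a deployment or job runner executes before invoking a libcurl-based client. The following is an added example, not code from the advisory or from the curl project. It assumes the client passes its certificate by keychain identity name through `CURLOPT_SSLCERT`, that the libcurl version and TLS backend can be read from the first line of `curl --version` output, and that the identity name `Example Client Cert` and the version strings in `demo()` are constructed sample values.

```python
"""Pre-flight checks for a libcurl job on macOS against CVE-2021-22926.

Added example (not the advisory's or curl's own code). Assumes the client
passes its certificate by keychain identity name via CURLOPT_SSLCERT and
that the first line of `curl --version` names the version and TLS backend.
"""
import os
import re
import shutil
import stat
import subprocess
import tempfile

FIRST_AFFECTED = (7, 33, 0)   # affected range per the advisory
FIXED_VERSION = (7, 78, 0)    # first fixed release


def parse_version(text):
    """Extract the libcurl version triple from a `curl --version` line such as
    'curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) ...'.
    Falls back to the leading 'curl X.Y.Z' token if no libcurl/ token exists."""
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", text) or re.search(r"curl (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no curl version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version, backend_line=""):
    """True when the version is in 7.33.0 <= v < 7.78.0 and the build reports
    Secure Transport, the only TLS backend the advisory says is affected."""
    in_range = FIRST_AFFECTED <= tuple(version) < FIXED_VERSION
    return in_range and "SecureTransport" in backend_line


def directory_writable_by_others(path):
    """True if the group or world write bit is set on `path` (e.g. /tmp), the
    precondition the advisory describes for the wrong file being picked up."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def colliding_file(cert_identity, cwd):
    """Return the path of a file in `cwd` whose name equals the certificate
    identity string, or None. An affected libcurl would load such a file in
    preference to the named keychain identity."""
    candidate = os.path.join(cwd, cert_identity)
    return candidate if os.path.isfile(candidate) else None


def preflight(cert_identity, cwd, version_text):
    """Collect findings; an empty list means the job may proceed."""
    findings = []
    version = parse_version(version_text)
    if is_vulnerable_version(version, version_text):
        findings.append("libcurl %d.%d.%d with Secure Transport is affected; upgrade to 7.78.0 or later" % version)
    if directory_writable_by_others(cwd):
        findings.append("working directory %s is group/world writable" % cwd)
    hit = colliding_file(cert_identity, cwd)
    if hit:
        findings.append("file %s shadows the certificate identity" % hit)
    return findings


def installed_curl_version_text():
    """First line of `curl --version` on this host (only used when run as a script)."""
    out = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=True).stdout
    return out.splitlines()[0]


def demo():
    """Constructed scenario: an affected build running in a world-writable
    directory that contains a file named after the identity, versus a fixed
    build in a private directory. Sample values are constructed, not real."""
    identity = "Example Client Cert"  # constructed keychain identity name
    old = "curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3"
    new = "curl 7.79.1 (x86_64-apple-darwin21.0) libcurl/7.79.1 (SecureTransport) LibreSSL/3.3.6"
    base = tempfile.mkdtemp()
    try:
        shared = os.path.join(base, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)  # mimics /tmp
        with open(os.path.join(shared, identity), "w") as f:
            f.write("not a real certificate\n")
        private = os.path.join(base, "private")
        os.mkdir(private)
        os.chmod(private, 0o700)
        return {"vulnerable_setup": preflight(identity, shared, old),
                "hardened_setup": preflight(identity, private, new)}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
    # Real check of the current host and working directory:
    print(preflight("Example Client Cert", os.getcwd(), installed_curl_version_text()) or "OK")
```

The version check alone is not sufficient: a fixed libcurl removes the file-over-identity precedence, but a job that still runs in a world-writable directory keeps a weak posture for other reasons, so the directory and collision checks are reported independently.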

Frequently asked questions

What is the primary function of libcurl that is exploited in CVE-2021-22926?

The vulnerability exploits libcurl's ability to request a specific client certificate using the `CURLOPT_SSLCERT` option. When libcurl is built with macOS's Secure Transport, it can mistakenly use a file-based certificate if a file with the same name as a certificate's identifier exists in a writable working directory, instead of the intended certificate referenced by name.

How does the weakness in CVE-2021-22926 allow for a bypass of security controls?

The weakness, classified as Improper Certificate Validation (CWE-295) and related to Improper Certificate Handling (CWE-840), allows an attacker to trick an application into using an imposter client certificate. This occurs when a malicious file is placed in a shared directory, causing libcurl to use that file instead of the legitimate certificate during the TLS handshake, potentially leading to unauthorized access or impersonation.

What specific conditions must be met for an attacker to exploit CVE-2021-22926?

Exploitation requires the application using libcurl to be built with the macOS Secure Transport library, and for the application to run with a current working directory that is writable by other users, such as `/tmp`. A malicious user must then create a file in this directory with the same name as the client certificate identifier the application intends to use.

What is the relevance of CVE-2021-22926, given its requirements and the current threat landscape?

Although the vulnerability requires local access to manipulate the working directory, libcurl is a widely used library in many applications, including those that are internet-facing. While there are no known exploits in the wild, the potential impact of a successful attack, which could involve impersonation or unauthorized access, makes it a notable concern, especially for systems relying on certificate-based authentication.

What are the recommended actions to mitigate the risk posed by CVE-2021-22926?

To mitigate this vulnerability, it is recommended to update libcurl to version 7.78.0 or later. Additionally, organizations should implement strict file permission checks on application working directories and monitor network traffic for anomalous TLS handshake certificate usage to detect and block potential exploitation attempts.
