<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=4048960308545126&amp;ev=PageView&amp;noscript=1">

TuxCare - Testing all vulnerabilities so that you don’t have to

Extended Lifecycle Support, CVE-2021-22901, libcurl, CVE-2021-22898, curl

May 27, 2021

Joao Correia

As a part of TuxCare, we make sure that any and all new vulnerabilities are analyzed and tested against all the distributions and products we support. Today, two new vulnerabilities were disclosed that affect the curl/libcurl code, and because this is something we cover with our Extended Lifecycle Support, we ran our tests on this library.

We performed numerous tests and discovered that none of the End-of-Life Linux systems we support are affected by these flaws. So, you can be assured that you are not affected by these vulnerabilities if you are using Centos 6, Oracle Linux 6, CloudLinux 6, or Ubuntu 16, as these are covered by our service.

Libcurl, and by extension curl, the userland software that implements libcurl functionality, is a file transfer tool that supports multiple protocols. It is often bundled with third-party software, even if that presence is not disclosed. Its presence is so ubiquitous that it has even made it off-planet and is currently being used in a rover on Mars, where it is part of the data transfer process for sending images back to Earth. On a more grounded level, it is unknowingly used by end-users every time they open a web page on a browser or an email on their preferred email client.

The two just-disclosed vulnerabilities, CVE-2021-22898 and CVE-2021-22901, affect libcurl in different ways. The first one, in a no longer surprising way, was discovered in 20 year old code, introduced in a code change on March 22, 2001. The second was introduced more recently, in February 2021.

Taking a closer look at CVE-2021-22898, it is a flaw in the way libcurl parses the “CURLOPT_TELNETOPTIONS” variable, exposed by curl as the “-t” command. This flaw could be exploited to permit data exfiltration through specially crafted parameters when connecting to a telnet server.

An easy proof of concept command line looks like this:

 

     curl telnet://example.com -tNEW_ENV=a,bbbbbb (256 'b's)

 

There is currently no evidence of the existence of public exploit code. Additionally, because telnet servers are relatively rare today, it would be rather difficult to exploit in the wild.

As for CVE-2021-22901, it affects libcurl (and by extension, curl) when it is compiled with OpenSSL support (or one of its forks, like boringssl or libressl). It is a vulnerability in the way libcurl reuses a connection at a point in time when it could, theoretically, already be disposed of, resulting in a vulnerability commonly referred to as “User After Free”.

A very particular sequence of events have to happen in precisely the right order for this to be triggered, and in a surprisingly interesting way, rather than the server being the vulnerable party, it’s actually the client that can be compromised by a malicious server. 

The exploit could occur in a situation where libcurl is using session ID caching, reusing it for multiple requests, and freeing the connection in between requests.

Both vulnerabilities were found to not affect the curl/libcurl code currently deployed to our Extended Lifecycle Subscribers. As with all vulnerabilities, TuxCare will continue to provide testing and security know-how to ensure your systems are secure.

You can find more information about the risks of running an unsupported End-of-Life Linux distribution here.

 If you are not yet a subscriber of our products, this is a great opportunity to talk to our engineers and find out how TuxCare can handle your system administration tasks and improve your security practices. Learn more about our services here.

Newsletter

Stay in the Loop

Subscribe to our newsletter to get the latest news on live patching technology from TuxCare Team.

Subscribe