From 5734f84bcce260715edd65c58d72c5eaad095bee Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 11 Dec 2024 08:10:15 +0100 Subject: [PATCH] CVE-2024-11053: netrc and redirect credential leak --- docs/CVE-2024-11053.md | 90 ++++++++++++++++++++++++++++++++++++++++++ docs/Makefile | 3 +- docs/vuln.pm | 1 + 3 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 docs/CVE-2024-11053.md diff --git a/docs/CVE-2024-11053.md b/docs/CVE-2024-11053.md new file mode 100644 index 0000000000..bc766ad846 --- /dev/null +++ b/docs/CVE-2024-11053.md 
@@ -0,0 +1,90 @@ +netrc and redirect credential leak +================================== + +Project curl Security Advisory, December 11th 2024 - +[Permalink](https://curl.se/docs/CVE-2024-11053.html) + +VULNERABILITY +------------- + +When asked to both use a `.netrc` file for credentials and to follow HTTP +redirects, curl could leak the password used for the first host to the +followed-to host under certain circumstances. + +This flaw only manifests itself if the netrc file has an entry that matches +the redirect target hostname but the entry either omits just the password or +omits both login and password. + +INFO +---- + +A curl transfer with `a.tld` that redirects to `b.tld` that uses a `.netrc` +like below (with a match, but no password specified for the second host), +would make curl pass on `alicespassword` as password even in the second +transfer to the separate host `b.tld`. + +~~~ +machine a.tld + login alice + password alicespassword + +default + login bob +~~~ + +This bug is **not** considered a *C mistake*. It is not likely to have been +avoided had we not been using C. + +This flaw also affects the curl command line tool. + +The Common Vulnerabilities and Exposures (CVE) project has assigned the name +CVE-2024-11053 to this issue. + +CWE-200: Exposure of Sensitive Information to an Unauthorized Actor + +Severity: Low + +AFFECTED VERSIONS +----------------- + +- Affected versions: curl 6.5 to and including 8.11.0 +- Not affected versions: curl < 6.5 and >= 8.11.1 +- Introduced-in: https://github.com/curl/curl/commit/ae1912cb0d494b48d514 + +libcurl is used by many applications, but not always advertised as such! + +SOLUTION +------------ + +- Fixed-in: https://github.com/curl/curl/commit/e9b9bbac22c26cf6731 + +The fix also addresses a few other .netrc related issues. 
+ +RECOMMENDATIONS +--------------- + +We suggest you take one of the following actions immediately, in order of +preference: + + A - Upgrade curl and libcurl to version 8.11.1 + + B - Apply the patch to your version and rebuild + + C - Avoid using netrc together with redirects + +TIMELINE +--------- + +This issue was reported to the curl project on November 8, 2024. We contacted +distros@openwall on December 3, 2024. + +curl 8.11.1 was released on December 11 2024 around 06:00 UTC, coordinated +with the publication of this advisory. + +CREDITS +------- + +- Reported-by: Harry Sintonen +- Patched-by: Daniel Stenberg + +Thanks a lot! diff --git a/docs/Makefile b/docs/Makefile index 2d6cb1754f..a8405cb8eb 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -179,7 +179,8 @@ CVELIST = \ CVE-2024-6874.html \ CVE-2024-7264.html \ CVE-2024-8096.html \ - CVE-2024-9681.html + CVE-2024-9681.html \ + CVE-2024-11053.html PAGES = \ $(CVELIST) \ diff --git a/docs/vuln.pm b/docs/vuln.pm index c7daa1f88e..1259ce0e1c 100644 --- a/docs/vuln.pm +++ b/docs/vuln.pm @@ -16,6 +16,7 @@ # # List of CWEs => https://cwe.mitre.org/data/definitions/658.html @vuln = ( + "CVE-2024-11053.html|6.5|8.11.0|netrc and redirect credential leak|CVE-2024-11053|20241211|20241108|CWE-200: Exposure of Sensitive Information to an Unauthorized Actor|540|netrc|-|both|low|https://hackerone.com/reports/2829063", "CVE-2024-9681.html|7.74.0|8.10.1|HSTS subdomain overwrites parent cache entry|CVE-2024-9681|20241105|20241007|CWE-1025: Comparison Using Wrong Factors|540|HSTS|-|both|low|https://hackerone.com/reports/2764830", "CVE-2024-8096.html|7.41.0|8.9.1|OCSP stapling bypass with GnuTLS|CVE-2024-8096|20240911|20240819|CWE-295: Improper Certificate Validation|2540|TLS|-|both|medium|https://hackerone.com/reports/2669852", "CVE-2024-7264.html|7.32.0|8.9.0|ASN.1 date parser overread|CVE-2024-7264|20240731|20240730|CWE-125: Out-of-bounds Read|540|ASN1|OVERREAD|both|low|https://hackerone.com/reports/2629968",
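Review bot: recommendation C ("Avoid using netrc together with redirects") is broader than the condition the VULNERABILITY section states, which is that the leak only happens when the netrc entry matching the redirect target omits the password (or both login and password); for users who cannot upgrade, consider adding the narrower workaround that follows from that condition, namely giving every entry that can match a redirect target, including `default`, an explicit `password` line, or say why that is not sufficient. Separately, "The fix also addresses a few other .netrc related issues" is too vague for anyone choosing option B (apply the patch and rebuild): naming those issues, or at least whether any of them is security-relevant, tells backporters what else the referenced commit changes. Minor: the SOLUTION underline (12 dashes) is longer than the heading text, unlike the other headings in the file.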