Vulnerability Name:

CVE-2021-22890 (CCN-199188)

Assigned: 2021-03-31
Published: 2021-03-31
Updated: 2022-04-06
Summary: curl 7.63.0 up to and including 7.75.0 contains a vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy, treat them as if they had arrived from the remote server, and then wrongly "short-cut" the host handshake. By causing this confusion, an HTTPS proxy can trick libcurl into using the wrong session ticket to resume the session with the host, thereby circumventing the server TLS certificate check and allowing a MITM attack to be performed unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work, unless curl has been told to ignore the server certificate check.
CVSS v3 Severity: 3.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
3.2 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-290
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2021-22890

Source: CONFIRM
Type: Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Source: CCN
Type: Project curl Security Advisory, March 31st 2021
TLS 1.3 session ticket proxy host mixup

Source: MISC
Type: Patch, Vendor Advisory
https://curl.se/docs/CVE-2021-22890.html

Source: XF
Type: UNKNOWN
curl-cve202122890-mitm(199188)

Source: MISC
Type: Exploit, Issue Tracking, Patch, Third Party Advisory
https://hackerone.com/reports/1129529

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-26a293c72b

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-cab5c9befb

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-065371f385

Source: GENTOO
Type: Third Party Advisory
GLSA-202105-36

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210521-0007/

Source: CCN
Type: IBM Security Bulletin 6471359 (PowerSC)
Vulnerabilities in Curl affect PowerSC (CVE-2021-22876 and CVE-2021-22890)

Source: CCN
Type: IBM Security Bulletin 6479935 (MaaS360)
A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (V2.103.000.051) and Modules

Source: N/A
Type: Third Party Advisory
N/A

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:haxx:libcurl:*:*:*:*:*:*:*:* (Version >= 7.63.0 and <= 7.75.0)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:netapp:hci_management_node:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:solidfire:-:*:*:*:*:*:*:*
  • OR cpe:/h:netapp:hci_storage_node:-:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*

Configuration 5:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 6:
  • cpe:/a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* (Version < 1.0.1.1)

Configuration 7:
  • cpe:/a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:essbase:21.2:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:curl:libcurl:7.63.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7476 | P | curl-8.0.1-150400.5.23.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:3366 | P | socat-1.7.2.4-3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94532 | P | curl-7.79.1-150400.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95177 | P | NetworkManager-applet-1.24.0-150400.2.9 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:2902 | P | curl-7.79.1-150400.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:38 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:967 | P | Security update for python-libxml2-python (Important) | 2022-03-10
oval:org.opensuse.security:def:94478 | P | (Moderate) | 2022-03-04
oval:org.opensuse.security:def:101890 | P | Security update for java-1_8_0-ibm (Important) | 2022-01-18
oval:org.opensuse.security:def:112133 | P | curl-7.79.1-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:105669 | P | Security update for python-Pygments (Important) | 2021-12-01
oval:org.opensuse.security:def:96783 | P | sysvinit-tools-2.88+-1.26 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:100814 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62056 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:71797 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101191 | P | libgme-devel-0.6.2-1.17 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:111300 | P | Security update for curl (Moderate) | 2021-04-05
oval:org.opensuse.security:def:100593 | P | (Moderate) | 2021-04-01
oval:org.opensuse.security:def:66718 | P | Security update for curl (Moderate) | 2021-04-01
oval:org.opensuse.security:def:42056 | P | Security update for curl (Moderate) | 2021-04-01
oval:org.opensuse.security:def:75786 | P | Security update for curl (Moderate) | 2021-04-01
oval:org.opensuse.security:def:107857 | P | Security update for curl (Moderate) | 2021-04-01
oval:org.opensuse.security:def:5629 | P | Security update for curl (Moderate) | 2021-04-01
oval:org.opensuse.security:def:99928 | P | (Moderate) | 2021-04-01
oval:org.opensuse.security:def:108556 | P | Security update for curl (Moderate) | 2021-04-01
oval:org.opensuse.security:def:117372 | P | Security update for curl (Moderate) | 2021-04-01
oval:org.opensuse.security:def:100263 | P | (Moderate) | 2021-04-01
oval:org.opensuse.security:def:64455 | P | Security update for curl (Moderate) | 2021-04-01
oval:org.opensuse.security:def:73577 | P | Security update for curl (Moderate) | 2021-04-01
    haxx libcurl *
    fedoraproject fedora 32
    fedoraproject fedora 33
    fedoraproject fedora 34
    netapp hci management node -
    netapp solidfire -
    netapp hci storage node -
    broadcom fabric operating system -
    debian debian linux 9.0
    siemens sinec infrastructure network services *
    oracle communications billing and revenue management 12.0.0.3.0
    oracle essbase 21.2
    curl libcurl 7.63.0