
Summary: A critical vulnerability in the curl command line tool could expose user credentials due to improper handling of .netrc files during HTTP redirects. This flaw, tracked as CVE-2024-11053, has a high CVSS score of 9.1, highlighting its potential impact on security.
Threat Actor: Unknown | unknown
Victim: Users of curl | curl
Key Points:
- The vulnerability affects curl versions 6.5 to 8.11.0, allowing unintended credential exposure during redirects.
- Users are advised to upgrade to curl version 8.11.1 or apply a patch to mitigate the risk.
- As a temporary measure, users should avoid using .netrc files with redirects to prevent credential leaks.
- CISA has downgraded the CVSS score from 9.1 to 3.4, indicating a reassessment of the vulnerability’s severity.

A recently discovered vulnerability in the popular curl command line tool and library, tracked as CVE-2024-11053 and assigned a CVSS score of 9.1, could lead to the unintended exposure of user credentials. The vulnerability arises from the interaction between the use of .netrc files for storing credentials and curl’s handling of HTTP redirects.
Under specific circumstances, when curl is configured to use a .netrc file and follow redirects, it may inadvertently leak the password intended for the initial host to the redirected host. This occurs if the .netrc file contains an entry for the redirect target hostname but omits the password or both the login and password.
Example:
Consider a scenario where a curl transfer to a.tld redirects to b.tld. The .netrc file has an entry for a.tld with the password and an entry for b.tld without a password. In this case, curl would incorrectly use the password for a.tld in the subsequent transfer to b.tld, potentially exposing it to the redirected host.
Affected Versions:
The vulnerability affects curl versions 6.5 through 8.11.0. Versions before 6.5, and 8.11.1 and later, are not affected.
Solution:
The issue has been addressed in curl version 8.11.1. Users are strongly advised to upgrade to this version or apply the provided patch and rebuild curl. As a workaround, avoid using .netrc files together with redirects.
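The two checks an administrator wants around this advisory are the ones implied by the example above and by the affected-version range: which entries in a .netrc file match the trigger condition (a `machine` entry with no password, or with neither login nor password), and whether an installed curl falls inside 6.5 through 8.11.0. The script below is an added example, not curl's own code; its .netrc parser, the `curl --version` banner parsing, and the sample .netrc contents are assumptions constructed for the illustration. The credential lookup it implements is the intended per-host semantics, in which a missing password stays missing rather than being borrowed from the origin host's entry.

```python
"""Added audit helpers for CVE-2024-11053 (not curl's own code).

1. parse_netrc / incomplete_entries: flag .netrc entries that name a host but
   omit the password (or both login and password), the condition the advisory
   gives for the leak when that host is a redirect target.
2. parse_curl_version / is_affected: check a `curl --version` banner against
   the affected range 6.5 .. 8.11.0 (fixed in 8.11.1).
Sample .netrc text and version banners below are constructed.
"""
import re
import shlex
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, Optional[str]]

AFFECTED_MIN = (6, 5, 0)   # first affected release, per the advisory
FIXED = (8, 11, 1)         # first fixed release, per the advisory


def parse_netrc(text: str) -> Dict[str, Entry]:
    """Minimal .netrc parser. `machine <host>` or `default` opens an entry;
    `login`/`user`, `password` and `account` set its fields. Fields never
    given stay None, so "no password" differs from an empty password.
    Comment lines are skipped; `macdef` macros are not supported."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    tokens = shlex.split("\n".join(lines))   # honours quoted values
    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    i = 0

    def value(pos: int) -> str:
        if pos >= len(tokens):
            raise ValueError(f"missing value after {tokens[pos - 1]!r}")
        return tokens[pos]

    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            current = {"login": None, "password": None, "account": None}
            entries[value(i + 1)] = current
            i += 2
        elif tok == "default":
            current = {"login": None, "password": None, "account": None}
            entries["default"] = current
            i += 1
        elif tok in ("login", "user", "password", "account") and current is not None:
            current["login" if tok == "user" else tok] = value(i + 1)
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    return entries


def credentials_for(entries: Dict[str, Entry], host: str) -> Tuple[Optional[str], Optional[str]]:
    """Intended per-host lookup: the host's own entry, else `default`, else
    nothing. Another host's fields are never used, so a redirect from a.tld
    to b.tld can only pick up what b.tld's own entry provides."""
    entry = entries.get(host) or entries.get("default")
    if entry is None:
        return (None, None)
    return (entry["login"], entry["password"])


def incomplete_entries(entries: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """Hosts matching the advisory's trigger condition: password missing, or
    login and password both missing."""
    findings = []
    for host, entry in entries.items():
        if host != "default" and entry["password"] is None:
            what = "no login and no password" if entry["login"] is None else "no password"
            findings.append((host, what))
    return findings


def parse_curl_version(banner: str) -> Tuple[int, int, int]:
    """Read 'curl X.Y.Z ...' from the first line of `curl --version`."""
    m = re.match(r"curl\s+(\d+)\.(\d+)(?:\.(\d+))?", banner.strip())
    if not m:
        raise ValueError("not a curl version banner")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for 6.5.0 <= version < 8.11.1."""
    return AFFECTED_MIN <= version < FIXED


# Constructed sample mirroring the advisory's a.tld -> b.tld scenario.
SAMPLE_NETRC = """
# a.tld has a full entry; b.tld names a login but no password; c.tld has neither
machine a.tld login alice password s3cret
machine b.tld login bob
machine c.tld
default login anonymous password guest@example.invalid
"""

if __name__ == "__main__":
    entries = parse_netrc(SAMPLE_NETRC)
    for host, what in incomplete_entries(entries):
        print(f"{host}: {what} (trigger condition if it becomes a redirect target)")
    print("b.tld would receive:", credentials_for(entries, "b.tld"))
    banner = "curl 8.11.0 (x86_64-pc-linux-gnu) libcurl/8.11.0"  # constructed banner
    print("affected:", is_affected(parse_curl_version(banner)))
```

Run it against a real file with `parse_netrc(open(path).read())` and feed `is_affected` the first line of `curl --version` from each host in a fleet; any finding from `incomplete_entries` on a curl in the affected range is an entry to complete or remove until the upgrade to 8.11.1 lands.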
Impact:
This vulnerability poses a significant risk as curl and libcurl are widely used by many applications, often without explicit mention. The potential exposure of credentials could lead to unauthorized access and compromise of sensitive information.
Recommendations:
- Upgrade curl and libcurl to version 8.11.1 immediately.
- If upgrading is not possible, apply the patch and rebuild curl.
- As a temporary mitigation, disable the use of .netrc files in conjunction with redirects.
Update:
CISA has lowered the CVSS score of CVE-2024-11053 from 9.1 to 3.4.
Source: https://securityonline.info/cve-2024-11053-curl-vulnerability-exposes-user-credentials-in-redirects