A malicious server can use the `PASV` response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. If curl operates on a URL provided by a user (which by all means is an unwise setup), a user can exploit that and pass in a URL to a malicious FTP server instance without needing any server breach to perform the attack.
Flaw summary: The flaw is caused by the fact that by default, Extended Passive Mode (EPSV) FTP connections fall back to Passive Mode (PASV) in the event that EPSV is not supported. In PASV mode, the server replies to the FTP client with an IPv4 address and port[1], to which it should connect. In EPSV, only a port number is sent[2], hence the implementation of PASV is where the flaw lies. This flaw involves a malicious server sending a malicious IP in a PASV response, causing the FTP client (curl in this case) to connect to the malicious IP. The patch addresses this by skipping (not acting upon) the IPv4 address provided by the server in PASV mode by default as of curl 7.74.0.

The attack complexity for this is relatively high because the following constraints must be satisfied that may not be under attacker control:

A) A client attempts to connect to a malicious FTP server using curl
B) The client has not used `--ftp-skip-pasv-ip` or `CURLOPT_FTP_SKIP_PASV_IP`
C) The client is using a build of curl with FTP enabled

Additionally, such an attack would likely disclose some useful information to attackers as mentioned in Comment#0, but not full compromise of confidentiality.

1. https://tools.ietf.org/html/rfc1123#page-31
2. https://tools.ietf.org/html/rfc2428
External References: https://curl.se/docs/CVE-2020-8284.html
Mitigation: This flaw can be mitigated in curl as shipped with Red Hat Enterprise Linux and Red Hat Software Collections when using curl by passing the `--ftp-skip-pasv-ip` command line option to curl. For usage of libcurl, set `CURLOPT_FTP_SKIP_PASV_IP` to `1L`[1]. Note that these mitigations could cause problems in the uncommon instance that the server needs the client to connect back to an IP other than the control connection IP address. 1. https://curl.se/libcurl/c/CURLOPT_FTP_SKIP_PASV_IP.html
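To make the flaw summary and the mitigation concrete, the following added example (written for this page, not code from curl or Red Hat) shows what a client's PASV/EPSV handling must decide: a 227 reply carries an IPv4 address chosen by the server, a 229 reply carries only a port, and the `--ftp-skip-pasv-ip` / `CURLOPT_FTP_SKIP_PASV_IP` behaviour amounts to ignoring the advertised address and reusing the control-connection host. The sample reply lines and addresses below are constructed; the function names are this example's own.

```python
import re

# Constructed sample control-connection replies (not captured from any real server).
# 195*256 + 80 = 50000, so the benign reply advertises the control host's own IP.
PASV_BENIGN = "227 Entering Passive Mode (192,0,2,10,195,80)"
# A reply that points the data connection at a different, internal address and port.
PASV_OTHER_HOST = "227 Entering Passive Mode (10,0,0,5,0,22)"
# EPSV (RFC 2428) carries only the port; the address is always the control host.
EPSV_REPLY = "229 Entering Extended Passive Mode (|||49152|)"

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 PASV reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in PASV reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range")
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV port 0 is not usable")
    return ".".join(str(o) for o in fields[:4]), port


def parse_epsv(reply):
    """Return the port advertised in a 229 EPSV reply; raise ValueError if malformed."""
    if not reply.startswith("229"):
        raise ValueError("not a 229 EPSV reply")
    m = _EPSV_RE.search(reply)
    if m is None:
        raise ValueError("no (|||port|) tuple in EPSV reply")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("EPSV port out of range")
    return port


def data_endpoint(control_host, reply, skip_pasv_ip=True):
    """Decide where the data connection goes.

    Returns (host, port, reason). With skip_pasv_ip=True (curl's default since
    7.74.0) the address in a PASV reply is ignored and the control host is used;
    with skip_pasv_ip=False (the pre-fix default) the server-supplied address is
    honoured, which is the behaviour described in this flaw.
    """
    if reply.startswith("229"):
        return control_host, parse_epsv(reply), "epsv"
    ip, port = parse_pasv(reply)
    if ip == control_host:
        return ip, port, "pasv"
    if skip_pasv_ip:
        return control_host, port, "pasv-ip-ignored"
    return ip, port, "pasv-ip-honoured"


if __name__ == "__main__":
    control = "192.0.2.10"
    for reply in (PASV_BENIGN, PASV_OTHER_HOST, EPSV_REPLY):
        for skip in (True, False):
            print(skip, reply, "->", data_endpoint(control, reply, skip_pasv_ip=skip))
```

The `reason` field is the part a defender would log: a PASV reply whose address differs from the control host is unusual for ordinary servers and, as the Mitigation note above says, is exactly the case where the skip-pasv-ip default changes behaviour.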
Created curl tracking bugs for this issue:
Affects: fedora-all [bug 1906113]

Created flickcurl tracking bugs for this issue:
Affects: epel-7 [bug 1906111]
Affects: fedora-all [bug 1906109]

Created mingw-curl tracking bugs for this issue:
Affects: fedora-all [bug 1906115]
Acknowledgments: Name: Varnavas Papaioannou
Upstream commit: https://github.com/curl/curl/commit/ec9cc725d598ac

It changes the defaults to enable CURLOPT_FTP_SKIP_PASV_IP / --ftp-skip-pasv-ip by default.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1610 https://access.redhat.com/errata/RHSA-2021:1610
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8284
This issue has been addressed in the following products: JBoss Core Services Apache HTTP Server 2.4.37 SP8 Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472