Bug 1902667 (CVE-2020-8284) - CVE-2020-8284 curl: FTP PASV command response can cause curl to connect to arbitrary host
Summary: CVE-2020-8284 curl: FTP PASV command response can cause curl to connect to ar...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8284
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1905121 1905122 1906115 1902875 1902876 1905120 1906109 1906111 1906113
Blocks: 1902669
TreeView+ depends on / blocked
 
Reported: 2020-11-30 10:54 UTC by Marian Rehak
Modified: 2021-07-09 15:43 UTC (History)
41 users (show)

See Also:
Fixed In Version: curl 7.74.0
Doc Type: If docs needed, set a value
Doc Text:
A malicious server can use the `PASV` response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. If curl operates on a URL provided by a user, a user can exploit that and pass in a URL to a malicious FTP server instance without needing any server breach to perform the attack.
Clone Of:
Environment:
Last Closed: 2021-05-18 20:37:25 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2471 0 None None None 2021-06-17 11:35:40 UTC
Red Hat Product Errata RHSA-2021:2472 0 None None None 2021-06-17 11:45:13 UTC

Description Marian Rehak 2020-11-30 10:54:24 UTC
A malicious server can use the `PASV` response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. If curl operates on a URL provided by a user (which by all means is an unwise setup), a user can exploit that and pass in a URL to a malicious FTP server instance without needing any server breach to perform the attack.

Comment 3 Todd Cullum 2020-11-30 21:41:44 UTC
Flaw summary:

The flaw is caused via the fact that by default, Extended Passive Mode (EPSV) FTP connections fallback to Passive Mode (PASV) in the event that EPSV is not supported. In PASV mode, the server replies to the FTP client with an IPv4 address and port[1], to which it should connect. In EPSV, only a port number is sent[2], hence the implementation of PASV is where the flaw lies. This flaw involves a malicious server sending a malicious IP in a PASV response, causing the FTP client (curl in this case), to connect to the malicious IP. The patch addresses this by skipping (not acting upon) the IPv4 address provided by the server in PASV mode by default as of curl 7.74.0.

The attack complexity for this is relatively high because the following constraints must be satisfied that may not be under attacker control:

A) A client attempts to connect to a malicious FTP server using curl
B) The client has not used `--ftp-skip-pasv-ip` or `CURLOPT_FTP_SKIP_PASV_IP`
C) The client is using a build of curl with FTP enabled

Additionally, such an attack would likely disclose some useful information to attackers as mentioned in Comment#0, but not full compromise of confidentiality.

1. https://tools.ietf.org/html/rfc1123#page-31
2. https://tools.ietf.org/html/rfc2428

Comment 6 Todd Cullum 2020-11-30 21:58:37 UTC
External References:

https://curl.se/docs/CVE-2020-8284.html

Comment 7 Todd Cullum 2020-11-30 22:30:43 UTC
Mitigation:

This flaw can be mitigated in curl as shipped with Red Hat Enterprise Linux and Red Hat Software Collections when using curl by passing the `--ftp-skip-pasv-ip` command line option to curl. For usage of libcurl, set `CURLOPT_FTP_SKIP_PASV_IP` to `1L`[1]. Note that these mitigations could cause problems in the uncommon instance that the server needs the client to connect back to an IP other than the control connection IP address.

1. https://curl.se/libcurl/c/CURLOPT_FTP_SKIP_PASV_IP.html

Comment 12 Guilherme de Almeida Suckevicz 2020-12-09 17:18:59 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1906113]


Created flickcurl tracking bugs for this issue:

Affects: epel-7 [bug 1906111]
Affects: fedora-all [bug 1906109]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1906115]

Comment 13 Todd Cullum 2020-12-09 18:50:42 UTC
Acknowledgments:

Name: Varnavas Papaioannou

Comment 14 Tomas Hoger 2021-04-07 08:02:20 UTC
Upstream commit:

https://github.com/curl/curl/commit/ec9cc725d598ac

It changes the defaults to enable CURLOPT_FTP_SKIP_PASV_IP / --ftp-skip-pasv-ip by default.

Comment 15 errata-xmlrpc 2021-05-18 13:40:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1610 https://access.redhat.com/errata/RHSA-2021:1610

Comment 16 Product Security DevOps Team 2021-05-18 20:37:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8284

Comment 17 errata-xmlrpc 2021-06-17 11:35:32 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

Comment 18 errata-xmlrpc 2021-06-17 11:45:01 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472


Note You need to log in before you can comment on or make changes to this bug.