Bug 1964887 (CVE-2021-22898) - CVE-2021-22898 curl: TELNET stack contents disclosure
Summary: CVE-2021-22898 curl: TELNET stack contents disclosure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22898
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1971264 1971265 1971270 1964913 1964923 1964924 1970905 1970906 1971266 1971267 1971268 1971269
Blocks: 1964912
Reported: 2021-05-26 09:35 UTC by msiddiqu
Modified: 2022-04-17 21:25 UTC

Fixed In Version: curl 7.77.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way curl handled the telnet protocol option for sending environment variables, which could lead to uninitialized data from a stack-based buffer being sent to the server. This issue potentially reveals sensitive internal information to the server over a clear-text network protocol.
Clone Of:
Environment:
Last Closed: 2021-11-09 22:54:01 UTC


Links
System ID: Red Hat Product Errata RHSA-2021:4511; Private: None; Priority: None; Status: None; Summary: None; Last Updated: 2021-11-09 19:02:43 UTC

Description msiddiqu 2021-05-26 09:35:42 UTC
A vulnerability was found in curl where, due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack-based buffer to the server. This could potentially reveal sensitive internal information to the server over a clear-text network protocol.

Comment 3 Tomas Hoger 2021-05-26 11:05:58 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1964923]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1964924]

Comment 4 Tomas Hoger 2021-06-10 21:02:41 UTC
This issue can only be triggered when curl is using the telnet protocol.  It also requires that curl is configured (using the -t / --telnet-option command line option for the curl command line tool, or using the libcurl library's CURLOPT_TELNETOPTIONS option) to send the NEW_ENV telnet option with a long (more than 127 characters) environment variable name or value.  If the server requests that curl send environment variables during the telnet connection handshake, a limited amount of curl's stack memory is included in the response sent to the server.  A telnet server cannot trigger this flaw without this required curl configuration.  In affected configurations, the leak is triggered by a non-malicious telnet server; it is sufficient for the server to ask the client to send environment variables.

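The two conditions from comment 4 (an unfixed curl and a NEW_ENV option whose name or value exceeds 127 characters) can be turned into a configuration check. The following is an added example, not code from the bug report or from the curl project; it assumes telnet options are given in curl's -t "NEW_ENV=<var,val>" syntax, matches the option name case-insensitively (an assumption), and takes the fixed release 7.77.0 from the "Fixed In Version" field above.

```python
# Added example (not from the bug report or the curl project): flag telnet
# NEW_ENV options whose variable name or value exceeds 127 characters on curl
# builds older than the fixed release 7.77.0. Option strings follow the
# curl -t/--telnet-option syntax "NEW_ENV=<var,val>".
from typing import List, Tuple

FIXED_VERSION = (7, 77, 0)   # "Fixed In Version: curl 7.77.0"
MAX_SAFE_LEN = 127           # names/values longer than this trigger the leak


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'curl 7.61.1' or '7.29.0' into a comparable tuple of ints.
    Numeric tuples avoid the 7.7 vs 7.77 confusion from comment 9/10."""
    digits = text.split()[-1]
    return tuple(int(p) for p in digits.split("."))


def is_fixed(version: str) -> bool:
    """True when the build already carries the 7.77.0 fix."""
    return parse_version(version) >= FIXED_VERSION


def oversized_new_env(telnet_options: List[str]) -> List[str]:
    """Return the NEW_ENV options whose name or value is longer than 127 chars."""
    hits = []
    for opt in telnet_options:
        key, sep, rest = opt.partition("=")
        # Case-insensitive match is an assumption of this example.
        if not sep or key.strip().upper() != "NEW_ENV":
            continue  # TTYPE, XDISPLOC etc. are not involved in this flaw
        name, _, value = rest.partition(",")
        if len(name) > MAX_SAFE_LEN or len(value) > MAX_SAFE_LEN:
            hits.append(opt)
    return hits


def affected(version: str, telnet_options: List[str]) -> bool:
    """Both conditions from comment 4 must hold: an unfixed curl and at least
    one oversized NEW_ENV option. A server alone cannot trigger the leak."""
    return not is_fixed(version) and bool(oversized_new_env(telnet_options))


if __name__ == "__main__":
    # Constructed sample: one short and one 200-character NEW_ENV value.
    opts = ["TTYPE=xterm", "NEW_ENV=USER,alice", "NEW_ENV=PATH," + "x" * 200]
    for v in ("curl 7.61.1", "curl 7.77.0"):
        print(v, "affected:", affected(v, opts), "hits:", oversized_new_env(opts))
```
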
Comment 5 Tomas Hoger 2021-06-10 21:03:08 UTC
HackerOne report:

https://hackerone.com/reports/1176461

Comment 9 Michael Johnson 2021-07-09 18:48:08 UTC
@thoger I'm seeing that all of our curl versions are < 7.7. Is this CVE relevant to us?

Comment 10 Tomas Hoger 2021-07-12 08:28:59 UTC
(In reply to Michael Johnson from comment #9)
> I'm seeing that all of our curl versions are < 7.7.

Versions such as 7.61.1 (RHEL-8), 7.29.0 (RHEL-7), 7.19.7 (RHEL-6), and 7.15.5 (RHEL-5) are all > 7.7.  Do not confuse 7.7 with 7.70 or 7.77.  7.7 was released back in 2001 - it's really ancient, and older versions are not likely to be used anywhere these days.

https://curl.se/changes.html#7_7

Comment 11 errata-xmlrpc 2021-11-09 19:02:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4511 https://access.redhat.com/errata/RHSA-2021:4511

Comment 12 Product Security DevOps Team 2021-11-09 22:53:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22898
