Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 24 Jun 2019 07:46:14 +0200 (CEST)
From: Daniel Stenberg <daniel@...x.se>
To: curl security announcements -- curl users <curl-users@...l.haxx.se>,
        curl-announce@...l.haxx.se,
        libcurl hacking <curl-library@...l.haxx.se>,
        oss-security@...ts.openwall.com
Subject: curl: Windows OpenSSL engine code injection

Windows OpenSSL engine code injection
=====================================

Project curl Security Advisory, June 24th 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2019-5443.html)

VULNERABILITY
-------------

A non-privileged user or program can put code and a config file in a known
non-privileged path (under `C:/usr/local/`) that will make curl automatically
run the code (as an openssl "engine") on invocation. If that curl is invoked
by a privileged user it can do anything it wants.

This flaw exists in the official curl-for-windows binaries built and hosted by
the curl project (all versions up to and including 7.65.1_1). It **does not**
exist in the curl executable shipped by Microsoft, bundled with Windows 10. It
possibly exists in other curl builds for Windows too that uses OpenSSL.

The curl project has provided official curl executable builds for Windows
since [late August
2018](https://daniel.haxx.se/blog/2018/08/27/blessed-curl-builds-for-windows/).

There exists proof of concept exploits of this flaw.

INFO
----

This bug sneaked in partly due to insecure default build options in OpenSSL
when built cross-compiled and partly due to a misleading commit message in the
curl commit that made it possible to disable this feature.

This bug does not exist in the curl or libcurl source code but in the scripts
for the Windows build.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2019-5443 to this issue.

CWE-94: Code Injection

Severity: High

AFFECTED VERSIONS
-----------------

- Affected versions: all curl-for-windows downloads before **7.65.1_2**.

THE SOLUTION
------------

Replace your downloaded curl version on Windows with the updated download
package from the [curl site](https://curl.haxx.se/windows/).

The build fix for curl-for-win correcting this flaw is in [this
commit](https://github.com/curl/curl-for-win/commit/51b658a76594942cf1d6f227d8fc4732bb8ec277). It
completely disables curl's ability to load an OpenSSL config when invoked.

RECOMMENDATIONS
--------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade to a fixed curl executable

  B - Remove curl executable downloaded from curl.haxx.se and instead use the
      one shipped by Microsoft in Windows 10

TIMELINE
--------

The issue was reported to the curl project on June 12, 2019. The fix was done,
verified and communicated with the reporter on June 12, 2019.

While planning the release schedule of this advisory and coordinating with
other affected projects, we discovered that this exact flaw had already been
published and discussed in public before we were informed about it. A few
other OpenSSL-using projects on Windows also had already fixed their builds
for this exact problem. Realizing this, we switched gears and decided to
publish as soon as possible to minimize user impact.

curl 7.65.1_2 for Windows was uploaded and made available on June 21 2019 -
the older, vulnerable builds, were removed from the site at the same time.

This advisory was posted on June 24th 2019.

CREDITS
-------

Reported by Rich Mirch. OpenSSL patch by Viktor Szakats.

Thanks a lot!

-- 

  / daniel.haxx.se | Get the best commercial curl support there is - from me
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.