QID 352506

Date Published: 2021-08-11

QID 352506: Amazon Linux Security Advisory for curl: ALAS2-2021-1693

A flaw was found in libcurl from versions 7.29.0 through 7.71.1.
An application that performs multiple requests with libcurl's multi api, and sets the `curlopt_connect_only` option, might experience libcurl using the wrong connection.
The highest threat from this vulnerability is to data confidentiality. (
( CVE-2020-8231) a malicious server can use the `pasv` response to trick curl into connecting back to a given ip address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
If curl operates on a url provided by a user, a user can exploit that and pass in a url to a malicious ftp server instance without needing any server breach to perform the attack. (
( CVE-2020-8284) libcurl offers a wildcard matching functionality, which allows a callback (set with `curlopt_chunk_bgn_function`) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries.
When this callback returns `curl_chunk_bgn_func_skip`, to tell libcurl to not deal with that file, the internal function in libcurl then calls itself recursively to handle the next directory entry.
If there's a sufficient amount of file entries and if the callback returns "skip" enough number of times, libcurl runs out of stack space.
The exact amount will of course vary with platforms, compilers and other environmental factors. (
( CVE-2020-8285) libcurl offers "ocsp stapling" via the curlopt_ssl_verifystatus option.
When set, libcurl verifies the ocsp response that a server responds with as part of the tls handshake.
It then aborts the tls negotiation if something is wrong with the response.
The same feature can be enabled with --cert-status using the curl tool.
As part of the ocsp response verification, a client should verify that the response is indeed set out for the correct certificate.
This step was not performed by libcurl when built or told to use openssl as tls backend. (
( CVE-2020-8286)



Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.

  • CVSS V3 rated as High - 7.5 severity.
  • CVSS V2 rated as Medium - 5 severity.
    • Solution
    Please refer to Amazon advisory: ALAS2-2021-1693 for affected packages and patching details, or update with your package manager.
    Vendor References

    CVEs related to QID 352506

    CVE-2020-8231 | CVE-2020-8286 | CVE-2020-8284 | CVE-2020-8285 |
    Software Advisories
    Advisory ID Software Component Link
    ALAS2-2021-1693 Amazon Linux 2 URL Logo alas.aws.amazon.com/AL2/ALAS-2021-1693.html
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].