
CVE-2021-22897: curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a...

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.72382%
Published: 5/24/2022
Updated: 4/7/2024
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Intelligence

Root Cause Analysis

The vulnerability description clearly states that the issue was due to a 'static' variable used to store the selected cipher set in the code for CURLOPT_SSL_CIPHER_LIST when using the Schannel TLS library. The provided commit bbb71507b7bab52002f9b1e0880bed6a32834511 directly addresses this.

  1. File lib/vtls/schannel.c:
     • The function set_ssl_ciphers is modified. The key change is the removal of static ALG_ID algIds[45];. This static variable was the root cause of the vulnerability, as its contents were shared across different sessions/transfers.
     • The function signature of set_ssl_ciphers was changed from set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) to set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, int *algIds). This change allows algIds to be passed per call, rather than relying on a shared static variable.
     • The calling function schannel_connect_step1 was updated to pass BACKEND->algIds to the modified set_ssl_ciphers function.
  2. File lib/vtls/schannel.h:
     • The struct ssl_backend_data was modified to include ALG_ID algIds[NUMOF_CIPHERS];. This ensures that each SSL backend instance has its own storage for cipher IDs, which is then passed to set_ssl_ciphers.

The primary vulnerable function is set_ssl_ciphers because it contained the faulty static variable. The function schannel_connect_step1 is part of the exploitation path as it calls set_ssl_ciphers, but the vulnerability itself (the shared state) resided within set_ssl_ciphers.
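The shared-state problem described above, as an added C example that is not curl's code: a stand-in SCHANNEL_CRED, a constructed four-entry cipher table with sample ids, and the pre-fix and post-fix shapes of set_ssl_ciphers side by side, so that a second transfer's cipher list can be seen overwriting the first transfer's selection only in the static-array version.

```c
#include <string.h>
/* Stand-ins for the Windows types curl's schannel code uses; constructed for this example. */
typedef unsigned int ALG_ID;
typedef struct { ALG_ID *palgSupportedAlgs; unsigned long cSupportedAlgs; } SCHANNEL_CRED;
#define NUMOF_CIPHERS 4
/* Constructed name->id table; the ids are sample values, not Windows CALG_* constants. */
static const struct { const char *name; ALG_ID id; } cipher_table[NUMOF_CIPHERS] = {
    {"AES128", 1}, {"AES256", 2}, {"3DES", 3}, {"RC4", 4},
};

/* Parse a colon-separated cipher list into algIds; returns how many names matched. */
static unsigned long parse_ciphers(const char *ciphers, ALG_ID *algIds) {
    char buf[128] = {0};
    unsigned long n = 0;
    strncpy(buf, ciphers, sizeof(buf) - 1);
    for(char *tok = strtok(buf, ":"); tok && n < NUMOF_CIPHERS; tok = strtok(NULL, ":"))
        for(int i = 0; i < NUMOF_CIPHERS; i++)
            if(!strcmp(tok, cipher_table[i].name))
                algIds[n++] = cipher_table[i].id;
    return n;
}
/* Pre-fix shape: one static array, so every transfer's credentials point at the same storage. */
static void set_ssl_ciphers_shared(SCHANNEL_CRED *cred, const char *ciphers) {
    static ALG_ID algIds[NUMOF_CIPHERS];
    cred->cSupportedAlgs = parse_ciphers(ciphers, algIds);
    cred->palgSupportedAlgs = algIds;
}
/* Post-fix shape: the caller passes its own per-backend storage (BACKEND->algIds). */
struct ssl_backend_data { ALG_ID algIds[NUMOF_CIPHERS]; };
static void set_ssl_ciphers_fixed(SCHANNEL_CRED *cred, const char *ciphers, ALG_ID *algIds) {
    cred->cSupportedAlgs = parse_ciphers(ciphers, algIds);
    cred->palgSupportedAlgs = algIds;
}

/* Transfer A asks for AES256, then transfer B asks for RC4; return the id A's
 * credentials advertise afterwards: 4 (B's RC4) when shared, 2 when per-backend. */
ALG_ID first_transfer_cipher_shared(void) {
    SCHANNEL_CRED a = {0}, b = {0};
    set_ssl_ciphers_shared(&a, "AES256");
    set_ssl_ciphers_shared(&b, "RC4");
    return a.palgSupportedAlgs[0];
}
ALG_ID first_transfer_cipher_fixed(void) {
    struct ssl_backend_data ba = {{0}}, bb = {{0}};
    SCHANNEL_CRED a = {0}, b = {0};
    set_ssl_ciphers_fixed(&a, "AES256", ba.algIds);
    set_ssl_ciphers_fixed(&b, "RC4", bb.algIds);
    return a.palgSupportedAlgs[0];
}
```

The credentials structure only holds a pointer, so in the shared version transfer A keeps pointing at storage that transfer B has since rewritten; moving the array into ssl_backend_data gives each transfer its own copy.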

