
CVE-2021-22901: curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed...

CVSS Score
8.1 (CVSS v3.1)

Basic Information

EPSS Score
0.50367%
Published
5/24/2022
Updated
3/27/2024
KEV Status
No
Technology
-

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability CVE-2021-22901 is a use-after-free in curl's OpenSSL backend, triggered when a TLS 1.3 session ticket arrives on a connection after the transfer that opened it has completed and been freed. Analysis of the fix commit 7f4a9a9b2a49547eae24d2e19bc5c346e9026479 reveals the following:

  1. Before the patch, ossl_connect_step1 in lib/vtls/openssl.c stored a pointer to the Curl_easy structure (the transfer object, referred to as data) in the SSL handle using SSL_set_ex_data, so that the transfer would be reachable from the ossl_new_session_cb callback.
  2. ossl_new_session_cb is the OpenSSL new-session callback. With TLS 1.3 the server sends session tickets after the handshake and may keep sending them for as long as the connection stays open; each ticket invokes the callback, which retrieved the stored Curl_easy pointer with SSL_get_ex_data.
  3. The two objects have different lifetimes: curl keeps a finished connection open in its connection cache for reuse, while the Curl_easy that drove the transfer may be freed as soon as the transfer completes. Nothing cleared the ex_data slot at that point, so a ticket arriving afterwards made ossl_new_session_cb dereference a dangling pointer: the use-after-free. A malicious server decides when tickets are sent and can therefore aim for this window.
  4. The patch mitigates this by:
     a. Moving the association logic out of ossl_connect_step1 into a new function ossl_associate_connection.
     b. Adding ossl_disassociate_connection, which clears the stored pointers by setting the ex_data slots in the SSL handle to NULL.
     c. Modifying Curl_detach_connnection (in lib/multi.c) to call Curl_ssl_detach_conn, which dispatches to ossl_disassociate_connection for the OpenSSL backend, so the pointers are cleared at the moment a transfer is detached from its connection, before the transfer can be freed. A ticket arriving later finds NULL in the slot and ossl_new_session_cb returns early instead of touching stale data.

ossl_connect_step1 (in its pre-patch state) is therefore the function that created the conditions for the use-after-free, by storing a pointer whose lifetime it could not guarantee, and ossl_new_session_cb is the function where the freed memory is actually used. The patch evidence for ossl_connect_step1 is the removal of its direct SSL_set_ex_data calls; for ossl_new_session_cb it is the comments accompanying the fix and the purpose of the newly added ossl_disassociate_connection, which exists to keep that callback from seeing stale data. For an exposure check: the flaw is present in curl 7.75.0 through 7.76.1 and fixed in 7.77.0, in builds that use the OpenSSL backend analysed here; the first line of `curl --version` prints both the curl version and the TLS library it was built against.
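As an added example, not code from curl or OpenSSL, the following C program models the lifetime mismatch described in points 1 to 4 and the effect of the fix. The ex_data slots, the transfer pool, MAGIC_LIVE/MAGIC_DEAD and all function names are stand-ins chosen for this illustration; the pool replaces malloc/free so the stale pointer can be inspected without the undefined behaviour a real heap read would have.

```c
#include <stddef.h>
#include <stdio.h>

#define DATA_IDX   0             /* stand-in for ossl_get_ssl_data_index() */
#define N_SLOTS    4
#define POOL_SIZE  4
#define MAGIC_LIVE 0x4c495645u   /* object in use */
#define MAGIC_DEAD 0x44454144u   /* object "freed" */

struct transfer {                /* stand-in for struct Curl_easy */
    unsigned magic;
    int tickets_seen;
};

struct ssl_handle {              /* stand-in for an SSL* plus its ex_data */
    void *ex_data[N_SLOTS];
};

/* A pool replaces malloc/free so a "freed" object stays inspectable; real
 * curl uses the heap, where the same read is a genuine use-after-free. */
static struct transfer pool[POOL_SIZE];

static struct transfer *transfer_new(void) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (pool[i].magic != MAGIC_LIVE) {
            pool[i].magic = MAGIC_LIVE;
            pool[i].tickets_seen = 0;
            return &pool[i];
        }
    }
    return NULL;
}

static void transfer_free(struct transfer *t) { t->magic = MAGIC_DEAD; }

/* Stand-ins for SSL_set_ex_data / SSL_get_ex_data. */
static void ssl_set_ex_data(struct ssl_handle *s, int idx, void *p) { s->ex_data[idx] = p; }
static void *ssl_get_ex_data(struct ssl_handle *s, int idx) { return s->ex_data[idx]; }

/* Pre-fix ossl_connect_step1: park the transfer pointer on the SSL handle
 * (the fix moves this into ossl_associate_connection, called on attach). */
static void connect_step1(struct ssl_handle *s, struct transfer *t) {
    ssl_set_ex_data(s, DATA_IDX, t);
}

/* The fix's ossl_disassociate_connection: clear the slot when the transfer
 * is detached from the connection, before the transfer can be freed. */
static void disassociate_connection(struct ssl_handle *s) {
    ssl_set_ex_data(s, DATA_IDX, NULL);
}

enum cb_result {
    CB_NO_TRANSFER = 0,   /* slot empty: callback bails out */
    CB_USED_LIVE,         /* slot points at a live transfer */
    CB_USED_DANGLING      /* slot points at a freed transfer: the UAF */
};

/* Stand-in for ossl_new_session_cb, run once per arriving session ticket. */
static enum cb_result new_session_cb(struct ssl_handle *s) {
    struct transfer *t = ssl_get_ex_data(s, DATA_IDX);
    if (!t)
        return CB_NO_TRANSFER;
    if (t->magic != MAGIC_LIVE)   /* real code cannot check this; it just reads */
        return CB_USED_DANGLING;
    t->tickets_seen++;
    return CB_USED_LIVE;
}

/* Vulnerable order: the transfer completes and is freed while the connection
 * (kept for reuse) and its ex_data live on; a late ticket hits the stale pointer. */
enum cb_result run_vulnerable(void) {
    struct ssl_handle ssl = { { NULL } };
    struct transfer *t = transfer_new();
    connect_step1(&ssl, t);
    new_session_cb(&ssl);          /* ticket during the transfer: fine */
    transfer_free(t);              /* transfer done and cleaned up */
    return new_session_cb(&ssl);   /* late ticket: CB_USED_DANGLING */
}

/* Fixed order: detach clears the slot first, so the late ticket is ignored. */
enum cb_result run_fixed(void) {
    struct ssl_handle ssl = { { NULL } };
    struct transfer *t = transfer_new();
    connect_step1(&ssl, t);
    new_session_cb(&ssl);
    disassociate_connection(&ssl);
    transfer_free(t);
    return new_session_cb(&ssl);   /* CB_NO_TRANSFER */
}

int main(void) {
    printf("vulnerable path: %d (2 = freed transfer used)\n", run_vulnerable());
    printf("fixed path:      %d (0 = no transfer attached)\n", run_fixed());
    return 0;
}
```

Build with `cc -Wall example.c`. To see the real failure mode rather than the pool's simulation, swap transfer_new/transfer_free for malloc/free and build with `-fsanitize=address`: the vulnerable path then reports a heap-use-after-free inside new_session_cb, while the fixed path runs clean because the slot is NULL by the time the late ticket is processed.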

Vulnerable functions

lib/vtls/openssl.c: ossl_connect_step1 (pre-patch, stores the transfer pointer in the SSL handle) and ossl_new_session_cb (dereferences it after the transfer may have been freed), as identified in the root cause analysis above.

WAF Protection Rules

WAF Rule

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potenti...

Note that this is a client-side bug triggered by a malicious or compromised server, so a WAF in front of your own servers does not protect curl-based clients; updating the client to curl 7.77.0 or later does.
