
CVE-2021-22947: When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using...

CVSS Score (v3.1)
5.9

Basic Information

EPSS Score
0.31465%
Published
5/24/2022
Updated
4/7/2024
KEV Status
No
Technology
-

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Vulnerability Intelligence

Root Cause Analysis

The vulnerability (CVE-2021-22947) in curl allowed a Man-In-The-Middle (MITM) attacker to inject responses during STARTTLS negotiation for IMAP, POP3, SMTP, and FTP. curl would cache these responses before the TLS handshake and then trust them after the handshake, as if they had been received over the authenticated channel. The fix, identified in commit 8ef147c43646e91, adds a check to the respective protocol state machines (ftp_statemachine, imap_state_starttls_resp, pop3_state_starttls_resp, smtp_state_starttls_resp). After the STARTTLS response has been read, the check tests whether any data remains in the protocol's pingpong cache (pp->cache_size). If cached data exists, it is a pipelined response sent before the TLS upgrade, and curl now returns an error (CURLE_WEIRD_SERVER_REPLY) instead of carrying those untrusted, cached responses across the handshake. The vulnerable functions are these state handlers which, prior to the patch, would have processed the cached responses as if they were authenticated.
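The following is an added illustration of the check described above, written for this page; it is not curl's code. The structure and function names (pingpong, cache_size, pop3_starttls_resp, TLS_WEIRD_SERVER_REPLY) are simplified stand-ins that mirror the identifiers named in the analysis, and the server output is constructed, not captured traffic. It models one protocol (POP3) but the same rule applies to the IMAP, SMTP and FTP handlers: once the STARTTLS reply has been consumed, any bytes still in the receive cache were sent in the clear and must not survive the upgrade.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model of the CVE-2021-22947 fix (not curl's code). */

#define CACHE_MAX 512

enum tls_result {
    TLS_UPGRADE_OK = 0,          /* safe to start the TLS handshake       */
    TLS_WEIRD_SERVER_REPLY = 1,  /* stand-in for CURLE_WEIRD_SERVER_REPLY  */
    TLS_STARTTLS_REFUSED = 2     /* server answered STARTTLS negatively   */
};

/* Minimal receive buffer: bytes read from the socket but not yet consumed. */
struct pingpong {
    char cache[CACHE_MAX];
    size_t cache_size;
};

static void pp_init(struct pingpong *pp)
{
    memset(pp, 0, sizeof(*pp));
}

/* Append raw bytes "from the wire" to the cache (truncates if full). */
static void pp_feed(struct pingpong *pp, const char *data, size_t len)
{
    size_t room = CACHE_MAX - pp->cache_size;
    if (len > room)
        len = room;
    memcpy(pp->cache + pp->cache_size, data, len);
    pp->cache_size += len;
}

/* Pop one CRLF-terminated line from the cache; returns 1 on success,
 * 0 if no complete line is available yet. Remaining bytes stay cached. */
static int pp_readline(struct pingpong *pp, char *line, size_t linemax)
{
    size_t n, linelen, copy, consumed;

    /* the cache is not NUL-terminated, so scan only cache_size bytes */
    for (n = 0; n + 1 < pp->cache_size; n++)
        if (pp->cache[n] == '\r' && pp->cache[n + 1] == '\n')
            break;
    if (n + 1 >= pp->cache_size)
        return 0;

    linelen = n;
    copy = linelen < linemax - 1 ? linelen : linemax - 1;
    memcpy(line, pp->cache, copy);
    line[copy] = '\0';

    consumed = linelen + 2;                 /* line plus CRLF */
    memmove(pp->cache, pp->cache + consumed, pp->cache_size - consumed);
    pp->cache_size -= consumed;
    return 1;
}

/* POP3-style STARTTLS response handler. With the fix applied, any bytes
 * still in the cache after the "+OK" line are a pipelined reply that
 * arrived before the upgrade and cannot be trusted: abort the session. */
static enum tls_result pop3_starttls_resp(struct pingpong *pp,
                                          const char *line, int apply_fix)
{
    if (strncmp(line, "+OK", 3) != 0)
        return TLS_STARTTLS_REFUSED;
    if (apply_fix && pp->cache_size > 0)
        return TLS_WEIRD_SERVER_REPLY;
    return TLS_UPGRADE_OK;
}

/* Drive one exchange: feed the server's bytes, read the STARTTLS reply,
 * and decide whether the TLS handshake may proceed. */
static enum tls_result negotiate_starttls(const char *wire, int apply_fix)
{
    struct pingpong pp;
    char line[128];

    pp_init(&pp);
    pp_feed(&pp, wire, strlen(wire));
    if (!pp_readline(&pp, line, sizeof line))
        return TLS_WEIRD_SERVER_REPLY;      /* no complete reply line */
    return pop3_starttls_resp(&pp, line, apply_fix);
}

int main(void)
{
    /* Constructed sample server output, not captured traffic. */
    const char *clean = "+OK Begin TLS negotiation\r\n";
    const char *pipelined = "+OK Begin TLS negotiation\r\n+OK second reply\r\n";

    printf("clean, fixed:       %d\n", negotiate_starttls(clean, 1));
    printf("pipelined, unfixed: %d\n", negotiate_starttls(pipelined, 0));
    printf("pipelined, fixed:   %d\n", negotiate_starttls(pipelined, 1));
    return 0;
}
```

The apply_fix flag is only there to contrast the two behaviours: without it, the extra line stays cached and would be the first thing read after the handshake; with it, the non-empty cache is detected while the connection is still known to be plaintext and the session is aborted.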


WAF Protection Rules

WAF Rule

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not
