Bugzilla – Bug 927556
VUL-0: CVE-2015-3143: curl: Re-using authenticated connection when unauthenticated
Last modified: 2017-06-16 12:06:20 UTC
CVE-2015-3143
bugbot adjusting priority
Created attachment 631531 [details] CVE-2015-3143.patch CVE-2015-3143.patch
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-05-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61571
This is an autogenerated message for OBS integration: This bug (927556) was mentioned in https://build.opensuse.org/request/show/298499 13.2+13.1 / curl
Public via http://curl.haxx.se/docs/adv_20150422A.html Re-using authenticated connection when unauthenticated ====================================================== Project cURL Security Advisory, April 22nd 2015 - [Permalink](http://curl.haxx.se/docs/adv_20150422A.html) VULNERABILITY ------------- libcurl keeps a pool of its last few connections around after use to fascilitate easy, conventient and completely transparent connection re-use for applications. When doing HTTP requests NTLM authenticated, the entire connnection becomes authenticated and not just the specific HTTP request which is otherwise how HTTP works. This makes NTLM special and a subject for special treatment in the code. With NTLM, once the connection is authenticated, no further authentication is necessary until the connection gets closed. libcurl's connection re-use logic will select an existing connection for re-use when asked to do a request, and when asked to use NTLM libcurl have to pick a connection with matching credentials only. If a connection was first setup and used for an NTLM HTTP request with a specific set of credentials, that same connection could later wrongly get re-used in a subsequent HTTP request that was made to the same host - but without having any credentials set! Since an NTLM connection was already authenticated due to how NTLM works, the subsequent request could then get sent over the wrong connection appearing as the initial user. This problem is very similar to the previous problem known as [CVE-2014-0015](http://curl.haxx.se/docs/adv_20140129.html). The main difference this time is that the subsequent request that wrongly re-use a connection doesn't ask for NTLM authentication. We are not aware of any exploits of this flaw. INFO ---- This flaw can also affect the curl command line tool if a similar operation series is made with that. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-3143 to this issue. AFFECTED VERSIONS ----------------- - Affected versions: from libcurl 7.10.6 to and including 7.41.0 - Not affected versions: libcurl >= 7.42.0 libcurl is used by many applications, but not always advertised as such! THE SOLUTION ------------ libcurl 7.42.0 makes sure that a connection that is re-used also have to have a matching set of credentials if it would re-use a connection already using NTLM. A patch for this problem is available at: http://curl.haxx.se/CVE-2015-3143.patch RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade to curl and libcurl 7.42.0 B - Apply the patch and rebuild libcurl C - Avoid using NTLM with libcurl TIME LINE --------- It was first reported to the curl project on February 24 2015. We contacted distros@openwall on April 16th. libcurl 7.42.0 was released on April 22nd 2015, coordinated with the publication of this advisory. CREDITS ------- Reported by Paras Sethia Thanks a lot!
openSUSE-SU-2015:0799-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 927556,927607,927608,927746 CVE References: CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148 Sources used: openSUSE 13.2 (src): curl-7.42.0-7.1 openSUSE 13.1 (src): curl-7.42.0-2.38.1
Hello SUSE, ... is there an outlook when this update will be available on the maintweb for SLES 11 SP3 ...? I got this question from the field ... please advise. Thanks for your support.
(In reply to Hanns-Joachim Uhl from comment #17) > Hello SUSE, > ... is there an outlook when this update will be available > on the maintweb for SLES 11 SP3 ...? > I got this question from the field ... please advise. > Thanks for your support. QA currently estimated to complete on 28th.
SUSE-SU-2015:0962-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 927174,927556,927746,928533 CVE References: CVE-2015-3143,CVE-2015-3148,CVE-2015-3153 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): curl-7.19.7-1.42.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): curl-7.19.7-1.42.1 SUSE Linux Enterprise Server 11 SP3 (src): curl-7.19.7-1.42.1 SUSE Linux Enterprise Desktop 11 SP3 (src): curl-7.19.7-1.42.1
SUSE-SU-2015:0990-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 927556,927607,927608,927746,928533 CVE References: CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): curl-7.37.0-15.1 SUSE Linux Enterprise Server 12 (src): curl-7.37.0-15.1 SUSE Linux Enterprise Desktop 12 (src): curl-7.37.0-15.1
was released