Bug 962983 (CVE-2016-0755) - VUL-0: CVE-2016-0755: curl: libcurl NTLM credentials not-checked for proxy connection re-use
Summary: VUL-0: CVE-2016-0755: curl: libcurl NTLM credentials not-checked for proxy co...
Status: RESOLVED FIXED
Alias: CVE-2016-0755
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Deadline: 2016-02-04
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2016-0755:2.1:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-21 12:00 UTC by Johannes Segitz
Modified: 2017-06-16 12:06 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Proposed patch (5.32 KB, patch)
2016-01-21 12:00 UTC, Johannes Segitz 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2016-01-21 12:00:27 UTC 
Created attachment 662660 [details]
Proposed patch

NTLM credentials not-checked for proxy connection re-use
========================================================

Project cURL Security Advisory, January 27th 2016 -
[Permalink](http://curl.haxx.se/docs/adv_20160127A.html)

VULNERABILITY
-------------

libcurl will reuse NTLM-authenticated proxy connections without properly
making sure that the connection was authenticated with the same credentials as
set for this transfer.

libcurl maintains a pool of connections after a transfer has completed. The
pool of connections is then gone through when a new transfer is requested and
if there's a live connection available that can be reused, it is preferred
instead of creating a new one.

Since NTLM-based authentication is *connection oriented* instead of *request
oriented* as other HTTP based authentication, it is important that only
connections that have been authenticated with the correct username + password
is reused. This was done properly for server connections already, but libcurl
failed to do it properly for proxy connections using NTLM.

A libcurl application can easily switch user credentials used for a proxy
connection between two requests, and that subsequent transfer then MUST make
libcurl use another connection. libcurl previously failed to do so.

The effects of this flaw, is that the application could be reusing a proxy
connection using the previously used credentials and thus it could be given to
or prevented access from resources that it wasn't intended to.

We are not aware of any exploit of this flaw.

INFO
----

This flaw can also affect the curl command line tool if a similar operation
series is made with that.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-XXXX-XXXX to this issue.

AFFECTED VERSIONS
-----------------

This flaw is relevant for

- Affected versions: libcurl 7.10.7 to and including 7.46.0
- Not affected versions: libcurl < 7.10.7 and libcurl >= 7.47.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.47.0, libcurl properly verifies the credentials for NTLM proxies
and only reuses a connection if there there is a match.

A patch for this problem that changes the default is available at (this URL
will be changed in the final advisory):

     http://curl.haxx.se/proxy-ntlm-reuse.patch

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.47.0

  B - Apply the patch to your version and rebuild

  C - Avoid NTLM with proxies, or if you use NTLM with proxies, make sure you
      close all the libcurl handles if you ever change proxy credentials so that
      libcurl won't get a change to reuse the wrong connection.

TIME LINE
---------
It was first reported to the curl project on January 13 2016. We contacted
distros@openwall on January 21.

libcurl 7.47.0 was released on January 27 2016, coordinated with the
publication of this advisory.

CREDITS
-------

Reported and patched by Isaac Boukris.
Comment 1 Johannes Segitz 2016-01-21 12:00:54 UTC 
CRD: 2016-01-27
Comment 2 Swamp Workflow Management 2016-01-21 12:34:52 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-02-04.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62461
Comment 4 Andreas Stieger 2016-01-21 15:18:43 UTC 
It is probably worth mentioning that this is somewhat similar to
CVE-2014-0015 which was the same problem but with non-proxy connections.
http://curl.haxx.se/docs/adv_20140129.html
http://curl.haxx.se/mail/lib-2014-01/0046.html
https://github.com/bagder/curl/commit/8ae35102c43d8d
Comment 7 Andreas Stieger 2016-01-27 12:42:47 UTC 
Is public at http://curl.haxx.se/docs/adv_20160127A.html
Please submit for openSUSE as well.
Comment 8 Bernhard Wiedemann 2016-01-27 15:00:27 UTC 
This is an autogenerated message for OBS integration:
This bug (962983) was mentioned in
https://build.opensuse.org/request/show/356293 Factory / curl
Comment 9 Bernhard Wiedemann 2016-01-27 17:00:15 UTC 
This is an autogenerated message for OBS integration:
This bug (962983) was mentioned in
https://build.opensuse.org/request/show/356319 13.2 / curl
Comment 13 Swamp Workflow Management 2016-02-04 18:18:19 UTC 
SUSE-SU-2016:0340-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 934333,936676,962983,962996
CVE References: CVE-2016-0755
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    curl-7.37.0-18.1
SUSE Linux Enterprise Software Development Kit 12 (src):    curl-7.37.0-18.1
SUSE Linux Enterprise Server 12-SP1 (src):    curl-7.37.0-18.1
SUSE Linux Enterprise Server 12 (src):    curl-7.37.0-18.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    curl-7.37.0-18.1
SUSE Linux Enterprise Desktop 12 (src):    curl-7.37.0-18.1
Comment 14 Swamp Workflow Management 2016-02-05 17:12:38 UTC 
SUSE-SU-2016:0347-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 926511,962983,962996
CVE References: CVE-2016-0755
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.19.7-1.46.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    curl-7.19.7-1.46.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    curl-7.19.7-1.46.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.19.7-1.46.1
SUSE Linux Enterprise Server 11-SP3 (src):    curl-7.19.7-1.46.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    curl-7.19.7-1.46.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    curl-7.19.7-1.46.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.19.7-1.46.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    curl-7.19.7-1.46.1
Comment 15 Swamp Workflow Management 2016-02-07 19:11:39 UTC 
openSUSE-SU-2016:0360-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 934333,936676,962983,962996
CVE References: CVE-2016-0755
Sources used:
openSUSE Leap 42.1 (src):    curl-7.37.0-7.1
Comment 16 Swamp Workflow Management 2016-02-07 19:18:55 UTC 
openSUSE-SU-2016:0373-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 962983,962996
CVE References: CVE-2016-0755
Sources used:
openSUSE 13.2 (src):    curl-7.42.1-19.1
Comment 17 Swamp Workflow Management 2016-02-08 13:11:30 UTC 
openSUSE-SU-2016:0376-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 962983,962996
CVE References: CVE-2016-0755
Sources used:
openSUSE 13.1 (src):    curl-7.42.1-2.50.1
Comment 18 Marcus Meissner 2016-02-10 07:15:20 UTC 
released