Cybersecurity specialists reported the detection of at least five critical vulnerabilities in cURL, a software project consisting of a library and a file transfer-oriented shell. According to the report, successful exploitation of these flaws would allow access to confidential information.
Below are brief descriptions of the flaws detected, in addition to their respective tracking keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-22923: Insufficient credential protection in the affected application allows remote threat actors to gain access to sensitive information stored on the affected system.
The flaw received a CVSS score of 6.5/10 and its successful exploitation would allow threat actors to compromise the target system completely.
CVE-2021-22924: Some errors in logic were detected when the configuration matching function does not consider the “issuer certificate”, comparing the paths involved without case sensitivity.
The vulnerability received a score of 4.6/10 and its successful exploitation would allow remote hackers to gain access to sensitive information on the target system.
CVE-2021-22926: A bug in combining the CURLOPT_SSLCERT option with the secure transport of the TLS library would allow remote threat actors to create a file name with the same name that the application wants to use, tricking the target application into using the file-based certificate and forcing libcurl to send incorrect certificates in the TLS handshake process.
This flaw received a CVSS score of 5.7/10 and its successful exploitation could result in the total compromise of the affected system.
CVE-2021-22925: Using an uninitialized variable in compromised code would allow remote threat actors to force an arbitrary connection between the affected application and a malicious server, allowing hackers to read fragments of uninitialized memory on the libcurl client system.
This is a medium severity flaw that received a CVSS score of 4.1/10.
CVE-2021-22922: Insufficient validation of user-provided XML input would allow a remote attacker to pass specially crafted XML to the affected application and view the contents of arbitrary files on the system.
The flaw received a CVSS score of 4.6/10 and its successful exploitation would allow hackers to completely compromise the affected systems.
All reported flaws reside in the following versions of cURL: 7.7.1, 7.7.2, 7.7.3, 7.27.0, 7.28.0, 7.28.1, 7.29.0, 7.30.0, 7.31.0, 7.32.0, 7.33.0, 7.34.0, 7.35.0, 7.36.0, 7.37.0, 7.37.1, 7.38.0, 7.39.0, 7.40.0, 7.41.0, 7.42.0, 7.42.1, 7.43.0, 7.44.0, 7.45.0, 7.46.0, 7.47.0, 7.47.1, 7.48.0, 7.49.0, 7.49.1, 7.50.0, 7.50.1, 7.50.2, 7.50.3, 7.51.0, 7.52.0, 7.52.1, 7.53.0, 7.53.1, 7.54.0, 7.54.1, 7.55.0, 7.55.1, 7.56.0, 7.56.1, 7.57.0, 7.58.0, 7.59.0, 7.60.0, 7.61.0, 7.61.1, 7.62.0, 7.63.0, 7.64.0, 7.64.1, 7.65.0, 7.65.1, 7.65.2, 7.65.3, 7.66.0, 7.67.0, 7.68.0, 7.69.0, 7.69.1, 7.70.0, 7.71.0, 7.71.1, 7.72.0, 7.73.0, 7.74.0, 7.75.0, 7.76.0, 7.76.1 and 7.77.0.
The flaws could be exploited by unauthenticated threat actors, although so far no exploit attempts have been detected in real scenarios or the existence of a malware variant associated with the attack.
Security patches are now available, so users of affected deployments are encouraged to update as soon as possible. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.