CVE-2022-27781 is a denial-of-service vulnerability in libcurl, the data transfer library behind the curl tool and a great many applications. libcurl provides the CURLOPT_CERTINFO option so that an application can ask for details about the certificate chain a server presented. In libcurl builds that use NSS (Network Security Services) as their TLS backend, the code that walks that chain can be driven into a never-ending busy-loop by a malicious server, leaving the calling application spinning on a CPU core and never returning from the transfer.

This post describes the bug, the risk it carries, and the available mitigations. We also look at the loop in which the problem occurs and point to further sources of information.

Exploit Details

The vulnerability lies in how libcurl's NSS backend walks the server's certificate chain when CURLOPT_CERTINFO is set. The walk asks NSS for the issuer of each certificate in turn and has neither an iteration bound nor a cycle check, so a server that presents a chain in which the issuer lookups never reach a root certificate traps libcurl in an infinite loop, rendering the application unresponsive and burning CPU time.

Here is a simplified form of the chain-counting loop in display_conn_info() in lib/vtls/nss.c as it looked before the fix

  cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
  while(cert2) {
    i++;
    if(cert2->isRoot) {
      CERT_DestroyCertificate(cert2);
      break;
    }
    cert3 = CERT_FindCertIssuer(cert2, now, certUsageSSLCA);
    CERT_DestroyCertificate(cert2);
    cert2 = cert3;
  }

The loop walks from the server's leaf certificate towards a root by asking NSS for each certificate's issuer, and the only exit condition is reaching a certificate whose isRoot flag is set. Nothing bounds the number of iterations and nothing notices that an issuer lookup has handed back a certificate already visited, so a server that presents a chain in which the issuer lookups never arrive at a root keeps libcurl spinning in this loop forever. The fix released in 7.83.1 (commit "nss: return error if seemingly stuck in a cert loop") adds an upper bound on the iteration count and fails the connection with CURLE_SSL_CERTPROBLEM when that bound is reached.

More information about the NSS function the loop relies on can be found in the official NSS documentation

- CERT_FindCertIssuer
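
The following is an added example and not curl's own code. It is a toy model of the issuer-chain walk described above, reduced to subject/issuer names, with find_issuer() standing in for NSS's CERT_FindCertIssuer(). It counts a well-formed chain the way the loop does, and shows what a chain whose issuer lookups never reach a root does to the walk: without a bound it never terminates, and with a cap like the one 7.83.1 introduced it returns an error instead. The sample chains are constructed, and the bound value is this example's own choice rather than curl's constant.

```c
/* Added example, not curl's code: a toy model of the issuer-chain walk in
 * libcurl's NSS backend. Certificates are reduced to subject/issuer names;
 * find_issuer() stands in for NSS's CERT_FindCertIssuer(). */
#include <stdio.h>
#include <string.h>

#define ISSUER_LOOKUP_BOUND 16   /* assumed cap; curl's own constant differs */
#define UNBOUNDED (-1)           /* pre-fix behaviour: no cap at all */

struct toy_cert {
    const char *subject;
    const char *issuer;
    int is_root;                 /* NSS sets isRoot for self-issued certs */
};

/* Stand-in for CERT_FindCertIssuer(): return the certificate whose subject
 * matches cert's issuer, or NULL when the chain is incomplete. */
static const struct toy_cert *find_issuer(const struct toy_cert *pool, size_t n,
                                          const struct toy_cert *cert)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(pool[i].subject, cert->issuer) == 0)
            return &pool[i];
    return NULL;
}

/* Count the chain from leaf to root the way display_conn_info() did.
 * With bound == UNBOUNDED this is the pre-fix loop and never returns on a
 * cyclic chain (do not call it that way on evil_pool). With a positive
 * bound it returns -1 once the bound is exceeded, which is the point where
 * the fixed code fails the connection with CURLE_SSL_CERTPROBLEM. */
int count_chain(const struct toy_cert *pool, size_t n,
                const struct toy_cert *leaf, int bound)
{
    int count = 1;
    const struct toy_cert *cur = leaf;
    while (!cur->is_root) {
        const struct toy_cert *issuer = find_issuer(pool, n, cur);
        if (!issuer)
            break;               /* incomplete chain: stop counting */
        count++;
        if (bound != UNBOUNDED && count > bound)
            return -1;           /* seemingly stuck in a cert loop */
        cur = issuer;
    }
    return count;
}

/* Constructed sample chains, not real certificates. */
static const struct toy_cert good_pool[] = {
    { "CN=www.example.test",        "CN=Example Intermediate CA", 0 },
    { "CN=Example Intermediate CA", "CN=Example Root CA",         0 },
    { "CN=Example Root CA",         "CN=Example Root CA",         1 },
};

static const struct toy_cert evil_pool[] = {
    { "CN=www.evil.test", "CN=Evil CA A", 0 },
    { "CN=Evil CA A",     "CN=Evil CA B", 0 },
    { "CN=Evil CA B",     "CN=Evil CA A", 0 },   /* A and B issue each other; no root */
};

int good_chain_length(void)
{
    return count_chain(good_pool, 3, &good_pool[0], ISSUER_LOOKUP_BOUND);
}

int evil_chain_length(void)
{
    return count_chain(evil_pool, 3, &evil_pool[0], ISSUER_LOOKUP_BOUND);
}

int main(void)
{
    printf("well-formed chain: %d certificates\n", good_chain_length());
    printf("cyclic chain: %d (bound hit, connection would be failed)\n",
           evil_chain_length());
    /* count_chain(evil_pool, 3, &evil_pool[0], UNBOUNDED) reproduces the
     * pre-fix behaviour: it never returns. */
    return 0;
}
```

An iteration cap is the cheapest fix and is what curl shipped; a walk that also remembers the certificates it has already visited would reject the cyclic chain on its first repeat rather than after the cap, at the cost of a small visited set.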

Affected Versions

libcurl versions 7.34.0 up to and including 7.83.0 are affected when built with NSS. Releases before 7.34.0 have no CERTINFO support in the NSS backend, and 7.83.1 contains the fix. Builds using any other TLS backend are not affected.

Potential Risks

The primary risk is that an application using libcurl built with NSS becomes unresponsive when it connects to a server that presents such a chain. Because libcurl is embedded in a large number of applications and platforms, a single malicious or compromised endpoint can take down many clients. Two conditions have to hold, however: the client must have CURLOPT_CERTINFO enabled, since the affected loop is never entered otherwise, and the attacker must control, or redirect the client to, the server it connects to.

The loop is a busy-loop, so an affected process also pins a CPU core for as long as it is left running, degrading other workloads on the same host.

To protect your applications from this vulnerability, there are several steps you can take

1. Update libcurl to 7.83.1 or later. The fix bounds the chain walk and fails the connection instead of looping. If you rely on a distribution package, check the distribution's own advisory for CVE-2022-27781, because backported fixes keep the old version number.
2. Alternatively, build libcurl against a different TLS backend such as OpenSSL or GnuTLS; the vulnerability is only present in the NSS backend. curl has since removed the NSS backend entirely, so a migration is worth planning regardless.
3. Only set CURLOPT_CERTINFO where the application actually consumes the certificate details, since the affected loop runs only when the option is enabled. Keep peer verification (CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST) on in any case; it is basic hygiene, but it is not what prevents this bug.
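
The following is an added example and not curl's code. It implements the first check a practitioner runs across a fleet: classify hosts from the first line of `curl --version` output, which names the libcurl version and the TLS backend it was built against, using the affected range above (7.34.0 up to and including 7.83.0, NSS backend). The sample lines are constructed in the shape stock builds print and are not captured from real hosts.

```c
/* Added example, not curl's code: classify hosts by the first line of
 * `curl --version` output, which looks like
 *   curl X.Y.Z (triplet) libcurl/X.Y.Z NSS/x.y zlib/... 
 * Affected range per the advisory: libcurl 7.34.0 to 7.83.0 inclusive,
 * built against NSS. Sample lines below are constructed. */
#include <stdio.h>
#include <string.h>

struct curl_ver { int major, minor, patch; };

/* Extract the "libcurl/X.Y.Z" token. Returns 0 on success, -1 if the line
 * carries no usable libcurl version. */
int parse_libcurl_version(const char *line, struct curl_ver *out)
{
    const char *p = strstr(line, "libcurl/");
    if (!p)
        return -1;
    p += strlen("libcurl/");
    out->patch = 0;                      /* "7.83" style strings have no patch */
    int n = sscanf(p, "%d.%d.%d", &out->major, &out->minor, &out->patch);
    return n >= 2 ? 0 : -1;
}

/* Three-way compare of v against M.m.p. */
static int ver_cmp(struct curl_ver v, int M, int m, int p)
{
    if (v.major != M) return v.major < M ? -1 : 1;
    if (v.minor != m) return v.minor < m ? -1 : 1;
    if (v.patch != p) return v.patch < p ? -1 : 1;
    return 0;
}

/* The NSS backend shows up as an "NSS/x.y" token. A MultiSSL build lists
 * every backend it was compiled with; there the active backend has to be
 * read from curl_version_info() in the application instead. */
int built_with_nss(const char *line)
{
    return strstr(line, " NSS/") != NULL;
}

/* 1 = affected, 0 = not affected, -1 = could not determine. */
int affected_by_cve_2022_27781(const char *line)
{
    struct curl_ver v;
    if (parse_libcurl_version(line, &v) != 0)
        return -1;
    if (!built_with_nss(line))
        return 0;
    if (ver_cmp(v, 7, 34, 0) < 0 || ver_cmp(v, 7, 83, 0) > 0)
        return 0;
    return 1;
}

/* Constructed sample lines, not captured from real hosts. */
const char SAMPLE_NSS_OLD[]   = "curl 7.79.1 (x86_64-redhat-linux-gnu) libcurl/7.79.1 NSS/3.67 zlib/1.2.11";
const char SAMPLE_NSS_FIXED[] = "curl 7.83.1 (x86_64-pc-linux-gnu) libcurl/7.83.1 NSS/3.79 zlib/1.2.12";
const char SAMPLE_OPENSSL[]   = "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11";
const char SAMPLE_NSS_PRE[]   = "curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7";

int main(void)
{
    const char *lines[] = { SAMPLE_NSS_OLD, SAMPLE_NSS_FIXED, SAMPLE_OPENSSL, SAMPLE_NSS_PRE };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%2d  %s\n", affected_by_cve_2022_27781(lines[i]), lines[i]);
    return 0;
}
```

A version string is only a first pass. Enterprise distributions ship a single libcurl version for years and backport security fixes into it, so a host reporting libcurl/7.79.1 with NSS may already be patched; confirm against the package changelog (for example `rpm -q --changelog curl | grep CVE-2022-27781` on RPM-based systems) or the distribution's advisory before treating it as vulnerable.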

Conclusion and Further Reading

CVE-2022-27781 is a denial-of-service vulnerability caused by an unbounded certificate-chain walk in libcurl built with NSS, reachable only when an application enables CURLOPT_CERTINFO. To prevent exploitation, update to libcurl 7.83.1 or later, or build libcurl against a different TLS backend.

For more information about this vulnerability, consult the following resources

- Official libcurl Security Advisory
- National Vulnerability Database Entry

Timeline

Published on: 06/02/2022 14:15:00 UTC
Last modified on: 08/29/2022 01:15:00 UTC