CVE-2022-42916: Security Vulnerability in Curl, HSTS Check Bypassed to Use HTTP Instead of HTTPS

The recent vulnerability (CVE-2022-42916), affecting the curl version before 7.86., allows the HSTS check to be bypassed, leading to the use of HTTP even when HTTPS is available. In this post, we'll explore the nature of this security flaw, discuss the implications, and provide some guidance on how to mitigate the vulnerability.

Understanding CVE-2022-42916

Curl uses HSTS (HTTP Strict Transport Security) support to force the usage of HTTPS instead of the insecure HTTP protocol. When a URL is provided with HTTP, curl can still resort to using HTTPS if HSTS is enabled. However, for versions earlier than 7.86., this functionality can be bypassed if the host name in the given URL contains special IDN (Internationalized Domain Name) characters that need to be replaced with their ASCII counterparts.

For instance, by using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E, i.e., "."), an attacker can bypass the HSTS mechanism and force curl to use HTTP, potentially exposing sensitive information to third parties.

The earliest affected version of curl is 7.77., released on May 26, 2021. To check the version of curl currently being used, simply run the following command in a terminal or command prompt: curl --version.

Here is a simple code snippet showcasing the issue

# The attacker's malicious URL
URL="http://example。com"; # Note the use of U+3002 instead of U+002E

# Normal cURL with HSTS enforcement
curl --hsts "${URL}"

# cURL vulnerable to CVE-2022-42916
curl --hsts --idn "${URL}"

Official References

You can find more information about the vulnerability and the release notes for curl 7.86. in the following links:

- CVE-2022-42916: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42916
- Curl Release Notes: https://curl.haxx.se/changes.html

To protect against this vulnerability, follow these steps

- Update to the latest version of curl: It's always recommended to use the latest version of software to ensure security patches are applied. Upgrade to curl 7.86. or later to fix the CVE-2022-42916 vulnerability.
- Avoid using URLs with non-ASCII characters: To be safe, stick to URLs with standard ASCII characters. This will help minimize the risk of IDN-related issues including CVE-2022-42916.
- Enable HTTPS by default: Whenever possible, configure your applications to use HTTPS by default, reducing reliance on HSTS to enforce secure connections.

In conclusion, while CVE-2022-42916 represents a significant risk in the curl ecosystem, users can protect their systems and privacy by updating to the latest version and following best security practices. Stay vigilant and always update your software to the latest available versions to guard against potential vulnerabilities.

Timeline

Published on: 10/29/2022 02:15:00 UTC
Last modified on: 11/14/2022 15:16:00 UTC