A recently discovered vulnerability, tracked as CVE-2023-23914, exists in curl versions below 7.88., leading to the potential disclosure of sensitive information. This vulnerability specifically relates to the ability for curl clients to bypass HSTS (HTTP Strict Transport Security) rules when making requests to multiple URLs on a single command line sequence, due to improper state management.

Details

HTTP Strict Transport Security (HSTS) is an essential security feature that helps protect clients against man-in-the-middle attacks by instructing the client to only use HTTPS connections for subsequent requests. With the affected curl versions, however, the HSTS mechanism surprisingly failed when multiple URLs are requested serially on the same command line, causing the client to use an insecure clear-text HTTP connection instead of HTTPS.

The root cause of this issue is the improper state management of the HSTS support in curl. When requesting multiple URLs in a single command line sequence, the HSTS state is expected to be properly carried on from one request to the next, enabling the client to automatically switch to HTTPS connections as needed. Unfortunately, with the affected curl versions, the HSTS state did not persist, leaving the connection vulnerable to potential attacks.

Here's a sample curl command that demonstrates the vulnerability

curl --hsts <hsts_file> "http://example.com"; "http://vulnerable.example";

In this example, even if the first request to "http://example.com" is successfully utilizing HSTS and upgrading the connection to HTTPS, the subsequent request to "http://vulnerable.example" would still use an insecure clear-text HTTP connection, ignoring the HSTS mechanism.

Exploit

Potential attackers who can intercept and manipulate network traffic between the curl client and an affected server could exploit this vulnerability by performing a man-in-the-middle attack. By intercepting the insecurely transmitted data, the attacker could gain access to sensitive information such as login credentials, session tokens, or user data.

Original References

The curl project has acknowledged this issue and has released a security advisory with more information about the vulnerability and affected versions:

- Curl Security Advisory

Additionally, the project has provided an update in the curl 7.88. release that addresses this vulnerability:

- curl 7.88. Release Notes

Mitigation

Users are urged to update their curl installations to version 7.88. or later to fix this vulnerability. The updated version properly carries the HSTS state between multiple requests on the same command line, ensuring that HTTPS connections are consistently used to comply with HSTS rules.

In conclusion, by upgrading to curl 7.88. or later, users can safely utilize HSTS support for all requests on a single command line sequence and avoid the risk of sending sensitive information over insecure clear-text HTTP connections.

Timeline

Published on: 02/23/2023 20:15:00 UTC
Last modified on: 03/09/2023 19:15:00 UTC