Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-B905DFF4-E227-11EA-B0EA-08002728F74C (CVE-2020-8231): curl -- expired pointer dereference vulnerability

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

FreeBSD: VID-B905DFF4-E227-11EA-B0EA-08002728F74C (CVE-2020-8231): curl -- expired pointer dereference vulnerability

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
08/19/2020
Created
08/21/2020
Added
08/20/2020
Modified
12/18/2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-B905DFF4-E227-11EA-B0EA-08002728F74C:

curl security problems:

CVE-2020-8231: wrong connect-only connection

An application that performs multiple requests with libcurl's multi API

and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances

experience that when subsequently using the setup connect-only transfer,

libcurl will pick and use the wrong connection - and instead pick

another one the application has created since then.

CURLOPT_CONNECT_ONLY is the option to tell libcurl to not perform an

actual transfer, only connect. When that operation is completed, libcurl

remembers which connection it used for that transfer and "easy handle".

It remembers the connection using a pointer to the internal connectdata

struct in memory.

If more transfers are then done with the same multi handle before the

connect-only connection is used, leading to the initial connect-only

connection to get closed (for example due to idle time-out) while also

new transfers (and connections) are setup, such a new connection might

end up getting the exact same memory address as the now closed

connect-only connection.

If after those operations, the application then wants to use the

original transfer's connect-only setup to for example use

curl_easy_send() to send raw data over that connection, libcurl could

erroneously find an existing connection still being alive at the address

it remembered since before even though this is now a new and different

connection.

The application could then accidentally send data over that connection

which wasn't at all intended for that recipient, entirely unknowingly.

Solution(s)

  • freebsd-upgrade-package-curl

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;