[arch-security] [ASA-201602-3] curl: authentication bypass

Levente Polyak anthraxx at archlinux.org
Tue Feb 2 13:41:58 UTC 2016


Arch Linux Security Advisory ASA-201602-3
=========================================

Severity: Low
Date    : 2016-02-02
CVE-ID  : CVE-2016-0755
Package : curl
Type    : authentication bypass
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package curl before version 7.47.0-1 is vulnerable to authentication
bypass.

Resolution
==========

Upgrade to 7.47.0-1.

# pacman -Syu "curl>=7.47.0-1"

The problem has been fixed upstream in version 7.47.0.

Workaround
==========

None.

Description
===========

A vulnerability was found in the way libcurl uses NTLM-authenticated
proxy connections. libcurl will reuse NTLM-authenticated proxy
connections without properly making sure that the connection was
authenticated with the same credentials as set for this transfer.

Since NTLM-based authentication is connection oriented rather than
request oriented like other HTTP-based authentication, it is important
that only connections that have been authenticated with the correct
username + password are reused. This was done properly for server
connections already, but libcurl failed to do it properly for proxy
connections using NTLM, which might allow remote attackers to
authenticate as other users via a request.
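
The reuse check described above, as an added example that is not part of
the original advisory and is not libcurl's code: a simplified
connection-cache model in C in which every struct, field and function
name, and every sample host and credential, is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of a cached connection; all names are hypothetical. */
struct conn {
    const char *host;        /* origin server */
    const char *proxy;       /* proxy the connection goes through */
    bool proxy_ntlm;         /* proxy auth on this connection was NTLM */
    const char *proxy_user;  /* credentials the NTLM handshake used */
    const char *proxy_pass;
};

/* What a new transfer asks for when it looks for a connection to reuse. */
struct request { const char *host, *proxy, *proxy_user, *proxy_pass; };

/* Constructed sample cache: one connection that alice authenticated. */
static const struct conn cache[] = {
    { "intranet.example", "proxy.example", true, "alice", "alice-pw" },
};

/* NULL-safe string equality (two NULLs compare equal). */
static bool same(const char *a, const char *b)
{
    return (a && b) ? strcmp(a, b) == 0 : a == b;
}

/* Flawed matching: same host and proxy is enough, so a connection that
 * another user already authenticated with NTLM is handed out as-is. */
bool reusable_flawed(const struct conn *c, const struct request *r)
{
    return same(c->host, r->host) && same(c->proxy, r->proxy);
}

/* Corrected matching: an NTLM-authenticated proxy connection is bound to
 * the credentials that authenticated it, so they must match as well. */
bool reusable_fixed(const struct conn *c, const struct request *r)
{
    if (!reusable_flawed(c, r))
        return false;
    return !c->proxy_ntlm || (same(c->proxy_user, r->proxy_user) &&
                              same(c->proxy_pass, r->proxy_pass));
}

/* Return the first cached connection the matcher accepts, or NULL. */
const struct conn *find_conn(const struct request *r,
        bool (*match)(const struct conn *, const struct request *))
{
    for (size_t i = 0; i < sizeof cache / sizeof cache[0]; i++)
        if (match(&cache[i], r))
            return &cache[i];
    return NULL;
}
```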

Impact
======

A remote attacker is able to authenticate as other users via a request
without providing any NTLM credentials.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0755
http://curl.haxx.se/docs/adv_20160127A.html
