CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
80.5%
Issue Overview:
A flaw was found in libcurl from versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl’s multi API, and sets the CURLOPT_CONNECT_ONLY
option, might experience libcurl using the wrong connection. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-8231)
A malicious server can use the PASV
response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. If curl operates on a URL provided by a user, a user can exploit that and pass in a URL to a malicious FTP server instance without needing any server breach to perform the attack. (CVE-2020-8284)
Libcurl offers a wildcard matching functionality, which allows a callback (set with CURLOPT_CHUNK_BGN_FUNCTION
) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns CURL_CHUNK_BGN_FUNC_SKIP
, to tell libcurl to not deal with that file, the internal function in libcurl then calls itself recursively to handle the next directory entry. If there’s a sufficient amount of file entries and if the callback returns “skip” enough number of times, libcurl runs out of stack space. The exact amount will of course vary with platforms, compilers and other environmental factors. (CVE-2020-8285)
Libcurl offers “OCSP stapling” via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-status using the curl tool. As part of the OCSP response verification, a client should verify that the response is indeed set out for the correct certificate. This step was not performed by libcurl when built or told to use OpenSSL as TLS backend. (CVE-2020-8286)
Affected Packages:
curl
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update curl to update your system.
New Packages:
aarch64:
curl-7.76.1-4.amzn2.0.1.aarch64
libcurl-7.76.1-4.amzn2.0.1.aarch64
libcurl-devel-7.76.1-4.amzn2.0.1.aarch64
curl-debuginfo-7.76.1-4.amzn2.0.1.aarch64
i686:
curl-7.76.1-4.amzn2.0.1.i686
libcurl-7.76.1-4.amzn2.0.1.i686
libcurl-devel-7.76.1-4.amzn2.0.1.i686
curl-debuginfo-7.76.1-4.amzn2.0.1.i686
src:
curl-7.76.1-4.amzn2.0.1.src
x86_64:
curl-7.76.1-4.amzn2.0.1.x86_64
libcurl-7.76.1-4.amzn2.0.1.x86_64
libcurl-devel-7.76.1-4.amzn2.0.1.x86_64
curl-debuginfo-7.76.1-4.amzn2.0.1.x86_64
Red Hat: CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286
Mitre: CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | curl | < 7.76.1-4.amzn2.0.1 | curl-7.76.1-4.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | libcurl | < 7.76.1-4.amzn2.0.1 | libcurl-7.76.1-4.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | libcurl-devel | < 7.76.1-4.amzn2.0.1 | libcurl-devel-7.76.1-4.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | curl-debuginfo | < 7.76.1-4.amzn2.0.1 | curl-debuginfo-7.76.1-4.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | i686 | curl | < 7.76.1-4.amzn2.0.1 | curl-7.76.1-4.amzn2.0.1.i686.rpm |
Amazon Linux | 2 | i686 | libcurl | < 7.76.1-4.amzn2.0.1 | libcurl-7.76.1-4.amzn2.0.1.i686.rpm |
Amazon Linux | 2 | i686 | libcurl-devel | < 7.76.1-4.amzn2.0.1 | libcurl-devel-7.76.1-4.amzn2.0.1.i686.rpm |
Amazon Linux | 2 | i686 | curl-debuginfo | < 7.76.1-4.amzn2.0.1 | curl-debuginfo-7.76.1-4.amzn2.0.1.i686.rpm |
Amazon Linux | 2 | x86_64 | curl | < 7.76.1-4.amzn2.0.1 | curl-7.76.1-4.amzn2.0.1.x86_64.rpm |
Amazon Linux | 2 | x86_64 | libcurl | < 7.76.1-4.amzn2.0.1 | libcurl-7.76.1-4.amzn2.0.1.x86_64.rpm |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
80.5%