VYPR
Unrated severity · NVD Advisory · Published Mar 30, 2023 · Updated Jun 9, 2025

CVE-2023-27535

Description

An authentication bypass in libcurl <8.0.0 due to incomplete FTP connection reuse checks allows wrong credentials, risking unauthorized data access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The vulnerability resides in libcurl's FTP connection reuse feature. Before handing a pooled connection to a new transfer, libcurl compares a set of connection properties (host, port, login and others) to make sure the existing connection fits the transfer. The options CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL were missing from that comparison, so a connection was reused even when the new transfer asked for a different account string, a different alternative username, a different clear-command-channel mode or a different TLS level. Since these options change the effective identity or TLS state of the FTP session, the reused connection can be in a state the new transfer never requested. This affects libcurl versions prior to 8.0.0 [2].

Exploitation

An attacker who can influence the FTP options an application passes to libcurl (for example by controlling the URL, the account string or the TLS requirement of a later transfer) can cause a pooled connection to be handed to a transfer it does not fit. No authentication is required beyond the ability to trigger a transfer with particular settings, and no network position is needed if the attacker can steer the application's configuration. The sequence: the application authenticates an FTP connection with one set of these options; a later transfer to the same host and port, with a different CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC or CURLOPT_USE_SSL value, is given the existing connection and therefore runs under the session state established by the first transfer rather than the one it requested.
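The following is an added example, written for this page and not taken from libcurl's source, that models the gap described in the Vulnerability and Exploitation sections above. It reduces a connection-pool match to a small struct comparison: the "vulnerable" function checks only endpoint and login, as the advisory says pre-8.0.0 libcurl effectively did for these options, and the "fixed" function additionally requires the four FTP options to match. The struct name, the function names and the sample values (host, users, account strings) are assumptions made for the illustration; libcurl's real check is the more involved ConnectionExists() logic in lib/url.c.

```c
/*
 * Added example (editor's model, not libcurl source code): a minimal model of a
 * connection-pool match check for FTP. ftp_params, reuse_match_vulnerable and
 * reuse_match_fixed are names chosen for this illustration only.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Per-transfer settings that decide whether a pooled FTP connection fits. */
typedef struct {
    const char *host;
    int         port;
    const char *user;        /* CURLOPT_USERNAME */
    const char *passwd;      /* CURLOPT_PASSWORD */
    const char *account;     /* CURLOPT_FTP_ACCOUNT */
    const char *alt_to_user; /* CURLOPT_FTP_ALTERNATIVE_TO_USER */
    long        ssl_ccc;     /* CURLOPT_FTP_SSL_CCC */
    long        use_ssl;     /* CURLOPT_USE_SSL (CURLUSESSL_* level) */
} ftp_params;

/* NULL-safe string equality; NULL only equals NULL. */
static bool str_eq(const char *a, const char *b)
{
    if (!a || !b)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Endpoint and login must always match before a connection is reused. */
static bool endpoint_and_login_match(const ftp_params *pooled,
                                     const ftp_params *wanted)
{
    return str_eq(pooled->host, wanted->host) &&
           pooled->port == wanted->port &&
           str_eq(pooled->user, wanted->user) &&
           str_eq(pooled->passwd, wanted->passwd);
}

/* Pre-8.0.0 shape of the check: the four FTP options are never compared,
 * so a pooled connection is handed back even when they differ. */
bool reuse_match_vulnerable(const ftp_params *pooled, const ftp_params *wanted)
{
    return endpoint_and_login_match(pooled, wanted);
}

/* Post-fix shape of the check: the options that change the effective
 * identity or TLS state of the session must match as well. */
bool reuse_match_fixed(const ftp_params *pooled, const ftp_params *wanted)
{
    return endpoint_and_login_match(pooled, wanted) &&
           str_eq(pooled->account, wanted->account) &&
           str_eq(pooled->alt_to_user, wanted->alt_to_user) &&
           pooled->ssl_ccc == wanted->ssl_ccc &&
           pooled->use_ssl == wanted->use_ssl;
}

/* Constructed scenario: same host and login, but the second transfer supplies
 * a different ACCT string and asks for TLS on the whole session. Returns 1 if
 * the vulnerable check would reuse the connection while the fixed one refuses. */
int demo_mismatch_is_caught(void)
{
    ftp_params pooled = { "ftp.example.test", 21, "alice", "s3cret",
                          "acct-a", NULL, 0L, 0L /* CURLUSESSL_NONE */ };
    ftp_params wanted = pooled;
    wanted.account = "acct-b";
    wanted.use_ssl = 3L;   /* CURLUSESSL_ALL */

    bool vuln  = reuse_match_vulnerable(&pooled, &wanted);
    bool fixed = reuse_match_fixed(&pooled, &wanted);
    return (vuln && !fixed) ? 1 : 0;
}

int main(void)
{
    printf("vulnerable check reuses the mismatched connection while the fixed "
           "check refuses: %s\n", demo_mismatch_is_caught() ? "yes" : "no");
    return 0;
}
```

The point of the model is the shape of the fix rather than the exact libcurl code: every option that alters what a reused session can do has to be part of the reuse key, or the pool will silently hand a transfer a session that was authenticated or negotiated under different terms.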

Impact

Successful exploitation makes a transfer run with the wrong effective credentials or the wrong TLS state: a later transfer may act under the account the earlier transfer logged in with, or be carried over a connection that lacks the TLS protection it asked for (a differing CURLOPT_USE_SSL or CURLOPT_FTP_SSL_CCC setting). The primary impact is information disclosure; the reusing transfer can read and, where the server permits, write files with the privileges of the originally authenticated user.

Mitigation

The vulnerability is fixed in libcurl 8.0.0; upgrade to at least that version. For Gentoo, the fixed package is >=net-misc/curl-8.3.0-r2 [2]. No workaround is known [2]. If upgrading is not yet possible, two general libcurl measures (not taken from the advisory) remove the exposure: do not change CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC or CURLOPT_USE_SSL between transfers that share a connection pool, or set CURLOPT_FRESH_CONNECT to 1L on any transfer whose settings differ from the previous one so that libcurl opens a new connection instead of reusing a pooled one (CURLOPT_FORBID_REUSE on the earlier transfer has the same effect from the other side).

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
