CVE-2023-27536

Vulnerability

An authentication bypass vulnerability exists in libcurl versions prior to 8.0.0. The connection reuse feature fails to verify changes to the CURLOPT_GSSAPI_DELEGATION option when reusing previously established connections. This flaw specifically affects transfers using krb5, Kerberos, Negotiate, or GSSAPI authentication mechanisms. If an application changes the delegation option between requests on the same connection, libcurl may reuse the connection with incorrect user permissions, bypassing intended authentication checks [1][2].

Exploitation

An attacker would need to be in a position where they can influence the connection reuse behavior of an application using libcurl with GSSAPI/Kerberos. The attack requires that the application changes the CURLOPT_GSSAPI_DELEGATION setting between successive requests on the same connection. No user interaction is required beyond normal application usage. The vulnerability can be triggered without any special network position if the attacker can control or coerce the application into altering the delegation option while reusing connections [1].

Impact

Successful exploitation could allow an attacker to bypass authentication mechanisms, potentially gaining unauthorized access to sensitive information or operations that should have been protected by the intended delegation restrictions. The impact is primarily on confidentiality and integrity, as the attacker may impersonate a different delegation level than intended [1].

Mitigation

Users should upgrade to libcurl version 8.0.0 or later, which includes the fix. The safest workaround is to disable connection reuse when changing CURLOPT_GSSAPI_DELEGATION between requests. Gentoo has released an updated package (>=net-misc/curl-8.3.0-r2) as part of GLSA 202310-12 [2]. No other workarounds are documented in the available references.