SB2022100711 - Multiple vulnerabilities in IBM Spectrum Copy Data Management
Published: October 7, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 secuirty vulnerabilities.
1) Incorrect Implementation of Authentication Algorithm (CVE-ID: CVE-2022-27782)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way libcurl handles previously used connections in a connection pool for subsequent transfers. Several TLS and SSH settings were left out from the configuration match checks, resulting in erroneous matches for different resources. As a result, libcurl can send authentication string from one resource to another, exposing credentials to a third-party.
2) Information disclosure (CVE-ID: CVE-2022-27774)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to curl attempts to follow redirects during authentication process and does not consider different port numbers or protocols to be separate authentication targets. If the web application performs redirection to a different port number of protocol, cURL will allow such redirection and will pass credentials. It could also leak the TLS SRP credentials this way.
By default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked to allow redirects to all protocols curl supports.
3) Insufficient verification of data authenticity (CVE-ID: CVE-2021-22947)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists in the way libcurl handles the STARTTLS negotiation process. When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple "pipelined" responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got before the TLS handshake as if they were authenticated.
Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.
Over POP3 and IMAP an attacker can inject fake response data.
4) Improper Authentication (CVE-ID: CVE-2022-22576)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when re-using OAUTH2 connections for SASL-enabled protocols, such as SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). libcurl may reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. As a result, a connection that is successfully created and authenticated with a user name + OAUTH2 bearer can subsequently be erroneously reused even for user + [other OAUTH2 bearer], even though that might not even be a valid bearer.
A remote attacker can exploit this vulnerability against applications intended for use in multi-user environments to bypass authentication and gain unauthorized access to victim's accounts.
5) Information disclosure (CVE-ID: CVE-2022-27776)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to curl can leak authentication or cookie header data during HTTP redirects to the same host but another port number. When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host which name is used in the initial URL, so that redirects to other hosts will make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to the hosts that are identical to the first one but use a different port number or URL scheme.
The vulnerability exists due to an incomplete fix for #VU10224 (CVE-2018-1000007).
6) Cleartext transmission of sensitive information (CVE-ID: CVE-2021-22946)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error, related to incorrect enforcement of the --ssl-reqd option on the command line or CURLOPT_USE_SSL setting set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl. A remote attacker with control over the IMAP, POP3 or FTP server can send a specially crafted but perfectly legitimate response to the libcurl client and force it silently to continue its operations without TLS encryption and transmit data in clear text over the network.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-libcurl-may-affect-ibm-spectrum-copy-data-management-cve-2022-27782-cve-2022-27774-cve-2021-22947-cve-2022-22576-cve-2022-27776-cve-2021-22946/"
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-libcurl-may-affect-ibm-spectrum-copy-data-management-cve-2022-27782-cve-2022-27774-cve-2021-22947-cve-2022-22576-cve-2022-27776-cve-2021-22946/</a><br>
- https://www.ibm.com/support/pages/node/6620213<br><br></p>