#VU53584 Inadequate encryption strength in cURL


Published: 2021-05-26

Vulnerability identifier: #VU53584

Vulnerability risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22897

CWE-ID: CWE-326

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cURL
Client/Desktop applications / Other client software

Vendor: curl.haxx.se

Description

The vulnerability allows a remote attacker to force applications use weak cryptographic ciphers.

The vulnerability exists due to a logic error when selecting TLS ciphers during connection via the CURLOPT_SSL_CIPHER_LIST option in libcurl. The selected cipher set was stored in a single "static" variable in the library that is used for multiple concurrent transfers within the specific application, the last one that sets the ciphers will accidentally control the set used by all transfers.

The vulnerability can be triggered when Schannel is used, which is the native TLS library in Microsoft Windows.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

cURL: 7.61.0 - 7.76.1


External links
http://curl.haxx.se/docs/CVE-2021-22897.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability