#VU53584 Inadequate encryption strength in cURL


Vulnerability identifier: #VU53584

Vulnerability risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22897

CWE-ID: CWE-326

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cURL
Client/Desktop applications / Other client software

Vendor: curl.haxx.se

Description

The vulnerability allows a remote attacker to force applications use weak cryptographic ciphers.

The vulnerability exists due to a logic error when selecting TLS ciphers during connection via the CURLOPT_SSL_CIPHER_LIST option in libcurl. The selected cipher set was stored in a single "static" variable in the library that is used for multiple concurrent transfers within the specific application, the last one that sets the ciphers will accidentally control the set used by all transfers.

The vulnerability can be triggered when Schannel is used, which is the native TLS library in Microsoft Windows.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

cURL: 7.61.0 - 7.76.1

External links
http://curl.haxx.se/docs/CVE-2021-22897.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Transformation Advisor
Multiple vulnerabilities in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Splunk Enterprise update for third-party packages
Multiple vulnerabilities in Dell Data Protection Central
Splunk Universal Forwarder update for third-party packages
Multiple vulnerabilities in IBM MaaS360 Cloud Extender and Modules
Multiple vulnerabilities in Siemens SINEC INS
openEuler 20.03 LTS SP1 update for curl
cPanel update for EasyApache
Slackware Linux update for curl