CVE-2020-8285
📋 TL;DR
CVE-2020-8285 is a stack overflow vulnerability in curl's FTP wildcard parsing that allows remote attackers to crash applications or potentially execute arbitrary code via malicious FTP server responses. It affects curl versions 7.21.0 through 7.73.0 when using FTP with wildcard matching. Any application or system using vulnerable curl versions for FTP operations is at risk.
💻 Affected Systems
- curl
- libcurl
- any software using libcurl
📦 What is this software?
Communications Billing And Revenue Management by Oracle
Communications Cloud Native Core Policy by Oracle
Essbase by Oracle
Fedora by Fedoraproject
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Peoplesoft Enterprise Peopletools by Oracle
Sinec Infrastructure Network Services by Siemens
Solidfire by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if the stack overflow can be leveraged for arbitrary code execution.
Likely Case
Denial of service through application crash when connecting to malicious FTP servers with crafted wildcard responses.
If Mitigated
Limited impact if FTP functionality is disabled or if network controls prevent connections to untrusted FTP servers.
🎯 Exploit Status
Exploitation requires the victim to connect to a malicious FTP server, which can be achieved through phishing or compromised legitimate servers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: curl 7.74.0
Vendor Advisory: https://curl.se/docs/CVE-2020-8285.html
Restart Required: Yes
Instructions:
1. Update curl to version 7.74.0 or later.
2. For Linux systems: use the package manager (apt-get upgrade curl, yum update curl, etc.).
3. For Windows: download the latest version from curl.se.
4. Restart any services or applications using libcurl.
🔧 Temporary Workarounds
Disable FTP wildcard matching
Platform: all
Prevent libcurl from using wildcard matching in FTP operations. The feature is off by default and is switched on per easy handle with CURLOPT_WILDCARDMATCH, so leave that option unset or set it to 0:
curl_easy_setopt(curl, CURLOPT_WILDCARDMATCH, 0L);
Block untrusted FTP connections
Platform: linux
Use firewall rules to restrict outbound FTP connections to trusted servers only (trusted_ftp_server below is a placeholder for the server's address):
iptables -A OUTPUT -p tcp --dport 21 -d trusted_ftp_server -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j DROP
🧯 If You Can't Patch
- Disable FTP functionality entirely in applications using curl
- Implement network segmentation to isolate systems using vulnerable curl versions
🔍 How to Verify
Check if Vulnerable:
Run 'curl --version' and check whether the version shown is between 7.21.0 and 7.73.0 (inclusive)
Check Version:
curl --version | head -1
Verify Fix Applied:
After updating, run 'curl --version' to confirm that the version shown is 7.74.0 or higher
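The version check above, as an added example that is not part of the original advisory: a POSIX shell script that extracts the libcurl version from `curl --version` output (a constructed sample is embedded so it runs offline) and reports whether it falls in the 7.21.0 through 7.73.0 range; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a libcurl version string
# lies in the CVE-2020-8285 affected range, 7.21.0 through 7.73.0 inclusive.

# Turn "major.minor.patch" (optionally with a suffix such as "-DEV") into one
# integer so versions can be compared numerically: 7.73.0 -> 77300.
version_number() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$v" | cut -s -d. -f1)
    minor=$(printf '%s' "$v" | cut -s -d. -f2)
    patch=$(printf '%s' "$v" | cut -s -d. -f3)
    [ -n "$major" ] || major=${v:-0}
    [ -n "$minor" ] || minor=0
    [ -n "$patch" ] || patch=0
    echo $(( major * 10000 + minor * 100 + patch ))
}

# Exit status 0 (shell "true") when the version is affected, 1 otherwise.
cve_2020_8285_affected() {
    n=$(version_number "$1")
    [ "$n" -ge 72100 ] && [ "$n" -le 77300 ]
}

# Extract the libcurl version from the first line of `curl --version` output.
# The libcurl version is what matters: the bug lives in libcurl's wildcard code.
libcurl_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample of `curl --version` output from a host in the affected range.
SAMPLE_OUTPUT='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11
Release-Date: 2020-01-08
Protocols: dict file ftp ftps http https
Features: AsynchDNS IPv6 SSL'

# Run against a live host with: cve_2020_8285_check "$(curl --version)"
cve_2020_8285_check() {
    v=$(libcurl_version_from_output "$1")
    if [ -z "$v" ]; then
        echo "could not find a libcurl version in the output" >&2
        return 2
    fi
    if cve_2020_8285_affected "$v"; then
        echo "libcurl $v: AFFECTED by CVE-2020-8285, update to 7.74.0 or later"
        return 0
    fi
    echo "libcurl $v: not in the affected range"
    return 1
}

cve_2020_8285_check "$SAMPLE_OUTPUT"
```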
📡 Detection & Monitoring
Log Indicators:
- Multiple curl crashes with segmentation faults
- Unexpected termination of applications using libcurl
Network Indicators:
- Outbound FTP connections to unknown or suspicious servers
- FTP connections followed by application crashes
SIEM Query:
source="*curl*" AND ("segmentation fault" OR "stack overflow" OR "SIGSEGV")
🔗 References
- http://seclists.org/fulldisclosure/2021/Apr/51
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://curl.se/docs/CVE-2020-8285.html
- https://github.com/curl/curl/issues/6255
- https://hackerone.com/reports/1045844
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/
- https://security.gentoo.org/glsa/202012-14
- https://security.netapp.com/advisory/ntap-20210122-0007/
- https://support.apple.com/kb/HT212325
- https://support.apple.com/kb/HT212326
- https://support.apple.com/kb/HT212327
- https://www.debian.org/security/2021/dsa-4881
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html