CVE-2021-22926
📋 TL;DR
This vulnerability allows attackers to trick libcurl applications into using a malicious client certificate instead of the intended one when running in writable directories like /tmp. It affects applications using libcurl with Secure Transport on macOS that specify client certificates by name rather than file path. This can lead to authentication bypass or impersonation in TLS connections.
💻 Affected Systems
- libcurl
- Applications using libcurl with Secure Transport backend
📦 What is this software?
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
Other products listed under this CVE:
- Peoplesoft Enterprise Peopletools by Oracle
- Sinec Infrastructure Network Services by Siemens
- Solidfire by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing attackers to impersonate legitimate users or services in TLS connections, potentially leading to data theft or unauthorized access.
Likely Case
Authentication failures or incorrect client certificate usage in TLS handshakes, potentially causing service disruptions or limited unauthorized access.
If Mitigated
No impact if applications don't use client certificates by name or run in secure directories with proper permissions.
🎯 Exploit Status
Exploitation requires local access to create files in the application's working directory. The vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libcurl 7.77.0 and later
Vendor Advisory: https://curl.se/docs/CVE-2021-22926.html
Restart Required: Yes
Instructions:
1. Update libcurl to version 7.77.0 or later.
2. Rebuild applications using libcurl.
3. Restart affected services.
4. Verify the fix by checking the libcurl version and testing certificate functionality.
🔧 Temporary Workarounds
Use absolute file paths for certificates
Specify client certificates using absolute file paths instead of bare names, so that a same-named file in the working directory cannot be loaded in place of the intended certificate.
Replace CURLOPT_SSLCERT "certname" with CURLOPT_SSLCERT "/absolute/path/to/cert.pem"
Secure working directory permissions
Ensure applications run in directories whose permissions prevent other users from creating files there.
chmod 700 /application/working/directory
chown appuser:appgroup /application/working/directory
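The two workarounds above can be checked before deployment. The following POSIX shell script is an added example, not code from the curl project: `cert_spec_is_absolute` rejects a bare name such as `certname` (the case the affected Secure Transport builds could resolve to a same-named file in the working directory), and `workdir_is_private` rejects a directory that other local users can write to, including sticky-bit directories like `/tmp`. The paths in the demo loop are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the curl project: checks for the two workarounds
# above. cert_spec_is_absolute rejects a bare name such as "certname", which the
# affected Secure Transport builds could resolve to a same-named file in the working
# directory; workdir_is_private rejects a directory that other local users can
# write to (group- or world-writable, including sticky-bit directories like /tmp).

# 0 if the CURLOPT_SSLCERT value starts with "/", 1 otherwise.
cert_spec_is_absolute() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# 0 if the directory exists and only its owner may write to it, 1 otherwise.
# Reads the mode string from ls -ldL (drwxr-xr-x...), which unlike stat(1) has
# the same format on Linux and macOS; group write is column 6, other write is
# column 9. -L follows a symlinked directory such as macOS /tmp -> /private/tmp.
workdir_is_private() {
    [ -d "$1" ] || return 1
    mode=$(ls -ldL "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Combined check: 0 only when the cert is given by absolute path AND the working
# directory is private; reports the first failing condition on stderr.
check_cert_workaround() {
    cert="$1"; dir="$2"
    if ! cert_spec_is_absolute "$cert"; then
        echo "cert spec '$cert' is a name or relative path, use an absolute path" >&2
        return 1
    fi
    if ! workdir_is_private "$dir"; then
        echo "working directory '$dir' is missing or group/world-writable" >&2
        return 1
    fi
    return 0
}

# Demo with constructed placeholder values: a bare name or /tmp should fail;
# an absolute path in the current directory passes only if that directory is
# not group/world-writable.
for spec in certname /absolute/path/to/cert.pem; do
    for dir in /tmp .; do
        if check_cert_workaround "$spec" "$dir" 2>/dev/null; then r=ok; else r=FAIL; fi
        printf '%-28s %-6s %s\n' "$spec" "$dir" "$r"
    done
done
```

Run `check_cert_workaround "$CERT_SPEC" "$(pwd)"` from the application's start-up script; a non-zero exit means one of the two workarounds is not in place.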
🧯 If You Can't Patch
- Ensure applications run in secure directories with proper permissions (not world-writable like /tmp)
- Use absolute file paths for all certificate specifications instead of certificate names
🔍 How to Verify
Check if Vulnerable:
Check libcurl version: curl --version. If version is earlier than 7.77.0 and application uses Secure Transport on macOS with certificate names, it's vulnerable.
Check Version:
curl --version | head -1
Verify Fix Applied:
Verify libcurl version is 7.77.0 or later: curl --version. Test client certificate functionality with both name and file specifications.
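The version check above can be automated. This POSIX shell script is an added example, not code from the curl project: it parses the first line of `curl --version`, extracts the `libcurl/X.Y.Z` token, checks for the `SecureTransport` backend name, and compares the version numerically against the 7.77.0 threshold this page gives (a plain string compare would rank 7.9.x above 7.77.0). The three sample lines are constructed to resemble real output and are not captured from a host.

```shell
#!/bin/sh
# Added example, not code from the curl project: classify the first line of
# `curl --version` against the conditions this page gives (libcurl older than
# 7.77.0 using the Secure Transport backend). On a real host run:
#   is_vulnerable "$(curl --version | head -1)"

# Print the libcurl version embedded in a `curl --version` first line
# (the "libcurl/X.Y.Z" token); prints nothing if the token is absent.
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# 0 when the line names the Secure Transport TLS backend, 1 otherwise.
uses_secure_transport() {
    case "$1" in
        *SecureTransport*) return 0 ;;
        *) return 1 ;;
    esac
}

# Numeric comparison of dotted versions: 0 if $1 is older than $2, 1 otherwise.
# Missing components (e.g. "7.77") are treated as 0.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -d. -f"$i"); b=$(printf '%s' "$2" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal
}

# 0 if the line matches the vulnerable combination, 1 if it does not,
# 2 if no libcurl version could be parsed from it.
is_vulnerable() {
    ver=$(libcurl_version "$1")
    [ -n "$ver" ] || return 2
    uses_secure_transport "$1" || return 1
    version_lt "$ver" 7.77.0
}

# Constructed sample lines (shaped like real output, not captured from a host).
SAMPLE_MAC_OLD='curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0'
SAMPLE_MAC_NEW='curl 8.4.0 (x86_64-apple-darwin23.0) libcurl/8.4.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.55.1'
SAMPLE_LINUX='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0'

for line in "$SAMPLE_MAC_OLD" "$SAMPLE_MAC_NEW" "$SAMPLE_LINUX"; do
    if is_vulnerable "$line"; then rc=0; else rc=$?; fi
    case "$rc" in
        0) verdict="VULNERABLE (Secure Transport, older than 7.77.0)" ;;
        1) verdict="not affected" ;;
        *) verdict="unknown (no libcurl version in line)" ;;
    esac
    printf '%-8s %s\n' "${verdict%% *}" "$line" | cut -c1-60
    printf '         -> %s\n' "$verdict"
done
```

The Linux sample is reported as not affected even though its libcurl is older than 7.77.0, because the backend is OpenSSL rather than Secure Transport; the return code 2 path makes a line without a `libcurl/` token show up as unknown rather than silently passing.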
📡 Detection & Monitoring
Log Indicators:
- Failed TLS handshakes
- Certificate validation errors
- Unexpected certificate usage in authentication logs
Network Indicators:
- TLS connection failures with certificate errors
- Unexpected client certificate presentations
SIEM Query:
source="*tls*" AND ("certificate error" OR "handshake failure") AND (process="*curl*" OR process="*application*")
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://hackerone.com/reports/1234760
- https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E
- https://security.gentoo.org/glsa/202212-01
- https://security.netapp.com/advisory/ntap-20210902-0003/
- https://security.netapp.com/advisory/ntap-20211022-0003/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html