CVE-2022-27778
📋 TL;DR
This vulnerability in curl versions before 7.83.1 could cause the wrong file to be deleted when using the --no-clobber option with --remove-on-error. It affects systems using curl with these specific flags, potentially leading to unintended file deletion.
💻 Affected Systems
- curl
- libcurl
- applications using libcurl
📦 What is this software?
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
Solidfire & Hci Management Node by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Critical system files could be deleted, causing system instability, data loss, or service disruption.
Likely Case
User data files or temporary files could be deleted unintentionally, causing data loss or application errors.
If Mitigated
With proper file permissions and monitoring, impact would be limited to non-critical files with minimal disruption.
🎯 Exploit Status
Exploitation requires ability to execute curl commands with specific flags. Proof of concept available in HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: curl 7.83.1 and later
Vendor Advisory: https://curl.se/docs/CVE-2022-27778.html
Restart Required: No
Instructions:
1. Check current curl version: curl --version
2. Update curl using system package manager:
- Ubuntu/Debian: sudo apt update && sudo apt upgrade curl
- RHEL/CentOS: sudo yum update curl
- macOS: brew upgrade curl
3. Verify update: curl --version should show 7.83.1 or higher
🔧 Temporary Workarounds
Avoid vulnerable flag combination
Do not use the --no-clobber and --remove-on-error flags together in curl commands
# Replace: curl --no-clobber --remove-on-error ...
# With: curl --remove-on-error ... (without --no-clobber)
🧯 If You Can't Patch
- Audit all scripts and automation using curl for --no-clobber --remove-on-error combination
- Implement file permission restrictions to limit damage from unintended deletions
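One way to run the audit from the first item, as an added example that is not part of the original advisory or the curl project. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: find curl invocations that combine --no-clobber with
# --remove-on-error. Function names and sample files are constructed.

# Print "file:line" for every logical command line (backslash continuations
# joined) that runs curl with both flags, in either order.
audit_curl_flags() {
    find "$1" -type f -exec grep -l 'curl' {} + 2>/dev/null |
    while IFS= read -r f; do
        awk '
            {
                if (buf == "") start = NR
                line = $0
                # A trailing backslash continues the command on the next line.
                if (sub(/\\$/, "", line)) { buf = buf line " "; next }
                buf = buf line
                # Skip comment lines, then require curl plus both flags.
                if (buf !~ /^[ \t]*#/ &&
                    buf ~ /(^|[^A-Za-z0-9_-])curl([ \t]|$)/ &&
                    buf ~ /--no-clobber/ && buf ~ /--remove-on-error/)
                    print FILENAME ":" start
                buf = ""
            }' "$f"
    done
}

# Build a small constructed tree to exercise the audit; prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' \
        'curl --no-clobber --remove-on-error -o out.bin "$URL"' > "$d/both.sh"
    printf '%s\n' '#!/bin/sh' 'set -e' \
        'curl --remove-on-error \' \
        '     -o out.bin --no-clobber "$URL"' > "$d/split.sh"
    printf '%s\n' '# curl --no-clobber --remove-on-error (old form)' \
        'curl --remove-on-error -o out.bin "$URL"' > "$d/safe.sh"
    printf '%s\n' "$d"
}

# Scan the directory given as the first argument, if any.
if [ $# -gt 0 ]; then audit_curl_flags "$1"; fi
```

Flags set through a curl config file (-K or .curlrc) sit on separate lines and are not caught by this scan, so review those files separately.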
🔍 How to Verify
Check if Vulnerable:
Run: v=$(curl --version | head -1 | awk '{print $2}'); [ "$(printf '%s\n' 7.83.1 "$v" | sort -V | head -1)" = "7.83.1" ] && echo 'SAFE' || echo 'VULNERABLE'
Check Version:
curl --version | head -1
Verify Fix Applied:
Run: v=$(curl --version | head -1 | awk '{print $2}'); [ "$(printf '%s\n' 7.83.1 "$v" | sort -V | head -1)" = "7.83.1" ] && echo 'PATCHED' || echo 'STILL VULNERABLE'
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletions following curl executions
- Application errors due to missing files after curl operations
Network Indicators:
- None - this is a local file system vulnerability
SIEM Query:
process.name="curl" AND command_line:"--no-clobber" AND command_line:"--remove-on-error"
🔗 References
- https://hackerone.com/reports/1553598
- https://security.netapp.com/advisory/ntap-20220609-0009/
- https://security.netapp.com/advisory/ntap-20220729-0004/
- https://www.oracle.com/security-alerts/cpujul2022.html