CVE-2022-27782

7.5 HIGH

📋 TL;DR

libcurl incorrectly reuses TLS/SSH connections when security settings have changed, potentially allowing sensitive data to be transmitted over less secure connections. This affects any application using vulnerable libcurl versions for HTTPS or SSH transfers.

💻 Affected Systems

Products:
  • libcurl
  • curl
  • applications using libcurl
Versions: libcurl 7.16.0 through 7.83.0
Operating Systems: All operating systems using affected libcurl versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that change TLS/SSH options between requests while reusing connections.

📦 What is this software?

Curl by Haxx

curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive data transmitted over downgraded or misconfigured TLS/SSH connections, leading to interception or man-in-the-middle attacks.

🟠

Likely Case

Accidental data leakage when applications change security settings between requests but connections are incorrectly reused.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring of connection security parameters.

🌐 Internet-Facing: MEDIUM - Requires specific conditions where security settings change between requests to internet services.
🏢 Internal Only: LOW - Internal network threats are less likely to exploit this specific connection reuse issue.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires control over TLS/SSH configuration changes between requests and ability to intercept connections.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libcurl 7.83.1

Vendor Advisory: https://curl.se/docs/CVE-2022-27782.html

Restart Required: Yes

Instructions:

1. Update libcurl to version 7.83.1 or later.
2. Recompile applications using libcurl.
3. Restart affected services.

🔧 Temporary Workarounds

Disable connection reuse

all

Prevent libcurl from reusing connections entirely

curl_easy_setopt(curl, CURLOPT_FORBID_REUSE, 1L);

Force new connections

all

Close connections after each request

curl_easy_setopt(curl, CURLOPT_FRESH_CONNECT, 1L);

🧯 If You Can't Patch

  • Monitor for unexpected TLS/SSH connection downgrades
  • Implement network segmentation to limit exposure

🔍 How to Verify

Check if Vulnerable:

Check libcurl version: curl --version | head -1

Check Version:

curl --version | head -1

Verify Fix Applied:

Verify version is 7.83.1 or higher: curl --version | grep -E '^curl (7\.(83\.[1-9]|8[4-9]\.|9[0-9]\.)|[8-9]\.|[1-9][0-9]+\.)'
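
The checks above read the curl tool version at the start of the banner, but the first line of `curl --version` also reports the linked library as `libcurl/X.Y.Z`, and the two can differ. The script below is an added example, not part of the vendor advisory or of curl itself: it classifies a banner by its libcurl version against the affected range stated on this page (7.16.0 through 7.83.0). The function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a `curl --version` banner
# against the affected range this page states, 7.16.0 through 7.83.0.

# Pull the libcurl version out of the banner's first line. The leading
# "curl X.Y.Z" is the tool version and can differ from the linked library.
libcurl_version() {
    printf '%s\n' "$1" |
        sed -n '1s/.*libcurl\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Convert X.Y.Z to one integer so ranges compare numerically (7.9.0 < 7.83.0).
# The body runs in a subshell so the IFS change does not leak to the caller.
version_num() (
    IFS=.
    set -- $1
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
)

# Print "vulnerable", "not-affected" or "unknown" for one banner line.
cve_2022_27782_status() {
    ver=$(libcurl_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    n=$(version_num "$ver")
    if [ "$n" -ge "$(version_num 7.16.0)" ] && [ "$n" -le "$(version_num 7.83.0)" ]; then
        echo vulnerable
    else
        echo not-affected
    fi
}

# Constructed sample banners, not captured from real hosts.
while IFS= read -r banner; do
    printf '%-13s %s\n' "$(cve_2022_27782_status "$banner")" "$banner"
done <<'EOF'
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2
curl 7.83.1 (x86_64-pc-linux-gnu) libcurl/7.79.1 OpenSSL/1.1.1n
curl 7.83.1 (x86_64-pc-linux-gnu) libcurl/7.83.1 OpenSSL/1.1.1o
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13
EOF
```

On a live host, pass `"$(curl --version | head -1)"` to `cve_2022_27782_status`. A distribution package may carry a backported fix under an older version string, so treat a "vulnerable" result as a prompt to check the vendor's package changelog.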

📡 Detection & Monitoring

Log Indicators:

  • Unexpected TLS version changes between requests
  • SSH connection parameter mismatches

Network Indicators:

  • TLS/SSL handshake anomalies for reused connections
  • Inconsistent cipher suite usage

SIEM Query:

source="*curl*" AND ("TLS" OR "SSL") AND "reuse" AND "mismatch"
