Windows January 2022 security updates for cURL vulnerability CVE-2021-22947 – a tough task for security reporters

Sicherheit (Pexels, allgemeine Nutzung)[German]As of January 11, 2022, Microsoft has closed the CVE-2021-22947 vulnerability in Windows 10, Windows 11 and their server counterparts with various security updates. The CVE-2021-22947 vulnerability affects the Curl library and was reported by German security researcher Stefan Kanthak back in the summer of 2021. I have the tenacious correspondence between Kanthak and the MSRC, so I can rehash this case here in the blog.


Advertising

This is what cURL is all about

Microsoft has included the cURL package with Windows 10 since the beginning of 2018. This is both a program library and a command line program for transferring files in computer networks. cURL is under the open MIT license and has been ported to various operating systems.

However, Microsoft has the problem that they are trumpeting that they will deliver cURL with Windows 10 (and currently Windows 11). But the maintenance of the cURL package, especially with regard to closing known vulnerabilities, is Microsoft-like. The package is not patched for two years, and a remote code execution vulnerability in cURL that is classified as critical takes more than half a year – and 3 months after its disclosure – to be patched. And the Janauar 2022 patch may not be installed due to collateral damage.

cURL vulnerability: Microsoft's first confirmation

Vulnerability CVE-2021-22945 exists in the cURL package. When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS and switch to TLS security, the server can respond and return multiple responses at once, which curl caches. curl then switches to TLS, but does not empty the queue of cached responses, but continues to use and trust the responses it received *before* the TLS handshake, as if they were authenticated.

Through this vulnerability, a man-in-the-middle attacker can first inject the forged responses, then pass TLS traffic from the legitimate server and trick curl into sending data back to the user, assuming that the data injected by the attacker comes from the TLS-protected server.

The vulnerability was discovered by Stefan Kanthak and reported to Microsoft. I do not have the initial message from Kanthak to the Microsoft Security Response Center (MSRC) because Stefan Kanthak only provided me with an excerpt of the correspondence. On Monday, July 26, 2021, the MSRC confirmed the reported problem in Curl:


Advertising

From: Microsoft Security Response Center
Received: Mon Jul 26 2021 08:05:07 GMT-0700 (Pacific Daylight Time)
To: Stefan Kanthak
Subject: MSRC Case 66388 CRM:0461283373

Hi Stefan,

Here's an update on your case:

MSRC Case 66388

We confirmed the behavior you reported. We'll continue our investigation and determine how to address this issue.

Please let me know if you have additional information that could aid our investigation, or if you have questions.

Thanks!

Duncan
MSRC

At this point, one could have indulged in the idea that the vulnerabilities would be closed by the upcoming patchday.

Fix promised in October 2021 did arrive

After this case seemed to somehow fizzle out (no fix in October 2021; however, according to the text below, a patch was promised by Microsoft for October 2021), Stefan Kanthak followed up again on October 12, 2021

From: Stefan Kanthak
Received: Tue Oct 12 2021 15:45:15 GMT-0700 (Pacific Daylight Time)
To: <Microsoft Security Response Center>; Microsoft Security Response Center; Microsoft Security Response Center
Subject: Re: MSRC Case 66388 CRM:0461283373

Duncan <secure@microsoft.com> wrote Thursday, August 05, 2021 2:09 AM:

> Hello Stefan,
>
> Thank you for working with the MSRC!
>
> The fix is in development for your report, and is scheduled to be
> released in the October Microsoft Security Release on October 12th.

WTF happened?

1. Neither Link nor KB5006670 nor KB5006672 list an update for curl.exe

2. Link KB5006672 doesn't list curl.exe!

3. 5006672.csv but lists the VULNERABLE and OUTDATED curl.exe 7.55.1, built more than 2 years ago:

| curl.exe,7.55.1.0,12-Aug-2019,19:46,"386,048"
| curl.exe,7.55.1.0,12-Aug-2019,20:28,"421,376"
| curl.exe,7.55.1.0,12-Aug-2019,19:46,"386,048"

| Windows 10 version 1809 LCU Arm64-based,,,,
| File name,File version,Date,Time,File size
| curl.exe,7.55.1.0,12-Aug-2019,19:37,"330,240"

| curl.exe,7.55.1.0,12-Aug-2019,19:46,"386,048"

| curl.exe,7.55.1.0,12-Aug-2019,20:22,"435,712"

You had more than TWO FULL MONTHS to build curl.exe from its CURRENT sources, but FAILED MISERABLY to do so!
What happened to Bill Gates' "trustworthy computing"?
IT'S A REAL SHAME!

> Will that date work for you for a disclosure date?

NOT ANY MORE!

> Thank you again for working with us,

not amused
Stefan Kanthak

In October 2021, Windows 10 and Windows 11 (as well as their server counterparts) will ship with a curl version 7.55.1.0 dated August 14, 2017. There are numerous known vulnerabilities in this ancient version (it has been compiled by Microsoft in 2019). Microsoft's (MSRC) response to Kanthak's request came on October 12, 2021, confirming that the curl vulnerability has not been patched. The response from Microsoft (MSRC) came on October 12, 2021, confirming that the Curl vulnerability was not patched.

Received: Tue Oct 12 2021 16:27:50 GMT-0700 (Pacific Daylight Time)To: <Microsoft Security Response Center>; Microsoft Security Response Center; Microsoft Security Response Center; Stefan KanthakSubject: Re: MSRC Case 66388 CRM:0461283373Hello Stefan,

Thank you for checking back on the status of your submission. You are correct that the update for Curl was not included in this
month's security update release. We are checking on the status of your case and will respond once we have an understanding of the
engineering groups' plans.

Our apologies for the confusion.

Thank you for working with MSRC.
Duncan
MSRC

Stefan Kanthak then published the case on seclist.org and writes the following there:

In December 2017, Microsoft announced to ship curl.exe and tar.exe
with Windows 10:
<Team Blog:Tar and curl come to Windows>

But they failed once again, MISERABLY, at least for curl: they took
the sources released 2017-11-14, let them rot for 2 years, applied
some patches, only to let them rot again since then!

| C:\Users\Public>winver
| Microsoft Windows [Version 10.0.19042.1083]
|
| C:\Users\Public>curl -V
| curl 7.55.1 (Windows) libcurl/7.55.1 WinSSL
| Release-Date: 2017-11-14, security patched: 2019-11-05
| Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
| Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL

Version 7.55.1 is 34 releases and at least 15 (in words: FIFTEEN)
CVEs behind the current version 7.79.1: see
<https://curl.se/docs/releases.html> and
<https://curl.se/docs/vulnerabilities.html>

Most obviously Microsoft's processes are so bad that they can't
build a current version and have to ship ROTTEN software instead!

stay tuned, and far away from such poorly maintained crap

So, Microsoft has been shipping curl.exe with Windows 10 since the beginning of 2018 (the most secure Windows ever at the time, according to the manufacturer). However, Microsoft lets the old version of curl.exe really rot for two years without caring about patches. Only at the end of 2019, some patches will be incorporated into a curl version. Then again, there will be no changes for two years, and no security updates.

At the time the above vulnerability was reported by Stefan Kanthak, at least 20 vulnerabilities in curl were known and closed in the open source variant. Only Microsoft sleeps the sleep of the righteous. This leaves the observer speechless – although: This is Microsoft's program – I know other cases where libraries in ancient versions were integrated into products and diligently distributed.

Christmas something is happening …

On December 24, 2021, Microsoft sent the following answer to Stefan Kanthak:

From: "Microsoft Security Response Center" <secure@microsoft.com>
To: "Microsoft Security Response Center" <secure@microsoft.com>; "Microsoft Security Response Center" <secure@microsoft.com>;
"Microsoft Security Response Center" <secure@microsoft.com>; "Microsoft Security Response Center" <secure@microsoft.com>; "Stefan Kanthak" <stefan.kanthak@nexgo.de>
Sent: Friday, December 24, 2021 12:05 AM
Subject: RE: Re: MSRC Case 66388 CRM:0461283373

Hello Stefan,

The fix in development for your report has completed testing and is tentatively scheduled to be released in the upcoming Microsoft Security Release on January11th 2022. We will be referencing some of the CVEs that CURL has issued for recent updates, including CVE-2022-22947. While unlikely this is still subject to change, and I will be sure to notify you of any updates.

Thank you again for working with us,

Duncan

MSRCFrom: Microsoft Security Response Center

There the fix was promised for January 11, 2022.

… but it will be January 2022

In fact, an update really came on January 11, 2022 (Patchday) and the remote code execution vulnerability CVE-2021-22947 in curl, which was rated critical, was closed in Windows 10 20H2 to 21H2, Windows Server 2022 as well as in Windows 11. The CVE had been requested via Hacker One, a description of CVE-2021-22947 can be found here und hier.

In the meantime, Microsoft has identified Stefan Kanthak as the discoverer of the vulnerability – which probably only happened after another inquiry. Kanthak wrote in an email "The Redmond company doesn't have enough time to thank me". It is quite sportive, if a critical RCE vulnerability in a Curl library is fixed only after half a year.  That's security by Microsoft – well girls and gals, keep your Windows and software updated – and hope, the vendor will patches vulnerabilities soon enough.

Similar articles
Windows 10 and the OneDrive vulnerabilities – Part 1
Windows 10 and the OneDrive vulnerabilities – Part 2
Windows 10 and the OneDrive vulnerabilities – Part 3
Vulnerabilities in Microsoft Visual C++ Runtime
Edge and its poor installer security
Microsoft Teams and it's security
Edge: Has Microsoft lost its track?


Advertising

This entry was posted in Security, Update, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).