{"id":23091,"date":"2022-01-21T01:12:45","date_gmt":"2022-01-21T00:12:45","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=23091"},"modified":"2024-10-05T21:33:39","modified_gmt":"2024-10-05T19:33:39","slug":"windows-january-2022-security-updates-for-curl-vulnerability-cve-2021-22947-a-tough-task-for-security-reporters","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/01\/21\/windows-january-2022-security-updates-for-curl-vulnerability-cve-2021-22947-a-tough-task-for-security-reporters\/","title":{"rendered":"Windows January 2022 security updates for cURL vulnerability CVE-2021-22947 – a tough task for security reporters"},"content":{"rendered":"

\"Sicherheit[German<\/a>]As of January 11, 2022, Microsoft has closed the CVE-2021-22947 vulnerability in Windows 10, Windows 11 and their server counterparts with various security updates. The CVE-2021-22947 vulnerability affects the Curl library and was reported by German security researcher Stefan Kanthak back in the summer of 2021. I have the tenacious correspondence between Kanthak and the MSRC, so I can rehash this case here in the blog.<\/p>\n

<\/p>\n

This is what cURL is all about<\/h2>\n

\"\"Microsoft has included the cURL package with Windows 10 since the beginning of 2018. This is both a program library and a command line program for transferring files in computer networks. cURL is under the open MIT license and has been ported to various operating systems.<\/p>\n

However, Microsoft has the problem that they are trumpeting that they will deliver cURL with Windows 10 (and currently Windows 11). But the maintenance of the cURL package, especially with regard to closing known vulnerabilities, is Microsoft-like. The package is not patched for two years, and a remote code execution vulnerability in cURL that is classified as critical takes more than half a year – and 3 months after its disclosure – to be patched. And the Janauar 2022 patch may not be installed due to collateral damage.<\/p>\n

cURL vulnerability: Microsoft's first confirmation<\/h2>\n

Vulnerability CVE-2021-22945<\/a> exists in the cURL package. When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS and switch to TLS security, the server can respond and return multiple responses at once, which curl caches. curl then switches to TLS, but does not empty the queue of cached responses, but continues to use and trust the responses it received *before* the TLS handshake, as if they were authenticated.<\/p>\n

Through this vulnerability, a man-in-the-middle attacker can first inject the forged responses, then pass TLS traffic from the legitimate server and trick curl into sending data back to the user, assuming that the data injected by the attacker comes from the TLS-protected server.<\/p>\n

The vulnerability was discovered by Stefan Kanthak and reported to Microsoft. I do not have the initial message from Kanthak to the Microsoft Security Response Center (MSRC) because Stefan Kanthak only provided me with an excerpt of the correspondence. On Monday, July 26, 2021, the MSRC confirmed the reported problem in Curl:<\/p>\n

From: Microsoft Security Response Center
\nReceived: Mon Jul 26 2021 08:05:07 GMT-0700 (Pacific Daylight Time)
\nTo: Stefan Kanthak
\nSubject: MSRC Case 66388 CRM:0461283373<\/p>\n

Hi Stefan,<\/p>\n

Here's an update on your case:<\/p>\n

MSRC Case 66388<\/p>\n

We confirmed the behavior you reported. We'll continue our investigation and determine how to address this issue.<\/p>\n

Please let me know if you have additional information that could aid our investigation, or if you have questions.<\/p>\n

Thanks!<\/p>\n

Duncan
\nMSRC<\/p><\/blockquote>\n

At this point, one could have indulged in the idea that the vulnerabilities would be closed by the upcoming patchday.<\/p>\n

Fix promised in October 2021 did arrive<\/h2>\n

After this case seemed to somehow fizzle out (no fix in October 2021; however, according to the text below, a patch was promised by Microsoft for October 2021), Stefan Kanthak followed up again on October 12, 2021<\/p>\n

From: Stefan Kanthak
\nReceived: Tue Oct 12 2021 15:45:15 GMT-0700 (Pacific Daylight Time)
\nTo: <Microsoft Security Response Center>; Microsoft Security Response Center; Microsoft Security Response Center
\nSubject: Re: MSRC Case 66388 CRM:0461283373<\/p>\n

Duncan <secure@microsoft.com> wrote Thursday, August 05, 2021 2:09 AM:<\/p>\n

> Hello Stefan,
\n>
\n> Thank you for working with the MSRC!
\n>
\n> The fix is in development for your report, and is scheduled to be
\n> released in the October Microsoft Security Release on October 12th.<\/p>\n

WTF happened?<\/p>\n

1. Neither Link<\/a> nor KB5006670<\/a> nor KB5006672<\/a> list an update for curl.exe<\/em><\/p>\n

2. Link KB5006672<\/a> doesn't list curl.exe!<\/p>\n

3. 5006672.csv but lists the VULNERABLE and OUTDATED curl.exe 7.55.1, built more than 2 years ago:<\/p>\n

| curl.exe,7.55.1.0,12-Aug-2019,19:46,\"386,048\"
\n| curl.exe,7.55.1.0,12-Aug-2019,20:28,\"421,376\"
\n| curl.exe,7.55.1.0,12-Aug-2019,19:46,\"386,048\"
\n…
\n| Windows 10 version 1809 LCU Arm64-based,,,,
\n| File name,File version,Date,Time,File size
\n| curl.exe,7.55.1.0,12-Aug-2019,19:37,\"330,240\"
\n…
\n| curl.exe,7.55.1.0,12-Aug-2019,19:46,\"386,048\"
\n…
\n| curl.exe,7.55.1.0,12-Aug-2019,20:22,\"435,712\"<\/p>\n

You had more than TWO FULL MONTHS to build curl.exe from its CURRENT sources, but FAILED MISERABLY to do so!
\nWhat happened to Bill Gates' \"trustworthy computing\"?
\nIT'S A REAL SHAME!<\/p>\n

> Will that date work for you for a disclosure date?<\/p>\n

NOT ANY MORE!<\/p>\n

> Thank you again for working with us,<\/p>\n

not amused
\nStefan Kanthak<\/p><\/blockquote>\n

In October 2021, Windows 10 and Windows 11 (as well as their server counterparts) will ship with a curl version 7.55.1.0 dated August 14, 2017. There are numerous known vulnerabilities in this ancient version (it has been compiled by Microsoft in 2019). Microsoft's (MSRC) response to Kanthak's request came on October 12, 2021, confirming that the curl vulnerability has not been patched. The response from Microsoft (MSRC) came on October 12, 2021, confirming that the Curl vulnerability was not patched.<\/p>\n

Received: Tue Oct 12 2021 16:27:50 GMT-0700 (Pacific Daylight Time)To: <Microsoft Security Response Center>; Microsoft Security Response Center; Microsoft Security Response Center; Stefan KanthakSubject: Re: MSRC Case 66388 CRM:0461283373Hello Stefan,<\/p>\n

Thank you for checking back on the status of your submission. You are correct that the update for Curl was not included in this
\nmonth's security update release. We are checking on the status of your case and will respond once we have an understanding of the
\nengineering groups' plans.<\/p>\n

Our apologies for the confusion.<\/p>\n

Thank you for working with MSRC.
\nDuncan
\nMSRC<\/p><\/blockquote>\n

Stefan Kanthak then published the case on seclist.org<\/a> and writes the following there:<\/p>\n

In December 2017, Microsoft announced to ship curl.exe and tar.exe
\nwith Windows 10:
\n<Team Blog:Tar and curl come to Windows><\/p>\n

But they failed once again, MISERABLY, at least for curl: they took
\nthe sources released 2017-11-14, let them rot for 2 years, applied
\nsome patches, only to let them rot again since then!<\/p>\n

| C:\\Users\\Public>winver
\n| Microsoft Windows [Version 10.0.19042.1083]
\n|
\n| C:\\Users\\Public>curl -V
\n| curl 7.55.1 (Windows) libcurl\/7.55.1 WinSSL
\n| Release-Date: 2017-11-14, security patched: 2019-11-05
\n| Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
\n| Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL<\/p>\n

Version 7.55.1 is 34 releases and at least 15 (in words: FIFTEEN)
\nCVEs behind the current version 7.79.1: see
\n<https:\/\/curl.se\/docs\/releases.html<\/a>> and
\n<https:\/\/curl.se\/docs\/vulnerabilities.html<\/a>><\/p>\n

Most obviously Microsoft's processes are so bad that they can't
\nbuild a current version and have to ship ROTTEN software instead!<\/p>\n

stay tuned, and far away from such poorly maintained crap<\/p><\/blockquote>\n

So, Microsoft has been shipping curl.exe<\/em> with Windows 10 since the beginning of 2018 (the most secure Windows ever at the time, according to the manufacturer). However, Microsoft lets the old version of curl.exe<\/em> really rot for two years without caring about patches. Only at the end of 2019, some patches will be incorporated into a curl version. Then again, there will be no changes for two years, and no security updates.<\/p>\n

At the time the above vulnerability was reported by Stefan Kanthak, at least 20 vulnerabilities in curl were known and closed in the open source variant. Only Microsoft sleeps the sleep of the righteous. This leaves the observer speechless – although: This is Microsoft's program – I know other cases where libraries in ancient versions were integrated into products and diligently distributed.<\/p>\n

Christmas something is happening …<\/h2>\n

On December 24, 2021, Microsoft sent the following answer to Stefan Kanthak:<\/p>\n

From: \"Microsoft Security Response Center\" <secure@microsoft.com>
\nTo: \"Microsoft Security Response Center\" <secure@microsoft.com>; \"Microsoft Security Response Center\" <secure@microsoft.com>;
\n\"Microsoft Security Response Center\" <secure@microsoft.com>; \"Microsoft Security Response Center\" <secure@microsoft.com>; \"Stefan Kanthak\" <stefan.kanthak@nexgo.de>
\nSent: Friday, December 24, 2021 12:05 AM
\nSubject: RE: Re: MSRC Case 66388 CRM:0461283373<\/p>\n

Hello Stefan,<\/p>\n

The fix in development for your report has completed testing and is tentatively scheduled to be released in the upcoming Microsoft Security Release on January11th 2022. We will be referencing some of the CVEs that CURL has issued for recent updates, including CVE-2022-22947. While unlikely this is still subject to change, and I will be sure to notify you of any updates.<\/p>\n

Thank you again for working with us,<\/p>\n

Duncan<\/p>\n

MSRCFrom: Microsoft Security Response Center<\/p><\/blockquote>\n

There the fix was promised for January 11, 2022.<\/p>\n

… but it will be January 2022<\/h2>\n

In fact, an update really came on January 11, 2022 (Patchday) and the remote code execution vulnerability CVE-2021-22947<\/a> in curl<\/em>, which was rated critical, was closed in Windows 10 20H2 to 21H2, Windows Server 2022 as well as in Windows 11. The CVE had been requested via Hacker One, a description of CVE-2021-22947 can be found here<\/a> und hier<\/a>.<\/p>\n

In the meantime, Microsoft has identified Stefan Kanthak as the discoverer of the vulnerability – which probably only happened after another inquiry. Kanthak wrote in an email \"The Redmond company doesn't have enough time to thank me\". It is quite sportive, if a critical RCE vulnerability in a Curl library is fixed only after half a year.\u00a0 That's security by Microsoft – well girls and gals, keep your Windows and software updated – and hope, the vendor will patches vulnerabilities soon enough.<\/p>\n

Similar articles
\n<\/strong>Windows 10 and the OneDrive vulnerabilities<\/a>\u00a0\u2013 Part 1
\nWindows 10 and the OneDrive vulnerabilities<\/a>\u00a0\u2013 Part 2
\nWindows 10 and the OneDrive vulnerabilities<\/a>\u00a0\u2013 Part 3
\nVulnerabilities in Microsoft Visual C++ Runtime<\/a>
\nEdge and its poor installer security<\/a>
\nMicrosoft Teams and it's security<\/a>
\nEdge: Has Microsoft lost its track?<\/p>\n","protected":false},"excerpt":{"rendered":"

[German]As of January 11, 2022, Microsoft has closed the CVE-2021-22947 vulnerability in Windows 10, Windows 11 and their server counterparts with various security updates. The CVE-2021-22947 vulnerability affects the Curl library and was reported by German security researcher Stefan Kanthak … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22,2],"tags":[69,195,194],"class_list":["post-23091","post","type-post","status-publish","format-standard","hentry","category-security","category-update","category-windows","tag-security","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/23091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=23091"}],"version-history":[{"count":2,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/23091\/revisions"}],"predecessor-version":[{"id":35847,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/23091\/revisions\/35847"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=23091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=23091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=23091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}