Libcurl Eventfd Double Close Vulnerability
Vulnerability
A vulnerability exists in libcurl version 8.11.1, where the library incorrectly closes the same eventfd file descriptor twice. This issue arises when libcurl is built with the threaded resolver and eventfd is used for inter-thread messaging, a feature available only on 64-bit architectures. The double close occurs after a connection channel is terminated following a threaded name resolution, potentially leading to a race condition. This flaw can cause libcurl to behave unpredictably, which may have been noticed by users who avoided the vulnerable version or the eventfd feature.
Impact
Exploitation of this vulnerability could result in a double close of a file descriptor, creating a race condition that an attacker could exploit to gain control over file descriptors opened in another thread. This could lead to unauthorized access to sensitive information or manipulation of data. In the context of the NetApp advisory, the vulnerability is described as having a high impact, with the potential for sensitive information disclosure, unauthorized data modification, or causing a denial-of-service condition.
Reproduction
The vulnerability can be reproduced by creating three threads: one that writes to a sensitive file, one that listens for incoming connections, and a curl thread that performs operations using libcurl. When the curl thread reaches the first close of the eventfd descriptor, the writer thread can open a sensitive file, which is assigned the same file descriptor number because the number has just been freed. The curl thread then closes the descriptor again, which now closes the writer's file. The listener thread can then accept a connection from an external source, and the new socket receives that same number, so the writer thread, still writing to its now stale descriptor, inadvertently sends data to the attacker.
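The descriptor-number reuse behind this sequence, next to the close-and-invalidate pattern that makes a repeated close harmless, as an added example (not libcurl's code or its patch). It runs in a single thread so the reuse is deterministic, `/dev/null` stands in for the eventfd, and `close_once`, `fd_is_open` and `unrelated_fd_survives` are hypothetical names.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Close *fd at most once: the stored number is invalidated after the first
 * close, so a repeated call cannot hit a descriptor that reused the number. */
static int close_once(int *fd)
{
    int rc = 0;
    if (*fd >= 0) {
        rc = close(*fd);
        *fd = -1;
    }
    return rc;
}

/* 1 if fd currently refers to an open file in this process, else 0. */
static int fd_is_open(int fd)
{
    return fd >= 0 && fcntl(fd, F_GETFD) != -1;
}

/* Runs close / reuse / close-again in one thread. Returns 1 if the unrelated
 * file survives, 0 if the second close closed it, -1 on setup failure. */
static int unrelated_fd_survives(int use_guard)
{
    int evfd = open("/dev/null", O_RDONLY); /* assumption: stand-in for the eventfd */
    int other, alive;
    if (evfd < 0)
        return -1;
    if (use_guard) close_once(&evfd); else close(evfd);   /* first close */
    /* What another thread's open() would receive: the lowest free number,
     * which is the one just released. */
    other = open("/dev/null", O_RDONLY);
    if (other < 0)
        return -1;
    if (use_guard) close_once(&evfd); else close(evfd);   /* second close */
    alive = fd_is_open(other);
    if (alive)
        close(other);
    return alive;
}

int main(void)
{
    printf("plain close twice: unrelated fd survives = %d\n", unrelated_fd_survives(0));
    printf("close_once twice:  unrelated fd survives = %d\n", unrelated_fd_survives(1));
    return 0;
}
```

In multi-threaded code the same sequence depends on timing, which is why the page describes the outcome as a race condition.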
Remediation
Users are advised to upgrade to libcurl version 8.12.0, apply the available patch, or disable eventfd use in their build. NetApp products affected by this vulnerability should be updated according to the guidance provided in the NetApp advisory.
