curl
cpe:2.3:a:curl_project:curl:*:*:*:*:ruby:*:*
- >= 7.69.0, <= 8.16.0
A vulnerability exists in curl's handling of SSH connections via the wolfSSH backend when using SFTP. The issue arises because the backend lacks proper host verification, leaving it susceptible to man-in-the-middle attacks. This vulnerability affects curl versions 7.69.0 through 8.16.0.
The absence of host verification in the wolfSSH SFTP implementation allows for man-in-the-middle attacks, where an attacker could intercept or alter the SFTP communication without detection.
To reproduce this vulnerability, curl must be built with the wolfSSH backend enabled. After building and installing wolfSSH with SFTP support, curl can be compiled to use this backend. Once installed, the curl version can be checked to confirm that wolfSSH is active. The vulnerability can be demonstrated by using SFTP commands that require host verification, such as those involving the '--ssh-knownhosts' or '--hostpubsha256' options, which will result in errors indicating that these features are not supported.
Users can upgrade to curl version 8.17.0 or later, where this vulnerability is fixed. Alternatively, curl can be built with a different SSH backend.
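To check an installed build against the two conditions above (wolfSSH backend, version 7.69.0 through 8.16.0), the following added example, which is not part of the original advisory, classifies the first line of `curl --version` output. It assumes the wolfSSH backend is reported as a `wolfssh/` token on that line; the function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a curl build matches
# the affected range 7.69.0 through 8.16.0 AND uses the wolfSSH backend.

# ver_to_int MAJOR.MINOR.PATCH -> comparable integer (assumes each part < 1000)
ver_to_int() {
    echo "$1" | awk -F. '{ printf "%d", ($1 * 1000000) + ($2 * 1000) + $3 }'
}

# check_curl_banner "<output of curl --version>"
# prints: affected | not-affected-version | not-affected-backend | unknown
check_curl_banner() {
    # Only the first line carries the version and linked library tokens.
    first=$(printf '%s\n' "$1" | head -n 1)
    version=$(printf '%s\n' "$first" |
        sed -n 's/^curl \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$version" ]; then
        echo unknown
        return 0
    fi
    # Assumption: a wolfSSH build lists a "wolfssh/<version>" token here.
    case "$(printf '%s' "$first" | tr '[:upper:]' '[:lower:]')" in
        *wolfssh/*) ;;
        *) echo not-affected-backend; return 0 ;;
    esac
    v=$(ver_to_int "$version")
    if [ "$v" -ge "$(ver_to_int 7.69.0)" ] && [ "$v" -le "$(ver_to_int 8.16.0)" ]; then
        echo affected
    else
        echo not-affected-version
    fi
}

# Constructed sample banners (library versions are illustrative only).
SAMPLE_WOLFSSH='curl 8.16.0 (x86_64-pc-linux-gnu) libcurl/8.16.0 wolfSSL/5.7.0 wolfssh/1.4.17'
SAMPLE_FIXED='curl 8.17.0 (x86_64-pc-linux-gnu) libcurl/8.17.0 wolfSSL/5.7.0 wolfssh/1.4.17'
SAMPLE_LIBSSH2='curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 OpenSSL/3.0.13 libssh2/1.11.0'

for banner in "$SAMPLE_WOLFSSH" "$SAMPLE_FIXED" "$SAMPLE_LIBSSH2"; do
    printf '%s\n  -> %s\n' "$banner" "$(check_curl_banner "$banner")"
done

# Against a real installation: check_curl_banner "$(curl --version)"
```

An `affected` result means the build should be upgraded to 8.17.0 or later, or rebuilt with a different SSH backend, as stated above.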