curl
cpe:2.3:a:curl_project:curl:*:*:*:*:ruby:*:*
- >= 7.58.0, <= 8.17.0
A vulnerability exists in curl and libcurl when the libssh backend is used for SSH-based file transfers over SCP or SFTP. libssh can unintentionally accept connections to hosts that are not listed in the user-specified known_hosts file. It references a global known_hosts file, whose path is set at build time and is typically /etc/ssh/ssh_known_hosts, and a host recognized there is accepted even when the user-specified file does not list it. The global file thus overrides the user's preference, so host identities are validated improperly.
This vulnerability can cause host identity validation to fail to reject untrusted hosts, allowing connections to them.
To reproduce this vulnerability, first compile curl with the libssh backend. Then add a valid host entry to the global known_hosts file. After that, create an empty known_hosts file and use curl to connect to that host, specifying the empty file as the known_hosts file. The connection is accepted even though it should be rejected, which demonstrates that the global known_hosts file has improperly overridden the user-specified file.
Users can upgrade to curl version 8.18.0, which fixes this vulnerability by ensuring that both the user-specified and global known_hosts files are set to the same path, preventing the global file from overriding user preferences.
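A local triage check for the affected range and backend described above, as an added example that is not part of the advisory or the curl project. It assumes the usual `curl --version` banner format and the typical global path /etc/ssh/ssh_known_hosts; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory or the curl project): local triage for
# the libssh known_hosts override. Assumes the usual `curl --version` banner.

# ver_to_int MAJOR.MINOR.PATCH -> one comparable integer
ver_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# classify_banner "<first line of curl --version>"
# prints: affected | out-of-range | not-libssh | unparsed
classify_banner() {
    banner=$1
    ver=$(printf '%s\n' "$banner" |
        sed -n 's/^curl \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unparsed; return; }
    # The libssh backend appears as "libssh/<ver>", libssh2 as "libssh2/<ver>".
    case " $banner " in
        *" libssh/"*) ;;
        *) echo not-libssh; return ;;
    esac
    v=$(ver_to_int "$ver")
    # Affected range as listed on this page: >= 7.58.0, <= 8.17.0
    if [ "$v" -ge "$(ver_to_int 7.58.0)" ] && [ "$v" -le "$(ver_to_int 8.17.0)" ]; then
        echo affected
    else
        echo out-of-range
    fi
}

# global_hosts_entries FILE -> number of non-blank, non-comment lines
global_hosts_entries() {
    [ -r "$1" ] || { echo 0; return; }
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Report on the local system only when invoked with the argument "run".
if [ "${1:-}" = run ]; then
    echo "curl: $(classify_banner "$(curl --version | head -n 1)")"
    # Typical build-time path per the description; a build may use another.
    echo "global entries: $(global_hosts_entries /etc/ssh/ssh_known_hosts)"
fi
```

An `affected` result together with a non-zero global entry count means hosts in the global file are accepted regardless of the user-specified file until curl is upgraded to 8.18.0.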