libcurl Negotiate Authentication Connection Reuse Vulnerability
Vulnerability
A vulnerability exists in libcurl versions from 7.10.6 up to, but not including, 8.19.0 that allows incorrect reuse of connections during Negotiate-authenticated HTTP or HTTPS requests. The issue arises because Negotiate can authenticate connections rather than individual requests, leading to potential credential mismatches. When an application sends requests to the same server using different Negotiate credentials while a connection is still active, the second request may inadvertently use the first connection's credentials. This flaw also affects the curl command line tool.
Impact
Exploitation of this vulnerability can lead to authentication bypass, allowing a request to be sent with incorrect credentials, potentially causing unauthorized actions or access.
Reproduction
To reproduce this vulnerability, send a Negotiate-authenticated request to a server using specific credentials (user1:password1). While the connection is still active, send another request to the same server using different credentials (user2:password2). The second request will incorrectly reuse the connection authenticated for user1, leading to an authentication mismatch.
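The sequence above can be reasoned about with a small model of a connection pool. This is an added example, not libcurl source code or code from the advisory: the `Conn`, `Pool`, `send` and `run` names and the host `server.example` are hypothetical, and the model assumes only what the advisory states, that Negotiate binds an identity to the connection. It shows the flawed reuse check beside a check that also compares credentials.

```python
# Simplified model (added example, not libcurl code): Negotiate authenticates
# the connection, so the reuse check decides whose identity a request carries.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Conn:
    host: str
    authed_as: Optional[str] = None  # identity Negotiate bound to this connection


@dataclass
class Pool:
    match_credentials: bool          # False models the flawed reuse check
    conns: List[Conn] = field(default_factory=list)

    def acquire(self, host: str, user: str) -> Conn:
        for c in self.conns:
            if c.host != host:
                continue
            # Hardened check: a connection already authenticated for one user
            # must not be handed to a request that carries other credentials.
            if self.match_credentials and c.authed_as not in (None, user):
                continue
            return c
        c = Conn(host)               # no acceptable match: open a new connection
        self.conns.append(c)
        return c


def send(pool: Pool, host: str, user: str) -> str:
    """Return the identity the server attributes to this request."""
    conn = pool.acquire(host, user)
    if conn.authed_as is None:
        conn.authed_as = user        # handshake happens once per connection
    return conn.authed_as


def run(match_credentials: bool) -> List[str]:
    # Constructed request sequence: user1, then user2, then user1 again.
    pool = Pool(match_credentials)
    return [send(pool, "server.example", u) for u in ("user1", "user2", "user1")]


if __name__ == "__main__":
    print("host-only reuse:     ", run(False))
    print("credential-aware use:", run(True))
```

In the host-only case the request made for user2 is attributed to user1, which is the mismatch to look for in server-side access logs when assessing exposure.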
Remediation
Users can upgrade to curl and libcurl version 8.19.0, apply the patch and rebuild libcurl, or avoid using HTTP Negotiate in their application.
