curl
cpe:2.3:a:curl_project:curl:*:*:*:*:ruby:*:*
- >= 8.13.0, <= 8.18.0
A use-after-free vulnerability has been identified in curl and libcurl versions 8.13.0 through 8.18.0, specifically within the SMB protocol handling. The issue arises when a second SMB request is made to the same host. Curl improperly uses a data pointer that references already freed memory, which can lead to undefined behavior. Although this vulnerability has the potential to cause a crash or other noticeable issues, it is considered difficult for an attacker to exploit intentionally. However, there is a slight risk of leaking sensitive information if the freed memory is reallocated with attacker-controlled data before being read.
Exploitation of this vulnerability causes a heap-use-after-free error, which is reported by the AddressSanitizer (ASan) memory error detector. This type of error can lead to a program crash, creating a denial-of-service condition. Additionally, if the freed memory is reallocated with malicious data before the use-after-free occurs, there could be a risk of information disclosure or further memory corruption.
The vulnerability can be reproduced by first building curl from the master branch with the SMB option enabled and AddressSanitizer activated. After compiling curl, the fake SMB server should be started. Once the server is running, curl can be executed with two SMB URLs pointing to the same host. The AddressSanitizer will report the use-after-free error when the second request is processed.
Users can upgrade to curl and libcurl version 8.19.0, where this vulnerability has been fixed. Alternatively, the patch can be applied to the libcurl version in use and the library rebuilt.
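As an added check for this entry (example code, not from the curl project), the following parses `curl --version` output and flags a build as exposed only when its version falls in the 8.13.0 to 8.18.0 range and SMB support is compiled in; the sample outputs are constructed.

```python
"""Flag a curl build as exposed to the SMB use-after-free described above:
version within 8.13.0..8.18.0 AND SMB protocol support compiled in.
Added example, not curl project code; the sample outputs are constructed."""
import re
import subprocess
from typing import Optional, Set, Tuple

AFFECTED_MIN = (8, 13, 0)   # first affected release per the entry
AFFECTED_MAX = (8, 18, 0)   # last affected release; 8.19.0 carries the fix


def parse_curl_version(output: str) -> Tuple[Optional[Tuple[int, int, int]], Set[str]]:
    """Extract the version tuple and protocol set from `curl --version` text."""
    version = None
    protocols: Set[str] = set()
    for line in output.splitlines():
        m = re.match(r"curl (\d+)\.(\d+)\.(\d+)", line)
        if m and version is None:
            version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
        elif line.startswith("Protocols:"):
            protocols = set(line.split(":", 1)[1].split())
    return version, protocols


def assess(output: str) -> dict:
    """Return findings; 'affected' requires both the version range and SMB."""
    version, protocols = parse_curl_version(output)
    in_range = version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX
    smb_enabled = bool({"smb", "smbs"} & protocols)
    return {"version": version, "in_affected_range": in_range,
            "smb_enabled": smb_enabled, "affected": in_range and smb_enabled}


def assess_local_curl(binary: str = "curl") -> dict:
    """Run the installed binary and assess it (needs curl on PATH)."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return assess(out)


# Constructed sample outputs (not captured from real systems).
SAMPLE_VULNERABLE = ("curl 8.15.0 (x86_64-pc-linux-gnu) libcurl/8.15.0 OpenSSL/3.0.13\n"
                     "Protocols: dict file ftp ftps http https smb smbs\n")
SAMPLE_NO_SMB = ("curl 8.16.0 (x86_64-pc-linux-gnu) libcurl/8.16.0 OpenSSL/3.0.13\n"
                 "Protocols: dict file ftp ftps http https\n")
SAMPLE_FIXED = ("curl 8.19.0 (x86_64-pc-linux-gnu) libcurl/8.19.0 OpenSSL/3.0.13\n"
                "Protocols: dict file ftp ftps http https smb smbs\n")

if __name__ == "__main__":
    for name, sample in [("vulnerable", SAMPLE_VULNERABLE), ("no-smb", SAMPLE_NO_SMB),
                         ("fixed", SAMPLE_FIXED)]:
        print(name, assess(sample))
```

A build that is in the version range but lacks `smb`/`smbs` in its protocol list does not reach the vulnerable SMB code path, which is why the check requires both conditions.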