curl
cpe:2.3:a:curl_project:curl:*:*:*:*:ruby:*:*, +1 more
- >= 7.10.6, <= 8.19.0
A vulnerability exists in curl and libcurl from version 7.10.6 up to, but not including, 8.20.0, where the library may incorrectly reuse connections for authenticated HTTP(S) requests. The issue arises after Negotiate authentication has been performed on a connection to the same host. The flaw allows an application to unintentionally mix credentials between two users, potentially leading to unauthorized access or actions on behalf of the first user.
Exploitation of this vulnerability allows for cross-user authentication impersonation, where one user can be authenticated as another on servers using persistent Negotiate authentication, such as Windows IIS with Kerberos. This could lead to unauthorized access to sensitive data and the ability to perform actions on behalf of the impersonated user.
The vulnerability can be reproduced by first authenticating a connection using Negotiate with one set of credentials, and then sending a request with a different set of credentials while reusing the same connection. This can be done using the curl command-line tool or through a program that uses libcurl's multi-handle feature, which shares a connection pool.
Users are advised to upgrade to curl and libcurl version 8.20.0 or later, or to apply the patch available in the curl GitHub repository.
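To decide whether a host needs the upgrade, the following added example (not code from the curl project or from this advisory) parses `curl --version` output and compares the reported libcurl version against the affected range stated above. The status labels and the SPNEGO feature test are assumptions of this example, and the sample output is constructed.

```python
import re
import subprocess

# Affected range as stated on this page: >= 7.10.6, <= 8.19.0 (fixed in 8.20.0).
FIRST_AFFECTED = (7, 10, 6)
FIRST_FIXED = (8, 20, 0)

# Constructed sample of `curl --version` output, used for offline testing.
SAMPLE = (
    "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3\n"
    "Protocols: file ftp ftps http https\n"
    "Features: alt-svc AsynchDNS GSS-API HSTS IPv6 Kerberos NTLM SPNEGO SSL\n"
)

def parse_curl_version(output):
    """Return (libcurl version tuple, set of features) from `curl --version` text."""
    # The flaw is in the library, so read the libcurl/ token, not the tool version:
    # the curl binary can be linked against a different libcurl release.
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", output)
    if m is None:
        raise ValueError("no libcurl/X.Y.Z token in output")
    version = tuple(int(part) for part in m.groups())
    features = set()
    for line in output.splitlines():
        if line.startswith("Features:"):
            features = set(line.split(":", 1)[1].split())
    return version, features

def assess(output):
    """Classify a build by version range and Negotiate capability."""
    version, features = parse_curl_version(output)
    if version >= FIRST_FIXED:
        return "fixed"
    if version < FIRST_AFFECTED:
        return "not-affected"
    # Assumption: a build without the SPNEGO feature cannot perform Negotiate
    # authentication, so the reuse condition cannot be reached through it.
    if "SPNEGO" not in features:
        return "affected-no-negotiate"
    # A version check cannot see a separately applied patch; confirm with the
    # package changelog before treating a vendor build as vulnerable.
    return "affected"

if __name__ == "__main__":
    out = subprocess.run(["curl", "--version"], capture_output=True, text=True).stdout
    print(assess(out))
```

Applications that link libcurl directly should be checked against the library they actually load, which may differ from the system `curl` binary.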