libcurl
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*
- >= 7.40.0, <= 8.19.0
A vulnerability exists in libcurl versions 7.40.0 through 8.19.0, where the library may incorrectly reuse SMB connections for transfers. This issue arises because libcurl maintains a pool of recent connections to reduce overhead, but a logical error allows a transfer to reuse a connection that is linked to a different 'share' on the same server. As a result, this flaw could lead to downloading the wrong file or uploading a file to an incorrect location, all while using the same credentials and server name.
Exploitation of this vulnerability can cause data spoofing by allowing an attacker to replace expected files with malicious ones, bypassing application-level URL restrictions. This could lead to processing sensitive information as untrusted data, potentially causing server-side request forgery (SSRF) or executing arbitrary code, depending on how the application handles the files.
The vulnerability can be reproduced by setting up a Samba server with two shares, 'share1' and 'share2'. After creating the shares and adding files to them, the issue can be demonstrated by using curl to sequentially request files from both shares. Due to the connection reuse flaw, curl will fetch the file from 'share1' when 'share2' is requested, effectively spoofing the data.
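A simplified model of the reuse decision described above, added here as an illustration and not taken from libcurl's source. The struct and function names, the host name and the user name are hypothetical; the two shares follow the reproduction. It contrasts a match on server and credentials only with one that also compares the share.

```c
/* Simplified model of SMB connection-pool matching. NOT libcurl source:
   every struct, function and sample value below is hypothetical. */
#include <stdio.h>
#include <string.h>

struct smb_conn {          /* a pooled connection */
    const char *host;      /* server name */
    const char *user;      /* credentials used for the session */
    const char *share;     /* share this connection is linked to */
};

struct smb_request {       /* parsed from smb://host/share/path */
    const char *host, *user, *share;
};

typedef int (*match_fn)(const struct smb_conn *, const struct smb_request *);

/* Flawed check: server and credentials match, share is never compared. */
static int reusable_flawed(const struct smb_conn *c, const struct smb_request *r)
{
    return strcmp(c->host, r->host) == 0 && strcmp(c->user, r->user) == 0;
}

/* Corrected check: the share must be identical as well. */
static int reusable_fixed(const struct smb_conn *c, const struct smb_request *r)
{
    return reusable_flawed(c, r) && strcmp(c->share, r->share) == 0;
}

/* Share the transfer is really served from: the pooled connection's share
   when a connection is reused, the requested share on a fresh connection. */
const char *served_share(const struct smb_conn *pool, size_t n,
                         const struct smb_request *r, match_fn match)
{
    for (size_t i = 0; i < n; i++)
        if (match(&pool[i], r))
            return pool[i].share;   /* reused: the linked share wins */
    return r->share;                /* no match: new connection */
}

/* Constructed scenario: share1 was fetched first, share2 is requested next. */
const char *demo(int fixed)
{
    static const struct smb_conn pool[] = {{"files.example", "alice", "share1"}};
    const struct smb_request req = {"files.example", "alice", "share2"};
    return served_share(pool, 1, &req, fixed ? reusable_fixed : reusable_flawed);
}

int main(void) { printf("%s %s\n", demo(0), demo(1)); return 0; }
```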
Users are advised to upgrade to curl and libcurl version 8.20.0, where this vulnerability has been fixed. Alternatively, the patch can be applied manually and libcurl rebuilt.