{"id":19480,"date":"2022-12-21T22:57:56","date_gmt":"2022-12-21T21:57:56","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=19480"},"modified":"2022-12-22T22:59:49","modified_gmt":"2022-12-22T21:59:49","slug":"the-2022-curl-security-audit","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2022\/12\/21\/the-2022-curl-security-audit\/","title":{"rendered":"The 2022 curl security audit"},"content":{"rendered":"\n<p><em>tldr: several hundred hours of dedicated scrutinizing of curl by a team of security experts resulted in two CVEs and a set of less serious remarks.<\/em> The link to the reports is at the bottom of this article.<\/p>\n\n\n\n<p>Thanks to an <a href=\"https:\/\/openssf.org\/\">OpenSSF<\/a> grant, <a href=\"https:\/\/ostif.org\/\">OSTIF<\/a> helped  us set up a curl security audit, which the excellent <a href=\"https:\/\/www.trailofbits.com\/\">Trail of Bits<\/a> was selected to perform in September 2022. We are most grateful to OpenSSF for doing this for us, and I hope all users who use and rely on curl recognize this extraordinary gift. <a href=\"https:\/\/ostif.org\/the-ostif-audit-of-curl-with-trail-of-bits-is-complete\/\">OSTIF <\/a>and <a href=\"https:\/\/blog.trailofbits.com\/2022\/12\/22\/curl-security-audit-threat-model\/\">Trail of Bits<\/a> both posted articles about this audit separately.<\/p>\n\n\n\n<p>We previously had an <a href=\"https:\/\/daniel.haxx.se\/blog\/2016\/11\/23\/curl-security-audit\/\" data-type=\"post\" data-id=\"9346\">audit performed on curl back in 2016<\/a> by <a href=\"https:\/\/cure53.de\/\">Cure53<\/a> (sponsored by Mozilla) but I like to think that we (curl) have traveled quite far and matured a lot since those days. The fixes from the discoveries reported in that old previous audit were all merged and shipped in the 7.51.0 release, in November 2016. 
Now over six years ago.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Changes since previous audit<\/h2>\n\n\n\n<p>We have done a lot in the project that has improved our general security situation over the last six years. I believe we are in a <em>much<\/em> better place than the last time around. But we have also grown and developed a lot more features since then.<\/p>\n\n\n\n<p>curl is now at <strong>150,000<\/strong> lines of C code. This count is for &#8220;product code&#8221; only and excludes blank lines but includes <strong>19%<\/strong> comments.<\/p>\n\n\n\n<p><strong>71<\/strong> additional vulnerabilities have been reported and fixed since then. (<strong>42<\/strong> of those even existed in the version that was audited in 2016 but were obviously not detected.)<\/p>\n\n\n\n<p>We have <strong>30,000<\/strong> additional lines of code today (+27%), and we have done over <strong>8,000<\/strong> commits since.<\/p>\n\n\n\n<p>We have <strong>50%<\/strong> more test cases (now 1550).<\/p>\n\n\n\n<p>We have done <strong>47<\/strong> releases featuring more than <strong>4,200<\/strong> documented bugfixes and 150 changes\/new features.<\/p>\n\n\n\n<p>We have <strong>25<\/strong> times the number of CI jobs: up from 5 in 2016 to <strong>127<\/strong> today.<\/p>\n\n\n\n<p>The OSS-Fuzz project started fuzzing curl in 2017, and it has been fuzzing curl non-stop since.<\/p>\n\n\n\n<p>We <a href=\"https:\/\/daniel.haxx.se\/blog\/2020\/09\/23\/a-google-grant-for-libcurl-work\/\">introduced our &#8220;dynbuf&#8221; system<\/a> internally in 2020 for managing growing buffers to maybe avoid common C mistakes around those.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Audit<\/h2>\n\n\n\n<p>The Trail of Bits team was assigned this as a three-part project:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a Threat Model document<\/li>\n\n\n\n<li>Testing Analysis and Improvements<\/li>\n\n\n\n<li>Secure code Review<\/li>\n<\/ol>\n\n\n\n<p>The project was set up to use a total of 
380 man hours and most of the time two Trail of Bits engineers worked in parallel on the different tasks. The Trail of Bits team themselves eventually also voluntarily extended the program with about a week. They had no problems finding people who wanted to join in and look into curl. We can safely say that they spent a significant amount of time and effort scrutinizing curl.<\/p>\n\n\n\n<p>The curl security team members had frequent status meetings and assisted with details and could help answer questions. We would also get updates and reports on how they progressed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Two security vulnerabilities were confirmed<\/h2>\n\n\n\n<p>The first vulnerability they found ended up known as the <a href=\"https:\/\/curl.se\/docs\/CVE-2022-42915.html\">CVE-2022-42915: HTTP proxy double-free<\/a> issue.<\/p>\n\n\n\n<p>The second vulnerability was found after Trail of Bits had actually ended their work and their report, while they were still running a fuzzer that triggered a separate flaw. This second vulnerability is not covered in the report but was disclosed earlier today in sync with the curl 7.87.0 release announcement: <a href=\"https:\/\/curl.se\/docs\/CVE-2022-43552.html\">CVE-2022-43552: HTTP Proxy deny use-after-free<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Minor frictions detected<\/h2>\n\n\n\n<p>Discoveries and remarks highlighted through their work that were not considered security sensitive we could handle on the fly. 
Some examples include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using <code>--ssl<\/code> now outputs a warning saying it is unsafe and recommending <code>--ssl-reqd<\/code> instead.<\/li>\n\n\n\n<li>The <code>Alt-svc:<\/code> header parser did not deal with illegal port numbers correctly.<\/li>\n\n\n\n<li>The URL parser accepted &#8220;illegal&#8221; characters in the host name part.<\/li>\n\n\n\n<li>Harmless memory leaks.<\/li>\n<\/ul>\n\n\n\n<p>You should of course read the full reports to learn about all the twenty-something issues with all details, including feedback from the curl security team.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Actions<\/h2>\n\n\n\n<p>The curl team acted on all reported issues that we think we could act on. We disagree with the Trail of Bits team on a few issues and there are some that are &#8220;good ideas&#8221; that we should probably work on getting addressed going forward but that can&#8217;t be fixed immediately &#8211; but also don&#8217;t leave any immediate problem or danger in the code.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusions<\/h2>\n\n\n\n<p>Security is not something that can be checked off as <em>done<\/em> once and for all nor can it ever be considered <em>complete<\/em>. It is a process that needs to blend in and affect everything we do when we develop software. Now and forever going forward.<\/p>\n\n\n\n<p>This team of security professionals spent more time and effort in this security auditing and poking on curl with fuzzers than probably anyone else has ever done before. Personally, I am thrilled that they only managed to uncover two actual security problems. I think this shows that a lot of curl code has been written the right way. 
The CVEs they found were not even that terrible.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Lessons<\/h2>\n\n\n\n<p>Twenty-something issues were detected, and while the report includes advice from the auditors on how we should improve things going forward, they are of the kind we all already know we should do and paths we should follow. I could not really find any real lessons as in obvious things or patterns we should stop or new paradigms or styles to adopt.<\/p>\n\n\n\n<p>I think we learned, or more correctly we got these things reconfirmed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>we seem to be doing things mostly correctly<\/li>\n\n\n\n<li>we can and should do more and better fuzzing<\/li>\n\n\n\n<li>adding more tests to increase coverage is good<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Security is hard<\/h2>\n\n\n\n<p>To show how hard security can be, we received no less than <em>three<\/em> additional security reports to the project during the actual lifetime of this audit. Those additional security reports of course came from other people and identified security problems this team of experts did not find.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">My comments on the reports<\/h2>\n\n\n\n<p>The term <em>Unresolved<\/em> is used for a few issues in the report and I have a minor qualm with the use of that particular word in this context for all cases. While it is correct that we in several cases did not act on the advice in the report, we saw some cases where we distinctly disagree with the recommendations and some issues that mentioned things we might work on and address in the future. 
They are all just marked as <em>unresolved<\/em> in the reports, but they are not all unresolved to us in the curl project.<\/p>\n\n\n\n<p>In particular I am not overly pleased with how the issue called TOB-CURLTM-6 is labeled <em>severity high<\/em> and <em>status unresolved<\/em> as I believe this wrongly gives the impression that curl has issues with high severity left unresolved in the code.<\/p>\n\n\n\n<p>If you want to read the specific responses for each and every reported issue from the curl project, they are stored in this <a href=\"https:\/\/gist.github.com\/bagder\/6be7df7ea5ce17ca7f6ab0981de12f13\">separate GitHub gist<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<h2 class=\"wp-block-heading\">The reports<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>You find the two reports linked to from the <a href=\"https:\/\/curl.se\/docs\/security.html\">curl security page<\/a>. A total of almost 100 pages in two PDF documents.<\/p>\n<\/div><\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>tldr: several hundred hours of dedicated scrutinizing of curl by a team of security experts resulted in two CVEs and a set of less serious remarks. The link to the reports is at the bottom of this article. 
Thanks to an OpenSSF grant, OSTIF helped us set up a curl security audit, which the excellent &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2022\/12\/21\/the-2022-curl-security-audit\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">The 2022 curl security audit<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":12106,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,133],"tags":[513,33,428],"class_list":["post-19480","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","category-security","tag-audit","tag-curl-and-libcurl","tag-security"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/19480","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=19480"}],"version-history":[{"count":125,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/19480\/revisions"}],"predecessor-version":[{"id":21197,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/19480\/revisions\/21197"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/12106"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=19480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=19480"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=19480"}],"curies":[{"name":"wp","href":"https:\
/\/api.w.org\/{rel}","templated":true}]}}