Allele Security Alert
ASA-2019-00390
Identifier(s)
ASA-2019-00390, CVE-2019-5443
Title
Windows OpenSSL engine code injection
Vendor(s)
the Curl Project
Product(s)
curl
Affected version(s)
curl for Windows before version 7.65.1_2
Fixed version(s)
curl for Windows version 7.65.1_2
Proof of concept
Unknown
Description
A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl automatically run the code (as an OpenSSL “engine”) on invocation. If that curl is invoked by a privileged user, the code can do anything it wants.
This flaw exists in the official curl-for-windows binaries built and hosted by the curl project (all versions up to and including 7.65.1_1). It does not exist in the curl executable shipped by Microsoft, bundled with Windows 10. It possibly exists in other curl builds for Windows that use OpenSSL, too.
Technical details
This bug sneaked in partly due to insecure default build options in OpenSSL when it is cross-compiled and partly due to a misleading commit message in the curl commit that made it possible to disable this feature.
This bug does not exist in the curl or libcurl source code but in the scripts for the Windows build.
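An added example, not part of the advisory or the curl project's code: a check for the build-option problem described above, for anyone shipping their own Windows build that uses OpenSSL. It reads the compiled-in `OPENSSLDIR` and `ENGINESDIR` values from `openssl version -a` output, resolves them as Windows would, and flags any that fall outside administrator-only directories; the sample outputs, function names and protected-root list are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples of `openssl version -a` output (illustrative values,
# not taken from the advisory): a cross-compiled build and a native one.
CROSS_BUILD = r'''OpenSSL 1.1.1c  28 May 2019
platform: mingw64
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1_1"
'''
NATIVE_BUILD = r'''OpenSSL 1.1.1c  28 May 2019
platform: VC-WIN64A
OPENSSLDIR: "C:\Program Files\Common Files\SSL"
ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"
'''

# Assumption: roots that standard users cannot write to on a default install.
PROTECTED_ROOTS = [PureWindowsPath(r"C:\Program Files"),
                   PureWindowsPath(r"C:\Program Files (x86)"),
                   PureWindowsPath(r"C:\Windows")]

def compiled_dirs(version_output):
    """Return the compiled-in OPENSSLDIR/ENGINESDIR values as a dict."""
    pattern = r'^(OPENSSLDIR|ENGINESDIR): "(.*)"\s*$'
    return dict(re.findall(pattern, version_output, re.M))

def resolve_on_windows(raw, drive="C:"):
    """A path without a drive letter resolves against the current drive root."""
    path = PureWindowsPath(raw)
    if path.drive:
        return path
    return PureWindowsPath(drive + "\\") / str(path).lstrip("\\")

def audit(version_output):
    """List (name, resolved path) for directories outside protected roots."""
    findings = []
    for name, raw in compiled_dirs(version_output).items():
        resolved = resolve_on_windows(raw)
        lineage = (resolved, *resolved.parents)
        if not any(root in lineage for root in PROTECTED_ROOTS):
            findings.append((name, str(resolved)))
    return findings

if __name__ == "__main__":
    for name, path in audit(CROSS_BUILD):
        print(f"{name} resolves to {path}: verify only administrators can write there")
```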
Credits
Rich Mirch
Reference(s)
Windows OpenSSL engine code injection
https://curl.haxx.se/docs/CVE-2019-5443.html
curl: Windows OpenSSL engine code injection
https://seclists.org/oss-sec/2019/q2/196
CVE-2019-5443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5443
CVE-2019-5443
https://nvd.nist.gov/vuln/detail/CVE-2019-5443
Last modified: June 25, 2019