CVE-2021-22922 Overview
CVE-2021-22922 is a vulnerability in curl's metalink download feature that fails to properly handle hash verification failures. When curl downloads content using metalink, it verifies the downloaded contents against a hash provided in the metalink XML file. If one of the servers hosting the content has been compromised and the file has been replaced with a modified payload, curl should detect this when the hash mismatches after download completion, remove the malicious content, and attempt to retrieve the file from an alternate URL. However, this is not implemented correctly—hash mismatches are only reported as text warnings while the potentially malicious content remains on disk.
Critical Impact
Attackers who compromise a metalink mirror server can deliver malicious payloads to curl users, as hash verification failures do not prevent the compromised file from being retained on the target system.
Affected Products
- Haxx curl (versions with metalink support)
- Fedora 33
- NetApp Cloud Backup
- NetApp Clustered Data ONTAP
- NetApp HCI Management Node
- NetApp SolidFire
- Oracle MySQL Server
- Siemens SINEC Infrastructure Network Services
- Splunk Universal Forwarder
- NetApp H-Series Hardware (H300S, H500S, H700S, H300E, H500E, H700E, H410S)
Discovery Timeline
- August 5, 2021 - CVE-2021-22922 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-22922
Vulnerability Analysis
This vulnerability affects curl's metalink functionality, which enables downloading the same content from multiple mirror servers for redundancy and improved reliability. The metalink XML file contains URLs pointing to various mirror servers along with cryptographic hashes to verify file integrity. This design should provide protection against compromised mirrors by validating downloaded content against expected hash values.
The flaw lies in curl's improper exception handling when a hash verification failure occurs. Rather than treating a hash mismatch as a security event requiring remediation (removing the downloaded file and retrying from another source), curl merely outputs a warning message while leaving the potentially malicious file intact on the filesystem. This behavior directly contradicts the security guarantees that metalink hash verification is supposed to provide.
Root Cause
The root cause stems from improper handling of exceptional conditions (CWE-755) in curl's metalink processing logic. When the computed hash of a downloaded file does not match the expected hash from the metalink XML, the error handling code path fails to delete the compromised file or trigger fallback retrieval from alternative mirror URLs. The application treats a critical security verification failure as a non-fatal warning rather than an error requiring corrective action.
Attack Vector
An attacker who has compromised one of the mirror servers specified in a metalink XML file can exploit this vulnerability by:
- Replacing legitimate files on the compromised server with malicious payloads
- When a user's curl client attempts to download using metalink and selects the compromised mirror, the malicious file is downloaded
- Curl calculates the hash and detects the mismatch with the expected value
- Despite the verification failure, curl leaves the malicious file on the user's disk
- The user may unknowingly execute or use the malicious content, believing it passed integrity verification
The attack requires network access and user interaction (the victim must initiate a metalink download that includes the compromised server). The vulnerability enables integrity compromise without confidentiality or availability impact.
Detection Methods for CVE-2021-22922
Indicators of Compromise
- Curl warning messages in logs indicating metalink hash verification failures
- Downloaded files with unexpected checksums despite curl metalink verification being enabled
- Evidence of curl metalink operations followed by execution of files that fail manual hash verification
- Network connections to known compromised mirror servers during metalink download operations
Detection Strategies
- Monitor curl process output and logs for metalink hash mismatch warnings
- Implement file integrity monitoring to detect files that differ from expected checksums after metalink downloads
- Review system logs for patterns indicating metalink download operations followed by immediate file execution
- Deploy endpoint detection to correlate curl metalink usage with subsequent suspicious file activity
Monitoring Recommendations
- Enable verbose logging for curl operations in automated scripts and deployment pipelines
- Implement secondary hash verification for files downloaded via metalink before any execution or processing
- Configure SIEM rules to alert on curl metalink hash verification failure messages
- Monitor network traffic for metalink XML file retrieval followed by downloads from multiple mirror sources
How to Mitigate CVE-2021-22922
Immediate Actions Required
- Update curl to a patched version that properly handles metalink hash verification failures
- Disable metalink functionality if not required by adding configuration to prevent metalink URL processing
- Implement manual hash verification as a secondary check for all metalink downloads
- Review any files previously downloaded via metalink for integrity concerns
Patch Information
Security patches addressing this vulnerability have been released by multiple vendors. Refer to the following advisories for version-specific guidance:
- Siemens Security Advisory SSA-389290 for SINEC Infrastructure Network Services
- Oracle Security Alert October 2021 for MySQL Server
- NetApp Advisory NTAP-20210902-0003 for NetApp products
- Gentoo GLSA 202212-01 for Gentoo Linux users
- Fedora Package Announcement for Fedora users
Workarounds
- Disable metalink support in curl by avoiding the --metalink option in command-line usage
- Configure curl to use direct URLs instead of metalink files when possible
- Implement wrapper scripts that perform independent hash verification after curl metalink downloads
- Use alternative download tools that properly handle hash verification failures when metalink security is critical
# Configuration example
# Verify file integrity manually after metalink download
# This serves as a secondary check until curl is patched
# After downloading via metalink, verify the hash independently
sha256sum downloaded_file.tar.gz
# Compare output against expected hash from a trusted source
# Alternatively, avoid metalink entirely by using direct URLs
curl -O https://trusted-server.example.com/file.tar.gz
sha256sum file.tar.gz
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
