CVE-2021-22924 Overview
CVE-2021-22924 is a certificate validation bypass vulnerability in libcurl's connection pooling mechanism. The vulnerability exists because libcurl's config matching function improperly handles certificate issuer path comparisons when determining whether a cached connection can be reused for subsequent transfers. Due to errors in the logic, the matching function did not take the 'issuercert' option into account and performed case-insensitive path comparisons, which could lead to libcurl reusing connections with incorrect security contexts.
Critical Impact
This vulnerability could allow an attacker to cause libcurl to reuse connections that were validated against different certificate issuers, potentially enabling man-in-the-middle attacks or connections to unintended servers.
Affected Products
- Haxx libcurl (multiple versions)
- Oracle MySQL Server
- Oracle PeopleSoft Enterprise PeopleTools 8.57, 8.58, 8.59
- Siemens SINEC Infrastructure Network Services
- Siemens SINEMA Remote Connect Server
- Siemens SCALANCE industrial routers (M804PB, M812-1, M816-1, M826-2, M874-2, M874-3, M876-3, M876-4, MUM856-1, S615)
- Siemens SIMATIC CP 1543-1, CP 1545-1
- Siemens SIMATIC RTU series (RTU3010C, RTU3030C, RTU3031C, RTU3041C)
- NetApp Cloud Backup, Clustered Data ONTAP
- Splunk Universal Forwarder
- Debian Linux 9.0, 10.0, 11.0
- Fedora 33
Discovery Timeline
- 2021-08-05 - CVE-2021-22924 published to NVD
- 2025-06-09 - Last updated in NVD database
Technical Details for CVE-2021-22924
Vulnerability Analysis
The vulnerability resides in libcurl's connection pool management system, which maintains previously used connections for reuse in subsequent transfers. When a new request is made, libcurl checks if any existing pooled connection matches the required configuration to determine if it can be reused. This vulnerability is classified under CWE-20 (Improper Input Validation) and CWE-706 (Use of Incorrectly-Resolved Name or Reference).
The core issue stems from the config matching function's failure to properly validate the issuercert option when comparing connection configurations. Additionally, the function performs case-insensitive comparisons on file paths, which is problematic because file paths are case-sensitive on many systems (particularly Unix-like operating systems) and may even vary depending on the file system in use.
Root Cause
The root cause is a logic error in the connection matching algorithm that fails to include the certificate issuer (issuercert) in the comparison criteria. When libcurl attempts to reuse a pooled connection, it should verify that all security-relevant parameters match, including the certificate issuer path. The omission of this check means that a connection validated against one issuer certificate could be incorrectly reused for a transfer that specifies a different issuer certificate.
Furthermore, the case-insensitive path comparison creates additional security issues on case-sensitive file systems. For example, paths like /path/to/Issuer.crt and /path/to/issuer.crt would be considered equivalent by the matching function, even though they reference different files on Unix systems.
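To make the two defects above concrete, the following is an added example in C that models a libcurl-style "does this pooled connection's TLS configuration match the new transfer?" check. It is not libcurl's own code: the struct and function names (tls_config, config_matches_vulnerable, config_matches_fixed) and the sample paths are invented for illustration. The flawed matcher ignores the issuer certificate path and compares paths case-insensitively; the hardened one includes the issuer and compares every path byte for byte.

```c
/* Simplified model of a connection-pool "config matches" check.
 * Added example, not libcurl's own code; names are invented for illustration. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdbool.h>

/* Hypothetical subset of the TLS settings a pooled connection carries. */
struct tls_config {
    const char *cafile;      /* CA bundle path */
    const char *clientcert;  /* client certificate path, may be NULL */
    const char *issuercert;  /* expected issuer certificate path (the 'issuercert' option) */
};

/* NULL-safe, case-insensitive compare: the flawed way to compare file paths. */
static bool safe_strcasecompare(const char *a, const char *b) {
    if (a && b) return strcasecmp(a, b) == 0;
    return a == b; /* both NULL counts as equal */
}

/* NULL-safe, byte-exact compare: what a path comparison needs on
 * case-sensitive file systems. */
static bool safe_strcmp_exact(const char *a, const char *b) {
    if (a && b) return strcmp(a, b) == 0;
    return a == b;
}

/* Flawed matcher (models the vulnerable behaviour described above):
 * issuercert is never consulted and paths are compared case-insensitively. */
bool config_matches_vulnerable(const struct tls_config *pooled,
                               const struct tls_config *wanted) {
    return safe_strcasecompare(pooled->cafile, wanted->cafile) &&
           safe_strcasecompare(pooled->clientcert, wanted->clientcert);
}

/* Hardened matcher: every security-relevant path, including issuercert,
 * must match byte for byte before the pooled connection may be reused. */
bool config_matches_fixed(const struct tls_config *pooled,
                          const struct tls_config *wanted) {
    return safe_strcmp_exact(pooled->cafile, wanted->cafile) &&
           safe_strcmp_exact(pooled->clientcert, wanted->clientcert) &&
           safe_strcmp_exact(pooled->issuercert, wanted->issuercert);
}

int main(void) {
    /* Constructed sample configurations (paths are made up). */
    struct tls_config pooled       = { "/etc/ssl/ca.pem", NULL, "/etc/pki/issuer-a.crt" };
    struct tls_config other_issuer = { "/etc/ssl/ca.pem", NULL, "/etc/pki/issuer-b.crt" };
    struct tls_config other_case   = { "/etc/ssl/CA.pem", NULL, "/etc/pki/issuer-a.crt" };

    /* 1 = the pooled connection would be reused, 0 = a new connection is made. */
    printf("different issuercert : vulnerable=%d fixed=%d\n",
           config_matches_vulnerable(&pooled, &other_issuer),
           config_matches_fixed(&pooled, &other_issuer));
    printf("CA path differs by case: vulnerable=%d fixed=%d\n",
           config_matches_vulnerable(&pooled, &other_case),
           config_matches_fixed(&pooled, &other_case));
    return 0;
}
```

Run as written, the flawed matcher reports a match (reuse) in both scenarios, so a transfer asking for issuer-b.crt would ride a connection validated against issuer-a.crt, and /etc/ssl/CA.pem would be treated as the same file as /etc/ssl/ca.pem; the hardened matcher rejects both and forces a fresh connection.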
Attack Vector
This vulnerability can be exploited over the network when an application uses libcurl with connection pooling enabled (the default behavior). An attacker who can influence the order or timing of network requests, or who controls a server that the victim application connects to, may be able to cause the application to reuse a connection that was established with different security parameters.
The attack scenario requires specific conditions: the victim application must make multiple TLS connections using different issuercert configurations, and the attacker must be able to influence which connection gets reused. Exploitation is therefore of high complexity, but if it succeeds it could lead to information disclosure by causing the application to communicate over a connection that was validated against the wrong certificate issuer.
Detection Methods for CVE-2021-22924
Indicators of Compromise
- Unexpected TLS certificate validation behavior in applications using libcurl
- Log entries showing connection reuse with mismatched certificate issuer paths
- Applications establishing connections to unintended servers due to connection pool confusion
- Network traffic patterns showing reused connections where certificate parameters differ
Detection Strategies
- Monitor applications using libcurl for unexpected certificate validation warnings or errors
- Implement network monitoring to detect TLS connections that may be reusing sessions inappropriately
- Review application logs for evidence of connection pool anomalies
- Use vulnerability scanning tools to identify systems running affected libcurl versions
Monitoring Recommendations
- Enable verbose logging in libcurl-based applications to track connection pool behavior
- Deploy network intrusion detection systems (NIDS) rules to monitor for anomalous TLS session reuse patterns
- Implement asset inventory to track all systems using affected libcurl versions and downstream products
How to Mitigate CVE-2021-22924
Immediate Actions Required
- Update libcurl to the latest patched version available for your platform
- Review all applications and products that bundle or depend on libcurl for available security updates
- Consult vendor-specific security advisories from Siemens, Oracle, NetApp, and other affected vendors
- Temporarily disable connection pooling in libcurl if updates cannot be immediately applied (use CURLOPT_FRESH_CONNECT)
Patch Information
Multiple vendors have released security updates addressing this vulnerability. Refer to the following advisories for platform-specific guidance:
- Siemens Security Advisory SSA-389290
- Siemens Security Advisory SSA-484086
- Siemens Security Advisory SSA-732250
- Oracle CPU October 2021
- Oracle CPU January 2022
- NetApp Security Advisory NTAP-20210902-0003
- Debian Security Advisory DSA-5197
Workarounds
- Force fresh connections by setting CURLOPT_FRESH_CONNECT to disable connection reuse
- Ensure consistent case usage in certificate issuer paths across all libcurl-based requests
- Implement application-level validation of certificate issuers independent of libcurl's connection pooling
- Isolate applications using different certificate configurations to prevent connection pool sharing
/* Configuration example - force a fresh connection for one transfer via the libcurl C API (note: curl's command-line --no-keepalive only turns off TCP keepalive probes and does not prevent connection reuse) */
#include <curl/curl.h>
CURLcode fetch_fresh(const char *url) {
    CURL *h = curl_easy_init(); if (!h) return CURLE_FAILED_INIT;
    curl_easy_setopt(h, CURLOPT_URL, url);
    curl_easy_setopt(h, CURLOPT_FRESH_CONNECT, 1L); /* do not reuse a pooled connection for this transfer */
    curl_easy_setopt(h, CURLOPT_FORBID_REUSE, 1L);  /* do not put this connection back into the pool afterwards */
    CURLcode rc = curl_easy_perform(h); curl_easy_cleanup(h); return rc; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.