CVE-2021-22926 Overview
CVE-2021-22926 is a certificate validation bypass vulnerability affecting libcurl when built with macOS's native TLS library, Secure Transport. The vulnerability allows an attacker to trick applications into using a malicious file-based client certificate instead of the intended certificate specified by name, potentially causing improper TLS authentication and connection failures.
Applications using libcurl can request a specific client certificate via the CURLOPT_SSLCERT option (or --cert command line flag). When libcurl is compiled to use macOS Secure Transport, it accepts certificate specifications either by name or by file path using the same option. If a file exists with the same name as the requested certificate, libcurl will prioritize the file-based certificate over the named certificate. An attacker with write access to the application's current working directory (such as /tmp) can plant a malicious certificate file, causing the application to send an incorrect client certificate during TLS handshakes.
Critical Impact
Attackers can manipulate TLS client certificate selection, potentially causing authentication failures, denial of service, or connection to unintended servers when applications run from world-writable directories.
Affected Products
- Haxx curl (versions using macOS Secure Transport)
- NetApp Active IQ Unified Manager
- NetApp Clustered Data ONTAP
- NetApp HCI Management Node
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
- NetApp SnapCenter
- NetApp SolidFire
- Oracle MySQL Server
- Oracle PeopleSoft Enterprise PeopleTools (versions 8.57, 8.58, 8.59)
- Siemens SINEC Infrastructure Network Services
- Splunk Universal Forwarder
- NetApp H-Series Hardware (H300S, H300E, H500E, H500S, H700S, H700E, H410S)
Discovery Timeline
- 2021-08-05 - CVE-2021-22926 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22926
Vulnerability Analysis
This vulnerability stems from ambiguous certificate identification in libcurl's macOS Secure Transport implementation. When an application specifies a client certificate using CURLOPT_SSLCERT, libcurl must determine whether the provided value represents a certificate name (to be looked up in the macOS Keychain) or a file path. The problematic behavior occurs because libcurl checks for file existence before attempting a name-based lookup.
If an attacker can create a file in the application's current working directory with the same name as the expected certificate, libcurl will load and use the attacker-controlled file certificate instead of the legitimate named certificate from the Keychain. This is particularly dangerous when applications operate from world-writable directories like /tmp, where any local user can create files.
The exploitation scenario requires the attacker to have local write access to a directory where the target application executes curl operations. While this limits the attack surface to local privilege escalation scenarios, multi-user systems and containerized environments may be particularly vulnerable.
Root Cause
The root cause is improper certificate validation logic (CWE-295) combined with business logic errors (CWE-840) in how libcurl resolves certificate specifications. The library fails to clearly distinguish between name-based and file-based certificate references, creating an ambiguity that attackers can exploit. The file existence check takes precedence over Keychain lookups, allowing file-based certificate injection when an attacker can predict the certificate name used by a target application.
Attack Vector
The attack requires local access to the system running the vulnerable application. An attacker must:
- Identify an application using libcurl with Secure Transport that specifies client certificates by name
- Determine the certificate name being requested by the application
- Gain write access to a directory where the target application executes (commonly /tmp or other shared directories)
- Create a malicious certificate file with the same name as the expected certificate
- Wait for the application to initiate a TLS connection requiring client authentication
The exploitation mechanism leverages the file-over-name resolution priority:
When libcurl processes the CURLOPT_SSLCERT option on macOS Secure Transport builds, it first checks whether a file with the specified name exists in the current working directory. If found, the file is loaded as a certificate regardless of whether the application developer intended to reference a Keychain-stored certificate. This creates a Time-of-Check Time-of-Use (TOCTOU) race condition where the certificate resolution can be manipulated between application configuration and actual TLS connection establishment.
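The file-over-name resolution priority described above, modelled in an added example (not libcurl's own code): the vulnerable resolver consults the working directory before the Keychain, while the hardened variant only treats an absolute path as a file and never searches the working directory. The Keychain contents, certificate name and planted file are all constructed for the demonstration.

```python
import os
import tempfile

# Constructed: certificate names the application legitimately expects to find in the Keychain.
KEYCHAIN_NAMES = {"app-client-cert"}


def resolve_vulnerable(spec, cwd, keychain=KEYCHAIN_NAMES):
    """Model of the pre-fix behaviour: a file named like the spec in the working
    directory wins over a Keychain entry of the same name."""
    candidate = os.path.join(cwd, spec)
    if os.path.isfile(candidate):
        return ("file", candidate)
    if spec in keychain:
        return ("keychain", spec)
    return ("error", spec)


def resolve_hardened(spec, cwd, keychain=KEYCHAIN_NAMES):
    """Assumed safer policy (an illustration, not curl's actual patch): only an
    absolute path is treated as a file, and a bare name is only ever a Keychain
    name, so a file planted in the working directory is never consulted."""
    del cwd  # the working directory is deliberately never searched
    if os.path.isabs(spec):
        return ("file", spec) if os.path.isfile(spec) else ("error", spec)
    if spec in keychain:
        return ("keychain", spec)
    return ("error", spec)


def demo():
    """Plant a same-named file in a scratch working directory and compare both resolvers."""
    with tempfile.TemporaryDirectory() as cwd:
        planted = os.path.join(cwd, "app-client-cert")
        with open(planted, "w") as f:  # constructed junk standing in for an attacker's cert
            f.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
        return (resolve_vulnerable("app-client-cert", cwd),
                resolve_hardened("app-client-cert", cwd))


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable resolver picked:", vulnerable)
    print("hardened resolver picked:  ", hardened)
```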
Detection Methods for CVE-2021-22926
Indicators of Compromise
- Unexpected certificate files appearing in application working directories, particularly /tmp
- TLS handshake failures in applications that previously worked correctly
- Log entries indicating certificate mismatch or authentication failures during client certificate authentication
- Suspicious file creation activity in directories used by curl-based applications
Detection Strategies
- Monitor file creation events in world-writable directories, particularly for files with certificate-like names or extensions
- Implement application-level logging of certificate selection to detect when file-based certificates are loaded unexpectedly
- Use file integrity monitoring on directories where applications execute curl operations
- Audit applications running from /tmp or other shared directories that use client certificate authentication
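An added example of the file-monitoring strategy above (not code from the page or any vendor): it scans a directory for certificate-like files, flags any whose name collides with a certificate name the application requests by name, and records whether the directory is world-writable. The scanned directory, its permissions and the files in it are constructed inside the example.

```python
import os
import stat
import tempfile

CERT_EXTENSIONS = {".pem", ".crt", ".cer", ".p12", ".pfx", ".key"}
PEM_MARKER = b"-----BEGIN "


def is_world_writable(path):
    """True when 'other' has write permission on the path (e.g. /tmp)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def looks_like_certificate(path):
    """A file is certificate-like if it has a certificate extension or starts with a PEM header."""
    if os.path.splitext(path)[1].lower() in CERT_EXTENSIONS:
        return True
    try:
        with open(path, "rb") as f:
            return f.read(len(PEM_MARKER)) == PEM_MARKER
    except OSError:
        return False


def scan_directory(directory, expected_names=()):
    """Return one finding per certificate-like file; `expected_names` are the
    Keychain names the application passes to CURLOPT_SSLCERT, so an exact name
    collision is the strongest indicator of substitution."""
    findings = []
    world_writable = is_world_writable(directory)
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        name_collision = entry.name in expected_names
        if name_collision or looks_like_certificate(entry.path):
            st = entry.stat(follow_symlinks=False)
            findings.append({"path": entry.path, "uid": st.st_uid, "mtime": int(st.st_mtime),
                             "name_collision": name_collision, "dir_world_writable": world_writable})
    return findings


def demo():
    """Build a sticky world-writable scratch directory with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o1777)  # mimic /tmp permissions
        for name, body in (("app-client-cert", b"-----BEGIN CERTIFICATE-----\n"),
                           ("notes.txt", b"hello"), ("extra.pem", b"not really pem")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        return sorted((os.path.basename(f["path"]), f["name_collision"], f["dir_world_writable"])
                      for f in scan_directory(d, expected_names={"app-client-cert"}))
```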
Monitoring Recommendations
- Deploy endpoint detection rules to alert on suspicious file operations in directories like /tmp from non-administrative users
- Configure SentinelOne to monitor for anomalous TLS connection patterns that may indicate certificate substitution attacks
- Implement centralized logging for TLS authentication events across systems using affected libcurl versions
- Review application configurations to identify those using CURLOPT_SSLCERT with Secure Transport on macOS
How to Mitigate CVE-2021-22926
Immediate Actions Required
- Update curl and libcurl to the latest patched version addressing CVE-2021-22926
- Audit applications to identify those running from world-writable directories with client certificate requirements
- Configure applications to run from directories with restricted write permissions
- Review and apply vendor patches from Oracle, NetApp, Siemens, and Splunk for affected products
Patch Information
Multiple vendors have released security advisories and patches addressing this vulnerability:
- Oracle Security Alert October 2021 - Addresses MySQL Server and PeopleSoft Enterprise PeopleTools
- Oracle Security Alert January 2022 - Additional Oracle product updates
- NetApp Security Advisory NTAP-20210902-0003 - NetApp product updates
- Siemens Security Advisory SSA-389290 - SINEC Infrastructure Network Services patch
- Gentoo GLSA 202212-01 - Gentoo Linux package updates
Organizations should prioritize updating curl/libcurl libraries across all affected systems and dependencies.
Workarounds
- Avoid running applications that use libcurl client certificates from world-writable directories
- Use absolute file paths for certificate specifications rather than certificate names when possible
- Implement strict directory permissions to prevent unauthorized file creation in application working directories
- Consider using alternative TLS backends for libcurl where client certificate confusion is not possible
- Set restrictive umask values and directory permissions for applications requiring client certificate authentication
# Restrict application working directory permissions (the macOS group is wheel)
chmod 755 /path/to/app/workdir
chown root:wheel /path/to/app/workdir
# Verify curl version and TLS backend (Secure Transport builds report "SecureTransport")
curl --version | grep -iE "ssl|tls|securetransport"
# Check which TLS libraries the curl binary links against (macOS has no ldd; use otool)
otool -L "$(command -v curl)" | grep -iE "ssl|security"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.