CVE-2021-22946 Overview
CVE-2021-22946 is a TLS bypass vulnerability affecting curl versions 7.20.0 through 7.78.0. When users configure curl to require TLS encryption for IMAP, POP3, or FTP connections using the --ssl-reqd command line option or the CURLOPT_USE_SSL libcurl option set to CURLUSESSL_CONTROL or CURLUSESSL_ALL, a malicious server can craft a legitimate-appearing response that bypasses the TLS upgrade requirement. This causes curl to silently continue operations without TLS encryption, potentially exposing sensitive data in clear text over the network.
Critical Impact
This vulnerability allows attackers to bypass mandatory TLS encryption, enabling network traffic interception and exposure of sensitive credentials, emails, and data transmitted via IMAP, POP3, or FTP protocols.
Affected Products
- Haxx curl (versions 7.20.0 through 7.78.0)
- Debian Linux (versions 9.0, 10.0, 11.0)
- Fedora (versions 33, 35)
- NetApp Cloud Backup, Clustered Data ONTAP, OnCommand Insight, OnCommand Workflow Automation, SnapCenter
- NetApp H-Series firmware and hardware (H300S, H500S, H700S, H300E, H500E, H700E, H410S)
- Oracle MySQL Server, PeopleSoft Enterprise PeopleTools, Communications Cloud Native Core products
- Apple macOS
- Siemens SINEC Infrastructure Network Services
- Splunk Universal Forwarder
Discovery Timeline
- 2021-09-29 - CVE-2021-22946 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22946
Vulnerability Analysis
This vulnerability exists in curl's STARTTLS negotiation logic for mail and file transfer protocols. When a user explicitly requests TLS encryption via --ssl-reqd or the equivalent libcurl options, curl initiates a STARTTLS handshake with the server. The flaw lies in how curl processes the server's response to this upgrade request.
A malicious or compromised server can return a carefully crafted response that appears legitimate but causes curl to skip the TLS upgrade process entirely. Despite the user's explicit requirement for encrypted communications, curl proceeds with the connection in plain text without generating any error or warning. This silent failure mode is particularly dangerous because users have no indication that their security expectations are not being met.
The impact is significant for confidentiality: any data transmitted after the failed TLS upgrade—including authentication credentials, email content, or transferred files—is sent in clear text and can be intercepted by network-based attackers through man-in-the-middle positioning.
Root Cause
The root cause is improper validation of server responses during the STARTTLS negotiation phase (CWE-325: Missing Required Cryptographic Step, CWE-319: Cleartext Transmission of Sensitive Information). The curl library fails to properly enforce the TLS requirement when the server provides a response that, while technically valid according to the protocol, does not actually establish encrypted communications. The logic error allows the connection to proceed without verifying that TLS encryption has been successfully negotiated.
Attack Vector
The attack requires network positioning to act as or compromise a mail or FTP server that the victim's curl client connects to. The attack flow proceeds as follows:
- An attacker controls or compromises a server that the victim connects to via IMAP, POP3, or FTP
- The victim initiates a connection with --ssl-reqd or equivalent libcurl option enabled
- When curl sends the STARTTLS command, the malicious server responds with a crafted legitimate response
- curl incorrectly interprets the response as successful and proceeds without TLS
- All subsequent communication occurs in clear text, allowing the attacker to capture sensitive data
This attack is particularly effective in scenarios where users connect to mail servers over untrusted networks, as the attacker can intercept email credentials and message contents.
Detection Methods for CVE-2021-22946
Indicators of Compromise
- Unencrypted IMAP (port 143), POP3 (port 110), or FTP (port 21) traffic where TLS was expected
- Network traffic analysis showing STARTTLS commands followed by plain text data transmission
- curl verbose output (-v) showing a STARTTLS exchange that is not followed by a TLS handshake, or protocol commands continuing in clear text after the upgrade request
- Authentication failures or credential theft incidents following network-based attacks
Detection Strategies
- Monitor network traffic for IMAP, POP3, and FTP connections that begin with STARTTLS negotiation but continue with unencrypted data
- Implement deep packet inspection to detect the anomalous server responses that trigger this bypass
- Review system inventories for curl versions between 7.20.0 and 7.78.0 across all systems
- Audit application configurations using libcurl with CURLOPT_USE_SSL settings
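An added example (not from this page or the curl project) of the first detection strategy above: a small Python checker that walks a constructed plaintext session transcript, notes when the client asked for a TLS upgrade (IMAP STARTTLS, POP3 STLS, FTP AUTH TLS) and flags any readable authentication command that follows it, since after a real upgrade those commands would be inside the TLS stream. The transcript format (C:/S: line prefixes) is an assumption.

```python
import re

# Constructed sample transcript (not a real capture): "C: " is client to
# server, "S: " is server to client, one protocol line per transcript line.
SAMPLE_SESSION = """\
S: * OK IMAP4rev1 ready
C: A001 CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS
S: A001 OK
C: A002 STARTTLS
S: A002 OK Begin TLS negotiation now
C: A003 LOGIN alice hunter2
S: A003 OK LOGIN completed
"""

# Commands that request a TLS upgrade in the three protocols curl supports
# with --ssl-reqd; an optional IMAP tag may precede the verb.
UPGRADE_CMDS = re.compile(r"^(?:[A-Za-z0-9]+ )?(STARTTLS|STLS|AUTH TLS)\s*$", re.I)
# Credential-bearing commands that must never be readable after an upgrade.
SENSITIVE_CMDS = re.compile(r"^(?:[A-Za-z0-9]+ )?(LOGIN|AUTHENTICATE|USER|PASS)\b", re.I)


def find_tls_bypass(transcript: str) -> list[str]:
    """Return one finding per cleartext credential command seen after an
    upgrade request. An empty list means no bypass indicator was found."""
    upgrade_requested = False
    findings = []
    for lineno, raw in enumerate(transcript.splitlines(), start=1):
        if not raw.startswith("C: "):
            continue  # only client commands matter for this check
        cmd = raw[3:].strip()
        if UPGRADE_CMDS.match(cmd):
            upgrade_requested = True
            continue
        match = SENSITIVE_CMDS.match(cmd)
        if upgrade_requested and match:
            # Report only the verb; the arguments may contain credentials.
            verb = match.group(1).upper()
            findings.append(f"line {lineno}: cleartext {verb} after TLS upgrade request")
    return findings


if __name__ == "__main__":
    for finding in find_tls_bypass(SAMPLE_SESSION):
        print(finding)
```

The same walk applies to a POP3 session (STLS, then USER/PASS) or an FTP control channel (AUTH TLS, then USER/PASS); decode the capture to the C:/S: form first.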
Monitoring Recommendations
- Enable verbose logging in curl deployments to capture TLS negotiation details
- Deploy network monitoring to detect unexpected clear text mail or FTP traffic on internal networks
- Configure alerts for curl version detection during software asset scans
- Monitor for credential compromise attempts that may indicate previous exploitation
How to Mitigate CVE-2021-22946
Immediate Actions Required
- Upgrade curl to version 7.79.0 or later immediately across all affected systems
- Audit all applications and scripts using libcurl for vulnerable versions
- Review network configurations to identify systems using IMAP, POP3, or FTP with curl
- Consider rotating credentials that may have been transmitted over affected connections
Patch Information
The vulnerability was fixed in curl version 7.79.0. Multiple vendors have released patches for their products incorporating the fixed curl version. Organizations should consult the following security advisories for vendor-specific patch information:
- Oracle Security Alert CPU October 2021
- Oracle Security Alert CPU January 2022
- Oracle Security Alert CPU April 2022
- Oracle Security Alert CPU July 2022
- Siemens Security Advisory SSA-389290
- NetApp Advisory NTAP-20211029-0003
- Apple Support Article HT213183
- Debian Security Advisory DSA-5197
Workarounds
- If upgrading is not immediately possible, avoid using curl for IMAP, POP3, or FTP connections over untrusted networks
- Use implicit TLS on the dedicated ports (imaps:// on 993, pop3s:// on 995, ftps:// on 990) rather than a STARTTLS upgrade, since those connections are encrypted from the first byte and do not depend on the server's upgrade response
- Implement network-level encryption (VPN) as an additional layer when curl must be used with vulnerable versions
- Monitor network traffic for connections to mail and FTP services to detect potential exploitation attempts
# Check installed curl version (the libcurl/ field is the library version that applications link against)
curl --version
# Upgrade curl and the shared libcurl on Debian/Ubuntu (applications using libcurl need the library, not just the binary)
sudo apt update && sudo apt install curl libcurl4
# Upgrade curl on RHEL/CentOS/Fedora
sudo dnf update curl
# Verify STARTTLS enforcement after upgrade: imap:// with --ssl-reqd exercises the upgrade path this fix hardens,
# and the verbose output should show the TLS handshake right after the STARTTLS response
curl -v --ssl-reqd imap://mail.example.com/
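An added example (not from this page or the curl project) that automates the version check above for the inventory and asset-scan steps: it parses `curl --version` output, extracts both the curl and the libcurl version, and reports whether each falls in the affected 7.20.0 to 7.78.0 range. The sample output is constructed; the subprocess call at the bottom is only run when the script is executed directly.

```python
import re
import subprocess

AFFECTED_MIN = (7, 20, 0)
AFFECTED_MAX = (7, 78, 0)  # fixed in 7.79.0

# First line of `curl --version`, e.g. "curl 7.78.0 (x86_64-pc-linux-gnu) libcurl/7.78.0 ...".
_VERSION_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+).*?libcurl/(\d+)\.(\d+)\.(\d+)", re.M)

# Constructed sample output (not taken from a real host).
SAMPLE_OUTPUT = (
    "curl 7.78.0 (x86_64-pc-linux-gnu) libcurl/7.78.0 OpenSSL/1.1.1k zlib/1.2.11\n"
    "Release-Date: 2021-07-21\n"
)


def parse_curl_version(output: str) -> tuple[tuple[int, int, int], tuple[int, int, int]]:
    """Return (curl_version, libcurl_version) parsed from `curl --version` output."""
    match = _VERSION_RE.search(output)
    if not match:
        raise ValueError("unrecognised curl --version output")
    nums = tuple(int(x) for x in match.groups())
    return nums[:3], nums[3:]


def is_affected(version: tuple[int, int, int]) -> bool:
    """True when the version lies in the range this CVE affects."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(output: str) -> dict:
    """Assess the binary and the library separately: a patched curl binary may
    still ship alongside an older shared libcurl used by other applications."""
    curl_ver, libcurl_ver = parse_curl_version(output)
    return {
        "curl": curl_ver,
        "libcurl": libcurl_ver,
        "curl_affected": is_affected(curl_ver),
        "libcurl_affected": is_affected(libcurl_ver),
    }


if __name__ == "__main__":
    out = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=True).stdout
    print(assess(out))
```

A distribution that backports the fix (Debian's DSA-5197, listed above, is one case) keeps the original version string, so treat a hit from this check as a prompt to confirm against the package changelog rather than as proof of exposure.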
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.