hackerone / nyymi / H1:1546268
History: Apr 21, 2022 - 3:28 a.m.

curl: CVE-2022-27775: Bad local IPv6 connection reuse

2022-04-21 03:28:28
nyymi
hackerone.com

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 28.3%

Summary:

Curl doesn't consider the IPv6 address zone index when doing connection reuse. If a connection exists to a specific IPv6 address (and the other conditions for connection reuse are fulfilled), it will be reused regardless of the zone index.

Steps To Reproduce:

1. Set up a fake server: echo -ne 'HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nHello\n' | nc -6 -v -l -p 9999
2. curl "http://[ipv6addr]:9999/x" "http://[ipv6addr%25lo]:9999/y"

Both connections arrive at the test server:

Listening on :: 9999
Connection received on somehost someport
GET /x HTTP/1.1
Host: [ipv6addr]:9999
User-Agent: curl/7.83.0-DEV
Accept: */*

GET /y HTTP/1.1
Host: [ipv6addr]:9999
User-Agent: curl/7.83.0-DEV
Accept: */*

Clearly the 2nd connection should fail, as the address is not available on interface lo. (A lone connection to http://[ipv6addr%25lo]:9999/ fails with curl: (7) Couldn't connect to server.)
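As an added illustration (not curl's own code), the following Python toy keys a connection cache the way the report describes, once ignoring the zone index and once including it, and replays the two requests from the steps above; the fe80::1 address is constructed for the example.

```python
import re
from urllib.parse import unquote

# scheme://[v6-literal]:port/path -- inside the brackets a zone index arrives
# percent-encoded, e.g. "[fe80::1%25lo]" means address fe80::1 via interface lo.
_URL_RE = re.compile(
    r"^(?P<scheme>https?)://\[(?P<host>[^\]]+)\](?::(?P<port>\d+))?(?P<path>/.*)?$"
)

def parse_target(url: str):
    """Return (scheme, address, zone, port); zone is "" when the URL has none."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"unsupported URL: {url}")
    literal = unquote(m.group("host"))       # "fe80::1%25lo" -> "fe80::1%lo"
    address, _, zone = literal.partition("%")
    port = int(m.group("port") or {"http": 80, "https": 443}[m.group("scheme")])
    return m.group("scheme"), address.lower(), zone, port

class ConnectionCache:
    """Toy cache (not curl's): one connection id per reuse key."""

    def __init__(self, key_includes_zone: bool):
        self.key_includes_zone = key_includes_zone
        self.open = {}        # reuse key -> connection id
        self.next_id = 0

    def _key(self, url: str):
        scheme, address, zone, port = parse_target(url)
        if self.key_includes_zone:
            return (scheme, address, zone, port)  # hardened: zone is part of the key
        return (scheme, address, port)            # vulnerable: zone dropped

    def connect(self, url: str):
        """Return (connection id, reused) for a request to url."""
        key = self._key(url)
        if key in self.open:
            return self.open[key], True
        self.next_id += 1
        self.open[key] = self.next_id
        return self.next_id, False

def replay_report(key_includes_zone: bool) -> bool:
    """Issue the report's two requests; fe80::1 is a constructed address."""
    cache = ConnectionCache(key_includes_zone)
    cache.connect("http://[fe80::1]:9999/x")
    _, reused = cache.connect("http://[fe80::1%25lo]:9999/y")
    return reused   # True means the zone-less connection served the %lo request
```

With the zone dropped from the key the second request silently rides the first connection, which is the behaviour the server output above shows; with the zone in the key it gets its own connection attempt and can fail on its own.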

Impact

Reuse of the wrong connection, leading to potential disclosure of confidential information.

The practical impact of this vulnerability is very low, due to the rarity of situations where interfaces would have identical addresses. The attacker would also need to be able to manipulate the addresses the victim app connects to (making it first connect to an interface controlled by the attacker). Finally, it doesn't seem likely that TLS would be used for such connections, making the scenario rather insecure to begin with. It seems likely that if the attacker has the ability to set up interfaces with identical addresses they would have an easier way to compromise the system anyway.
