Summary:

Curl fails to consider some security related options when reusing TLS connections. For example:

TLS

CURLOPT_SSL_OPTIONS
CURLOPT_PROXY_SSL_OPTIONS
CURLOPT_CRLFILE
CURLOPT_PROXY_CRLFILE
CURLOPT_TLSAUTH_TYPE
CURLOPT_TLSAUTH_USERNAME
CURLOPT_TLSAUTH_PASSWORD
CURLOPT_PROXY_TLSAUTH_TYPE
CURLOPT_PROXY_TLSAUTH_USERNAME
CURLOPT_PROXY_TLSAUTH_PASSWORD

As a result for example TLS connection with lower security (CURLSSLOPT_ALLOW_BEAST, CURLSSLOPT_NO_REVOKE) connection reused when it should no longer be. Also connection that has been authenticated perviously with CURLSSLOPT_AUTO_CLIENT_CERT might be reused for connections that should not be.

SSH

CURLOPT_SSH_PUBLIC_KEYFILE
CURLOPT_SSH_PRIVATE_KEYFILE

If the attacker knows the vulnerable application used SSH key authentication towards specific host with certain username and protocol they can then perform actions to the same host afterwards and abuse the connection reuse.

Impact

• Wrong identity (client certificate) or TLS security options being used for subsequent connections to the same hosts.
• Previously authenticated SSH sessions (SCP/SFTP) reuse.