curl: multiple vulnerabilities (CVE-2014-0138 CVE-2014-0139)
CVE-2014-0138 (affected versions: from libcurl 7.10.6 to and including 7.35.0):
libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP.
libcurl features a pool of recent connections so that subsequent requests can re-use an existing connection to avoid overhead.
When re-using a connection a range of criteria must first be met. Due to an error in the code, a transfer that was initiated by an application could wrongfully re-use an existing connection to the same server that was authenticated using different credentials. The existing logic basically only worked well enough for HTTP and FTP, while all other network protocols were silently, but erroneously, assumed to work like HTTP. Basically, protocols that use connection-oriented authentication need a new connection when new credentials are used.
Affected protocols include: SCP, SFTP, POP3(S), IMAP(S), SMTP(S) and LDAP(S).
Applications can disable libcurl's re-use of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or aren't re-used: CURLOPT_FRESH_CONNECT, CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using the curl_multi API).
(This problem is very similar to a problem previously reported for NTLM HTTP connections, named CVE-2014-0015.)
THE SOLUTION
libcurl 7.36.0 makes sure that connections are re-used more strictly.
A patch for this problem is available at:
http://curl.haxx.se/libcurl-bad-reuse.patch
Source: http://curl.haxx.se/docs/adv_20140326A.html
CVE-2014-0139 (affected versions: from libcurl 7.1 to and including 7.35.0):
libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses.
RFC 2818 covers the requirements for matching Common Names (CNs) and subjectAltNames in order to establish valid SSL connections. It first discusses CNs that are for hostnames, and the rules for wildcards in this case. The next paragraph in the RFC then discusses CNs that are IP addresses:
'In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.'
The intention of the RFC is clear in that you should not be able to use wildcards with IP addresses (in order to avoid the ability to perform man-in-the-middle attacks). Unfortunately libcurl fails to adhere to this rule under certain conditions, and subsequently it would allow and use a wildcard match specified in the CN field.
Exploiting this flaw, a malicious server could participate in a MITM attack or just more easily fool users into believing it is a legitimate site for whatever purpose, when it actually isn't.
A good CA should refuse to issue a certificate with the CN as indicated, however there only need be one CA to issue one in error for this issue to result in the user getting no warning at all and being vulnerable to MITM.
This flaw is only present in libcurl when built to use one out of a few specific TLS libraries: OpenSSL, axtls, qsossl or gskit.
This problem is similar to the one previously reported by Richard Moore, found in multiple browsers [1].
THE SOLUTION
libcurl 7.36.0 has an improved host name verification function that rejects wildcard matching against IP addresses.
A patch for this problem is available at:
http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch
Source: http://curl.haxx.se/docs/adv_20140326B.html
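As an added illustration (not libcurl's own code and not the patch linked above), a reduced C host-name matcher that applies the RFC 2818 rule the advisory describes: a wildcard in a certificate name is honoured only as a whole left-most label and never against an IP literal, which is the case the affected builds got wrong. The function and helper names are assumptions of this example.

```c
/* Added example: reduced host-name matcher in the spirit of the 7.36.0 fix.
 * Not libcurl code; names (cert_hostmatch, is_ip_literal) are hypothetical. */
#include <stdbool.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

/* True if `host` parses as an IPv4 or IPv6 literal. */
static bool is_ip_literal(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Returns 1 when `pattern` (a CN or dNSName value) matches `host`.
 * A wildcard is accepted only as the entire left-most label, only with at
 * least two labels after it, and never when `host` is an IP literal. */
int cert_hostmatch(const char *pattern, const char *host)
{
    const char *star = strchr(pattern, '*');

    /* No wildcard: plain case-insensitive comparison. */
    if (!star)
        return strcasecmp(pattern, host) == 0;

    /* An IP literal may only be matched exactly (iPAddress entry), never by
     * a wildcard pattern; this is the condition CVE-2014-0139 concerns. */
    if (is_ip_literal(host))
        return 0;

    /* Wildcard must be the whole first label, as in "*.example.com". */
    const char *pattern_dot = strchr(pattern, '.');
    if (star != pattern || !pattern_dot || star + 1 != pattern_dot)
        return 0;
    /* Reject overly broad patterns such as "*.com". */
    if (!strchr(pattern_dot + 1, '.'))
        return 0;

    /* Host needs a non-empty first label followed by the same suffix. */
    const char *host_dot = strchr(host, '.');
    if (!host_dot || host_dot == host)
        return 0;
    return strcasecmp(pattern_dot, host_dot) == 0;
}
```

The pattern "*.0.0.1" would have matched 127.0.0.1 in an affected build; here the IP-literal check rejects it before any wildcard logic runs.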
(from redmine: issue id 2816, created on 2014-04-03, closed on 2014-04-21)
- Relations:
- child #2817 (closed)
- child #2818 (closed)
- child #2819 (closed)
- child #2820 (closed)
- Changesets:
- Revision d218307c by Timo Teräs on 2014-04-17T09:34:31Z:
main/curl: security upgrade to 7.36.0 (CVE-2014-0138 CVE-2014-0139)
groff is now needed to build built-in manual. ref #2816
- Revision 048866ca by Timo Teräs on 2014-04-17T14:15:34Z:
main/curl: security upgrade to 7.36.0 (CVE-2014-0138 CVE-2014-0139)
groff is now needed to build built-in manual. ref #2816
(cherry picked from commit d218307c3f5ca3bb714075368f71f8c7332371cb)
Conflicts:
main/curl/APKBUILD
- Revision d22f5692 by Timo Teräs on 2014-04-18T11:51:05Z:
main/curl: security upgrade to 7.36.0 (CVE-2014-0138 CVE-2014-0139)
groff is now needed to build built-in manual. ref #2816
(cherry picked from commit d218307c3f5ca3bb714075368f71f8c7332371cb)
Conflicts:
main/curl/APKBUILD
- Revision 79b58711 by Timo Teräs on 2014-04-18T11:54:59Z:
main/curl: security upgrade to 7.36.0 (CVE-2014-0138 CVE-2014-0139)
groff is now needed to build built-in manual. ref #2816
fixes #2818
(cherry picked from commit d218307c3f5ca3bb714075368f71f8c7332371cb)
Conflicts:
main/curl/APKBUILD