oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[SECURITY ADVISORY] curl: Incorrect reuse of client certificates

From: Daniel Stenberg <daniel () haxx se>
Date: Wed, 7 Sep 2016 13:39:36 +0200 (CEST)
Incorrect reuse of client certificates ====================================== 

Project cURL Security Advisory, September 7th 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20160907.html)

VULNERABILITY
-------------

libcurl built on top of NSS (Network Security Services) incorrectly re-used
client certificates if a certificate from file was used for one TLS connection
but no certificate set for a subsequent TLS connection.

While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong
client cert), this vulnerability was caused by an implementation detail of the
NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420.

We are not aware of any exploit of this flaw.

INFO
----

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-7141 to this issue.

AFFECTED VERSIONS
-----------------

This flaw is present in curl and libcurl only if they are built with the
support for NSS and only if the libnsspem.so library is available at run-time.

- Affected versions: libcurl 7.19.6 to and including 7.50.1
- Not affected versions: libcurl >= 7.50.2

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

A fix for this flaw is included in libcurl 7.50.2 via
[commit `curl-7_50_2~32`](https://github.com/curl/curl/commit/curl-7_50_2~32).
For older releases of libcurl there is a
[patch for CVE-2016-7141](https://curl.haxx.se/CVE-2016-7141.patch).

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Apply the patch on the source code of libcurl and rebuild.

 B - Configure libcurl to use a different TLS backend and rebuild.

 C - Use certificates from NSS database instead of loading them from files.

TIME LINE
---------

This flaw was reported by Red Hat on August 22nd.  The patch fixing the flaw
was published on September 5th.  CVE-2016-7141 was assigned to this flaw on
September 6th.  This advisory was published on September 7th.

CREDITS
-------

Reported by Red Hat.  Security advisory coordinated by Daniel Stenberg.

Thanks a lot!

--

 / daniel.haxx.se
Previous By Date Next
Previous By Thread Next

Current thread: