List: oss-security
Subject: [oss-security] [SECURITY ADVISORY] curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL
From: Daniel Stenberg <daniel () haxx ! se>
Date: 2024-03-27 6:58:05
Message-ID: q229r8q-3r7n-q7nr-6857-12s56291op31 () unkk ! fr
QUIC certificate check bypass with wolfSSL
==========================================
Project curl Security Advisory, March 27 2024 - [Permalink](https://curl.se/docs/CVE-2024-2379.html)
VULNERABILITY
-------------
libcurl skips the certificate verification for a QUIC connection under certain
conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or
curve, the error path accidentally skips the verification and returns OK, thus
ignoring any certificate problems.
INFO
----
To trigger, this issue also requires that the used wolfSSL library was built
with the `OPENSSL_COMPATIBLE_DEFAULTS` symbol set, which is **not** set for
the recommended `configure --enable-curl` builds.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2024-2379 to this issue.
CWE-295: Improper Certificate Validation
Severity: Low
AFFECTED VERSIONS
-----------------
- Affected versions: curl 8.6.0 to and including 8.6.0
- Not affected versions: curl < 8.6.0 and >= 8.7.0
- Introduced-in: https://github.com/curl/curl/commit/5d044ad9480a9f556f4b6a2
libcurl is used by many applications, but not always advertised as such!
This flaw is also accessible using the curl command line tool.
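The conditions above (curl 8.6.0, wolfSSL as the TLS backend, HTTP/3 support) can be read off `curl -V`. The following shell function is an added example, not part of this advisory or of the curl project's tooling; it assumes the usual `curl -V` layout (a first line of the form `curl <version> (<platform>) libcurl/<version> <tls-backend>/<version> ...` followed by a `Features:` line) and the sample output in the comments is constructed. The advisory's remaining condition, wolfSSL built with `OPENSSL_COMPATIBLE_DEFAULTS`, is not visible in `curl -V`, so a match from this check means "inspect the wolfSSL build", not "confirmed affected".

```shell
#!/bin/sh
# Added example, not from the advisory or the curl project.
# Classify a curl build against the CVE-2024-2379 conditions that are
# visible in `curl -V` output: version 8.6.0, wolfSSL backend, HTTP3 feature.
#
# Usage: curl -V | cve_2024_2379_check
# Exit status 0 when all visible conditions hold, 1 otherwise.
cve_2024_2379_check() {
    first=''
    features=''
    while IFS= read -r line; do
        case "$line" in
            curl\ *)    [ -n "$first" ] || first=$line ;;
            Features:*) features=$line ;;
        esac
    done

    # Constructed sample of the first line this parses:
    #   curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 wolfSSL/5.6.6 ...
    # The second field is the curl version; the TLS backend shows up as
    # <name>/<version> among the later fields.
    set -- $first
    ver=${2:-unknown}
    case " $first " in
        *' wolfSSL/'*) backend=wolfSSL ;;
        *)             backend=other ;;
    esac
    # HTTP/3 (QUIC) support is listed as the HTTP3 feature flag.
    case " $features " in
        *' HTTP3 '*) http3=yes ;;
        *)           http3=no ;;
    esac

    if [ "$ver" = 8.6.0 ] && [ "$backend" = wolfSSL ] && [ "$http3" = yes ]; then
        echo "curl $ver, wolfSSL backend, HTTP3 enabled: matches CVE-2024-2379;" \
             "confirm whether wolfSSL was built with OPENSSL_COMPATIBLE_DEFAULTS"
        return 0
    fi
    echo "curl $ver (backend: $backend, HTTP3: $http3): not affected by CVE-2024-2379"
    return 1
}
```

Source the file and run `curl -V | cve_2024_2379_check`; a build that matches still needs the wolfSSL build flags checked separately, and recommendation C above (avoid HTTP/3 with a wolfSSL-built curl) applies until the upgrade to 8.7.0 is done.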
SOLUTION
--------
Starting in curl 8.7.0, this mistake is fixed.
- Fixed-in: https://github.com/curl/curl/commit/aedbbdf18e689a5eee8dc396
RECOMMENDATIONS
---------------
A - Upgrade curl to version 8.7.0
B - Apply the patch to your local version
C - Avoid using HTTP/3 with curl built to use wolfSSL
TIMELINE
--------
This issue was reported to the curl project on March 10, 2024. We contacted
distros@openwall on March 19, 2024.
curl 8.7.0 was released on March 27 2024 around 07:00 UTC, coordinated with
the publication of this advisory.
The curl security team is not aware of any active exploits using this
vulnerability.
CREDITS
-------
- Reported-by: Dexter Gerig
- Patched-by: Daniel Stenberg
Thanks a lot!
--
/ daniel.haxx.se