CVE-2007-3564
GnuTLS insufficient cert verification
Project curl Security Advisory, July 10th 2007 Permalink
VULNERABILITY
libcurl (when built to use GnuTLS) fails to verify that a peer's certificate has not already expired or has not yet become valid. This allows malicious servers to present certificates to libcurl that were not rejected properly.
Notably, the CA certificate and common name checks are still in place which reduces the risk for random servers to take advantage of this flaw.
INFO
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-3564 to this issue.
CWE-298: Improper Validation of Certificate Expiration
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl and libcurl 7.14.0 to and including 7.16.3
- Not affected versions: curl and libcurl < 7.13.2 and curl >= 7.16.4
Note that libcurl needs to be built to use GnuTLS for this flaw to be in effect.
Also note that (lib)curl is used by many applications, and not always advertised as such.
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade to curl and libcurl 7.16.4
B - Apply the patch to your libcurl version
C - Build curl with SSL provided by another library, like OpenSSL or NSS
D - Build curl with SSL disabled
TIMELINE
We were notified on June 27 2007. The notification email contained a valid patch.
We agreed on and coordinated the synchronous disclosure of this problem together with the curl 7.16.4 release.
curl 7.16.4 was released on July 10 2007, just before this flaw was publicly disclosed.
CREDITS
- Reported-by: Kees Cook
- Patched-by: Daniel Stenberg
Thanks a lot!