CVE-2011-3389
SSL CBC IV vulnerability
Project curl Security Advisory, January 24th 2012
VULNERABILITY
curl is vulnerable to an SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer.
This vulnerability has been identified (CVE-2011-3389, aka the "BEAST" attack) and is already addressed by OpenSSL, which has made a workaround to mitigate the problem. When doing so, they figured out that some servers did not work with the workaround and offered a way to disable it.
The bit used to disable the workaround was then added to the generic SSL_OP_ALL bitmask that SSL clients may use to enable workarounds for better compatibility with servers. libcurl uses the SSL_OP_ALL bitmask.
While SSL_OP_ALL is documented to enable "rather harmless" workarounds, it does in this case effectively enable this security vulnerability again.
INFO
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-3389 to this issue.
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Severity: High
AFFECTED VERSIONS
Only curl and libcurl builds that use OpenSSL are affected.
Not affected versions: curl < 7.10.6 and >= 7.24.0
Also note that libcurl is used by many applications, and not always advertised as such.
SOLUTION
libcurl 7.24.0 never sets the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit.
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade to curl and libcurl 7.24.0
B - Apply the patch and rebuild libcurl
C - Rebuild curl with another SSL library
D - Change the option within your application by using the CURLOPT_SSL_CTX_FUNCTION callback
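A sketch of option D, added here as an example and not taken from the curl project: a CURLOPT_SSL_CTX_FUNCTION callback that clears the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit that SSL_OP_ALL switched on. The names clear_empty_fragment_bit, countermeasure_active, install_fix and USE_REAL_LIBS are hypothetical, and the stand-in types and SSL_OP_ALL mask used without USE_REAL_LIBS are constructed so the logic runs offline.

```c
/* Added example, not curl project code. For real use, compile with
 * -DUSE_REAL_LIBS into an application that links libcurl and OpenSSL;
 * otherwise constructed stand-ins replace both libraries. */
#include <stdio.h>
#ifdef USE_REAL_LIBS
#include <curl/curl.h>
#include <openssl/ssl.h>
#else
typedef struct { unsigned long options; } SSL_CTX;  /* stand-in context */
typedef void CURL;
typedef int CURLcode;
#define CURLE_OK 0
#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800UL /* as in ssl.h */
/* Constructed mask: other workaround bits plus the empty-fragment bit. */
#define SSL_OP_ALL (0x000003FFUL | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
static unsigned long SSL_CTX_get_options(SSL_CTX *c) { return c->options; }
static unsigned long SSL_CTX_clear_options(SSL_CTX *c, unsigned long o)
{ return c->options &= ~o; }
#endif
/* CURLOPT_SSL_CTX_FUNCTION callback: libcurl calls it after setting its own
 * options on the context, so the bit SSL_OP_ALL brought in can be cleared. */
static CURLcode clear_empty_fragment_bit(CURL *curl, void *sslctx, void *userp)
{
    (void)curl; (void)userp;
    SSL_CTX_clear_options((SSL_CTX *)sslctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
    return CURLE_OK;
}
/* Returns 1 when OpenSSL's empty-fragment countermeasure is active. */
static int countermeasure_active(SSL_CTX *ctx)
{
    return !(SSL_CTX_get_options(ctx) & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
}
#ifdef USE_REAL_LIBS
/* Hypothetical helper: install the callback on the application's handle. */
CURLcode install_fix(CURL *easy)
{
    return curl_easy_setopt(easy, CURLOPT_SSL_CTX_FUNCTION,
                            clear_empty_fragment_bit);
}
#else
int main(void)
{
    SSL_CTX ctx = { SSL_OP_ALL };  /* models what an affected libcurl sets */
    int before = countermeasure_active(&ctx);
    clear_empty_fragment_bit(NULL, &ctx, NULL);
    printf("active before=%d after=%d\n", before, countermeasure_active(&ctx));
    return 0;
}
#endif
```

The callback only takes effect with an OpenSSL-backed libcurl, and SSL_CTX_clear_options requires an OpenSSL version that provides it.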
TIMELINE
product-security at Apple reported this problem to us on January 19th 2012.
We discussed solutions and a first patch was written on the same day.
curl 7.24.0 was released on January 24th 2012, coordinated with the publication of this flaw.
CREDITS
- Reported-by: product-security at Apple
- Help-by: Yang Tse
- Patched-by: Daniel Stenberg
Thanks a lot!