CVE-2016-3739
TLS certificate check bypass with mbedTLS/PolarSSL
Project curl Security Advisory, May 18th 2016 - Permalink
VULNERABILITY
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, or when explicitly asked to use SSLv3.
This flaw only exists when libcurl is built to use mbedTLS or PolarSSL as the TLS backend.
The documentation for mbedTLS and PolarSSL (wrongly) says that the
API function ssl_set_hostname()
is used only for setting
the name for the TLS extension SNI. The set string is however even more
importantly used by the libraries to verify the server certificate, and
if no "hostname" is set it just skips the check and successfully
continue with the handshake.
libcurl would wrongly avoid using the function when the specified hostname was given as an IP address or when SSLv3 is used, as SNI is not supposed to be used then. This then leads to that all uses of TLS oriented protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc) allows connections to servers with unverified server certificates as long as they are specified as IP addresses or using SSLv3.
By tricking a libcurl-using client to use a URL with a host specified as IP address only, an application could be made to connect to an impostor server or Man In The Middle host without noticing.
Note: PolarSSL is the old name and releases of the library that nowadays is known and released under the name mbedTLS.
INFO
This flaw also affects the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-3739 to this issue.
CWE-297: Improper Validation of Certificate with Host Mismatch
Severity: High
AFFECTED VERSIONS
This flaw is relevant for all versions of curl and libcurl that support PolarSSL or mbedTLS.
- Affected versions: libcurl 7.21.0 to and including 7.48.0
- Not affected versions: libcurl < 7.21.0 and libcurl >= 7.49.0
- Introduced-in: https://github.com/curl/curl/commit/51427e1947ddc07b4ce8ad9
libcurl is used by many applications, but not always advertised as such!
SOLUTION
In version 7.49.0, libcurl properly sets the "hostname" even when it is just an IP address and even when using SSLv3 that does not have SNI.
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 7.49.0
B - Apply the patch to your version and rebuild
C - Build your libcurl with another TLS backend to work around this flaw.
TIMELINE
It was first reported to the curl project on April 21st 2016. We contacted distros@openwall on May 8th.
libcurl 7.49.0 was released on May 18 2016, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Moti Avrahami
- Patched-by: Daniel Stenberg
Thanks a lot!