Incorrect reuse of client certificates
Project curl Security Advisory, September 7th 2016 - Permalink
libcurl built on top of NSS (Network Security Services) incorrectly re-used client certificates if a certificate from file was used for one TLS connection but no certificate set for a subsequent TLS connection.
While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong client cert), this vulnerability was caused by an implementation detail of the NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420.
This flaw also affects the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-7141 to this issue.
CWE-305: Authentication Bypass by Primary Weakness
This flaw is present in curl and libcurl only if they are built with the support for NSS and only if the libnsspem.so library is available at run-time.
- Affected versions: libcurl 7.19.6 to and including 7.50.1
- Not affected versions: libcurl < 7.19.6 and libcurl >= 7.50.2
libcurl is used by many applications, but not always advertised as such!
We suggest you take one of the following actions immediately, in order of preference:
A - Apply the patch on the source code of libcurl and rebuild.
B - Configure libcurl to use a different TLS backend and rebuild.
C - Use certificates from NSS database instead of loading them from files.
This flaw was reported by Red Hat on August 22. The patch fixing the flaw was published on September 5th. CVE-2016-7141 was assigned to this flaw on September 6th. This advisory was published on September 7th.
- Reported-by: Red Hat
- Patched-by: Kamil Dudka
Thanks a lot!