Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO website Info
Protocols
CA Extract HTTP cookies HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Numbering Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / IDN wildcard match
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Original report
Vulnerability Disclosure
Vulnerabilities Table
Awarded 480 USD

CVE-2023-28321

IDN wildcard match

Project curl Security Advisory, May 17th 2023 - Permalink

VULNERABILITY

curl supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch.

IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

INFO

curl's wildcard matching function is used only when curl was built to use OpenSSL, Schannel or Gskit. All other backends use the matching functions of the corresponding TLS library and are thus not vulnerable to this flaw.

This flaw is lessened somewhat by two factors:

curl does not need to be built with IDN support to be vulnerable, as a user can pass in a puny coded version of the hostname directly in the URL and can then trigger this flaw.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-28321 to this issue.

CWE-295: Improper Certificate Validation

Severity: Low

AFFECTED VERSIONS

This bug was introduced in curl when IDN support was first introduced, in curl 7.12.0 - June 2004. The wildcard function was subsequently updated for this case in 2012 (the IDN problem is mentioned in RFC 6125 in a far from obvious way) but was done wrongly, so the flaw remained.

libcurl is used by many applications, but not always advertised as such!

SOLUTION

curl 8.1.0 completely removes the support for "partial" matches and now only supports *.. No a*, a*b or *b matches. For all hostnames, IDN or not.

RECOMMENDATIONS

A - Upgrade curl to version 8.1.0

B - Apply the patch to your local version

TIMELINE

This issue was reported to the curl project on April 17 2023. We contacted distros@openwall on May 9, 2023.

curl 8.1.0 was released on May 17 2023, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!