CVE-2024-8096
OCSP stapling bypass with GnuTLS
Project curl Security Advisory, September 11th 2024 - Permalink
VULNERABILITY
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine.
If the returned status reports another error than "revoked" (like for example "unauthorized") it is not treated as a bad certficate.
INFO
This issue only exists when curl is built to use the GnuTLS library. curl can be made to use a large variety of TLS libraries and GnuTLS is not the most common choice.
OCSP stapling is not a widely used feature on the open web, perhaps partly because so many big name sites do not support it.
This bug is not considered a C mistake (likely to have been avoided had we not been using C).
This flaw also affects the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-8096 to this issue.
CWE-295: Improper Certificate Validation
Severity: Medium
AFFECTED VERSIONS
The vulnerable code can only be reached when curl is built to use GnuTLS.
- Affected versions: curl 7.41.0 to and including 8.9.1
- Not affected versions: curl < 7.41.0 and >= 8.10.0
- Introduced-in: https://github.com/curl/curl/commit/f13669a375f
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.10.0
B - Apply the patch to your version and rebuild
C - Build your curl with an unaffected TLS backend
TIMELINE
This issue was reported to the curl project on August 19, 2024. We contacted distros@openwall on September 3, 2024.
curl 8.10.0 was released on September 11 2024 around 06:00 UTC, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Hiroki Kurosawa
- Patched-by: Daniel Stenberg
Thanks a lot!