cURL / Mailing Lists / curl-users / Single Mail

curl-users

curl SSL CBC IV vulnerability

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 24 Jan 2012 10:18:50 +0100 (CET)

curl SSL CBC IV vulnerability
=============================

Project cURL Security Advisory, January 24th 2012
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
for the SSL/TLS layer.

   This vulernability has been identified (CVE-2011-3389) and is addressed by
   OpenSSL already as they have made a work-around to mitigate the problem.
   When doing so, they figured out that some servers didn't work with the
   work-around and offered a way to disable it.

   The bit used to disable the workaround was then added to the generic
   SSL_OP_ALL bitmask that SSL clients may use to enable work-arounds for
   better compatibility with servers. libcurl uses the SSL_OP_ALL bitmask.

While SSL_OP_ALL is documented to enable "rather harmless" work-arounds, it
does in this case effectively enable this security vulnerability again.

There is no known exploit for this problem.

2. AFFECTED VERSIONS

Only curl and libcurl builds that use OpenSSL are affected.

Affected versions: curl 7.10.6 to and including 7.23.1
Not affected versions: curl < 7.10.6 and >= 7.24.0

Also note that libcurl is used by many applications, and not always
advertised as such.

3. THE SOLUTION

libcurl 7.24.0 never sets the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit

4. RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade to curl and libcurl 7.24.0

B - Apply this patch and rebuild libcurl

http://curl.haxx.se/curl-dont-insert-empty-fragments.patch

C - Rebuild curl with another SSL library

D - Change the option within your application by using the
CURLOPT_SSL_CTX_FUNCTION callback

5. TIME LINE

product-security at Apple reported this problem to us on January 19th 2012.

We discussed solutions and a first patch was written on the same day.

curl 7.24.0 was released on January 24th 2012, coordinated with the
publication of this this flaw.

6. CREDITS

product-security at Apple reported it, Yang Tse helped analyzing the issue

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2012-01-24

This message: [ Message body ]
Next message: John Wiersba: "Curl -s misfeature"
Previous message: Daniel Stenberg: "curl URL sanitization vulnerability"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]