cURL / Mailing Lists / curl-users / Single Mail

curl-users

[SECURITY ADVISORY] curl: Incorrect reuse of client certificates

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 7 Sep 2016 13:39:36 +0200 (CEST)

Incorrect reuse of client certificates
======================================

Project cURL Security Advisory, September 7th 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20160907.html)

VULNERABILITY
-------------

libcurl built on top of NSS (Network Security Services) incorrectly re-used
client certificates if a certificate from file was used for one TLS connection
but no certificate set for a subsequent TLS connection.

While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong
client cert), this vulnerability was caused by an implementation detail of the
NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420.

We are not aware of any exploit of this flaw.

INFO

----
This flaw also affects the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-7141 to this issue.
AFFECTED VERSIONS
-----------------
This flaw is present in curl and libcurl only if they are built with the
support for NSS and only if the libnsspem.so library is available at run-time.
- Affected versions: libcurl 7.19.6 to and including 7.50.1
- Not affected versions: libcurl >= 7.50.2
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
------------
A fix for this flaw is included in libcurl 7.50.2 via
[commit `curl-7_50_2~32`](https://github.com/curl/curl/commit/curl-7_50_2~32).
For older releases of libcurl there is a
[patch for CVE-2016-7141](https://curl.haxx.se/CVE-2016-7141.patch).
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
  A - Apply the patch on the source code of libcurl and rebuild.
  B - Configure libcurl to use a different TLS backend and rebuild.
  C - Use certificates from NSS database instead of loading them from files.
TIME LINE
---------
This flaw was reported by Red Hat on August 22nd.  The patch fixing the flaw
was published on September 5th.  CVE-2016-7141 was assigned to this flaw on
September 6th.  This advisory was published on September 7th.
CREDITS
-------
Reported by Red Hat.  Security advisory coordinated by Daniel Stenberg.
Thanks a lot!
-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ:        https://curl.haxx.se/docs/faq.html
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-07