curl / Mailing Lists / curl-users / Single Mail

curl-users

[SECURITY ADVISORY] curl: Win CE schannel cert wildcard matches too much

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 21 Dec 2016 07:59:24 +0100 (CET)

Win CE schannel cert wildcard matches too much
==============================================

Project curl Security Advisory, December 21, 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20161221B.html)

VULNERABILITY
-------------

curl's TLS server certificate checks are flawed on Windows CE.

This vulnerability occurs in the verify certificate function when comparing a
wildcard certificate name (as returned by the Windows API function
CertGetNameString) to the hostname used to make the connection to the server.

The vulnerability can be triggered with an overly permissive wildcard SAN in
the server certificate such as a DNS name of "*.com". When the function
compares the cert name to the connection hostname, the wildcard character is
removed from the cert name and the connection hostname is checked to see if it
ends with the modified cert name. This means a hostname of example.com would
match a DNS SAN of *.com, among other variations. This approach violates
recommendations in RFC 6125 and could lead to MITM attacks.

We are not aware of any exploit of this flaw.

INFO

----
This vulnerability only happens on libcurl built for Windows CE using the
schannel TLS backend.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-9952 to this issue.
AFFECTED VERSIONS
-----------------
This flaw exists in the following libcurl versions.
- Affected versions: libcurl 7.30.0 to and including 7.51.0
- Not affected versions: libcurl >= 7.52.0
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
------------
In version 7.52.0, the certificate check is changed to instead use the libcurl
certificate verifying function used for a few other TLS backends that doesn't
contain these flaws.
A [patch for CVE-2016-9952](https://curl.haxx.se/CVE-2016-9952.patch) is
available.  The patch is the same as for [CVE-2016-9953](adv_20161221C.html).
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
  A - Upgrade curl and libcurl to version 7.52.0
  B - Apply the patch to your version and rebuild
  C - Do not use the schannel backend on Windows CE
TIME LINE
---------
It was first reported to the curl project on November 29 by Dan McNulty.
We contacted MITRE on December 13.
curl 7.52.0 was released on December 21 2016, coordinated with the publication
of this advisory.
CREDITS
-------
Reported and patched by Dan McNulty.
-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ:        https://curl.haxx.se/docs/faq.html
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-12-21