[SECURITY ADVISORY] curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL
From: Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Wed, 27 Mar 2024 07:58:05 +0100 (CET)
QUIC certificate check bypass with wolfSSL
==========================================
Project curl Security Advisory, March 27 2024 - [Permalink](https://curl.se/docs/CVE-2024-2379.html)
VULNERABILITY
-------------
libcurl skips the certificate verification for a QUIC connection under certain
conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or
curve, the error path accidentally skips the verification and returns OK, thus
ignoring any certificate problems.
INFO
----

To trigger, this issue also requires that the used wolfSSL library was built
with the `OPENSSL_COMPATIBLE_DEFAULTS` symbol set, which is **not** set for the
recommended `configure --enable-curl` builds.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2024-2379 to this issue.

CWE-295: Improper Certificate Validation

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.6.0 to and including 8.6.0
- Not affected versions: curl < 8.6.0 and >= 8.7.0
- Introduced-in: https://github.com/curl/curl/commit/5d044ad9480a9f556f4b6a2

libcurl is used by many applications, but not always advertised as such!

This flaw is also accessible using the curl command line tool.

SOLUTION
--------

Starting in curl 8.7.0, this mistake is fixed.

- Fixed-in: https://github.com/curl/curl/commit/aedbbdf18e689a5eee8dc396

RECOMMENDATIONS
---------------

A - Upgrade curl to version 8.7.0

B - Apply the patch to your local version

C - Avoid using HTTP/3 with curl built to use wolfSSL

TIMELINE
--------

This issue was reported to the curl project on March 10, 2024. We contacted
distros_at_openwall on March 19, 2024.

curl 8.7.0 was released on March 27 2024 around 07:00 UTC, coordinated with the
publication of this advisory.

The curl security team is not aware of any active exploits using this
vulnerability.

CREDITS
-------

- Reported-by: Dexter Gerig
- Patched-by: Daniel Stenberg

Thanks a lot!

-- / daniel.haxx.se
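As an added, defender-side example that is not part of this advisory or of the curl project's own tooling: a POSIX shell check that classifies the text of `curl --version` against the affected profile stated above (curl 8.6.0, wolfSSL TLS backend, HTTP3 feature present). The sample outputs are constructed, and since the wolfSSL `OPENSSL_COMPATIBLE_DEFAULTS` build condition is not visible in `curl --version`, a match means "potentially affected" rather than "confirmed exploitable".

```shell
#!/bin/sh
# Added example, not from the advisory: classify `curl --version` output
# against the CVE-2024-2379 profile: curl 8.6.0, wolfSSL backend, HTTP3 enabled.
# The wolfSSL OPENSSL_COMPATIBLE_DEFAULTS condition is invisible here, so a
# match means "potentially affected", not "confirmed exploitable".

# Returns 0 when the text matches the affected profile, 1 otherwise.
cve_2024_2379_affected() {
    ver_text=$1
    first=$(printf '%s\n' "$ver_text" | sed -n '1p')
    # Second word of the first line is the curl version ("curl 8.6.0 (...)")
    ver=$(printf '%s\n' "$first" | awk '{print $2}')
    [ "$ver" = "8.6.0" ] || return 1
    # The TLS backend appears on the first line as "wolfSSL/<version>"
    printf '%s\n' "$first" | grep -q 'wolfSSL/' || return 1
    # QUIC support is advertised as the HTTP3 feature
    printf '%s\n' "$ver_text" | grep -q '^Features:.* HTTP3' || return 1
    return 0
}

# Constructed sample outputs (not captured from real builds).
SAMPLE_AFFECTED='curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 wolfSSL/5.6.6 ngtcp2/1.2.0 nghttp3/1.1.0
Release-Date: 2024-01-31
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 IPv6 SSL'

SAMPLE_FIXED='curl 8.7.0 (x86_64-pc-linux-gnu) libcurl/8.7.0 wolfSSL/5.6.6 ngtcp2/1.2.0 nghttp3/1.1.0
Release-Date: 2024-03-27
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 IPv6 SSL'

SAMPLE_OPENSSL='curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 OpenSSL/3.0.13
Release-Date: 2024-01-31
Features: alt-svc AsynchDNS HSTS HTTP2 IPv6 SSL'

# Check the curl on this host, if one is installed.
if command -v curl >/dev/null 2>&1; then
    if cve_2024_2379_affected "$(curl --version)"; then
        echo "local curl: potentially affected by CVE-2024-2379, upgrade to 8.7.0"
    else
        echo "local curl: not in the affected profile"
    fi
fi
```

Recommendation C above (avoid HTTP/3 with a wolfSSL build) is the mitigation when upgrading is not immediately possible; this script only tells you which hosts that applies to.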