Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2016-9952: curl - Win CE Schannel cert wildcard matches too much

The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by “*.com.”

CVE
#vulnerability#windows#git#ssl

curl / Docs / curl CVEs / Win CE Schannel cert wildcard matches too much

CVE-2016-9952

Project curl Security Advisory, December 21, 2016 - Permalink

VULNERABILITY

curl’s TLS server certificate checks are flawed on Windows CE.

This vulnerability occurs in the verify certificate function when comparing a wildcard certificate name (as returned by the Windows API function CertGetNameString) to the hostname used to make the connection to the server.

The vulnerability can be triggered with an overly permissive wildcard SAN in the server certificate such as a DNS name of *.com. When the function compares the cert name to the connection hostname, the wildcard character is removed from the cert name and the connection hostname is checked to see if it ends with the modified cert name. This means a hostname of example.com would match a DNS SAN of *.com, among other variations. This approach violates recommendations in RFC 6125 and could lead to MITM attacks.

INFO

This vulnerability only happens on libcurl built for Windows CE using the Schannel TLS backend.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-9952 to this issue.

CWE-295: Improper Certificate Validation

Severity: Medium

AFFECTED VERSIONS

This flaw exists in the following libcurl versions.

  • Affected versions: libcurl 7.27.0 to and including 7.51.0
  • Not affected versions: libcurl < 7.27.0 and libcurl >= 7.52.0
  • Introduced-in: https://github.com/curl/curl/commit/4ab2d26cb83dfbb74ba9eeaaa4835b4dd12883d4

libcurl is used by many applications, but not always advertised as such!

SOLUTION

In version 7.52.0, the certificate check is changed to instead use the libcurl certificate verifying function used for a few other TLS backends that doesn’t contain these flaws.

  • Fixed-in: https://github.com/curl/curl/commit/0354eed41085baa5ba8777019eb

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 7.52.0

B - Apply the patch to your version and rebuild

C - Do not use the Schannel backend on Windows CE

TIMELINE

It was first reported to the curl project on November 29 2016.

We contacted MITRE on December 13.

curl 7.52.0 was released on December 21 2016, coordinated with the publication of this advisory.

CREDITS

  • Reported-by: Dan McNulty
  • Patched-by: Dan McNulty

Thanks a lot!

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907