
CVE-2016-9953: curl - Win CE Schannel cert name out of buffer read

The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read.


CVE-2016-9953

Project curl Security Advisory, December 21, 2016 - Permalink

VULNERABILITY

curl’s TLS server certificate checks are flawed on Windows CE.

This vulnerability occurs in the verify certificate function when comparing a wildcard certificate name (as returned by the Windows API function CertGetNameString()) to the hostname used to make the connection to the server.

The pattern matching logic exhibits an out-of-bounds read. If the wildcard certificate name field is longer than the connection hostname, the wildcard comparison code will perform an access out of bounds of the connection hostname heap-based buffer. This issue could technically leak the contents of memory immediately preceding the connection hostname buffer, cause just a crash, or at worst happen to match against another piece of data.
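The following is an added illustration, not curl's code: it contrasts the shape of defect the advisory describes (a suffix comparison that trusts the certificate name's length and so can point before the hostname buffer when the name is longer than the hostname) with a length-bounded matcher that rejects such a name before any comparison happens. Function names, the hostnames and the policy that a wildcard must match exactly one label are all constructed here for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes; callers are responsible
 * for guaranteeing that both buffers hold at least n bytes. */
static bool ci_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Shape of the defect (constructed, not curl's code): the suffix after '*'
 * is compared against the tail of the hostname, but the hostname length is
 * never checked against the suffix length. When the suffix is longer than
 * the hostname, host_tail points BEFORE the hostname buffer and the
 * comparison reads memory preceding it. This file never calls it with such
 * a pattern; it is here only to show what the bounded version prevents. */
static bool naive_wildcard_match(const char *pattern, const char *host)
{
    if (pattern[0] != '*')
        return strlen(pattern) == strlen(host) && ci_equal(pattern, host, strlen(host));
    const char *suffix = pattern + 1;                              /* ".example.com" */
    const char *host_tail = host + strlen(host) - strlen(suffix);  /* unchecked arithmetic */
    return ci_equal(host_tail, suffix, strlen(suffix));
}

/* Bounded matcher: lengths are taken once, every read is checked against
 * them, and a certificate name longer than the hostname is rejected before
 * any byte is compared. Accepts only a single leading "*." label, which
 * must match exactly one hostname label. */
static bool safe_wildcard_match(const char *pattern, size_t pat_len,
                                const char *host, size_t host_len)
{
    if (pat_len == 0 || host_len == 0)
        return false;
    if (pattern[0] != '*')
        return pat_len == host_len && ci_equal(pattern, host, host_len);
    /* Require "*." followed by a suffix that itself contains a dot,
     * so "*.com" style patterns are refused (a policy choice for this example). */
    if (pat_len < 3 || pattern[1] != '.' || memchr(pattern + 2, '.', pat_len - 2) == NULL)
        return false;
    size_t suffix_len = pat_len - 1;          /* ".example.com" */
    if (suffix_len >= host_len)               /* the bound the naive version lacks */
        return false;
    size_t label_len = host_len - suffix_len; /* length of the leftmost host label */
    if (memchr(host, '.', label_len) != NULL) /* '*' may not span several labels */
        return false;
    return ci_equal(host + label_len, pattern + 1, suffix_len);
}

/* Convenience wrapper for NUL-terminated strings. */
bool cert_name_matches(const char *pattern, const char *host)
{
    return safe_wildcard_match(pattern, strlen(pattern), host, strlen(host));
}

int main(void)
{
    /* Constructed sample pairs; none of these trigger the naive over-read. */
    const char *ok_pattern = "*.example.com";
    const char *long_pattern = "*.averylongname.example.com"; /* longer than the host below */
    const char *host = "www.example.com";

    printf("naive  %-28s vs %-16s -> %d\n", ok_pattern, host, naive_wildcard_match(ok_pattern, host));
    printf("safe   %-28s vs %-16s -> %d\n", ok_pattern, host, cert_name_matches(ok_pattern, host));
    /* The bounded version simply refuses a pattern longer than the hostname. */
    printf("safe   %-28s vs %-16s -> %d\n", long_pattern, "x.example.com", cert_name_matches(long_pattern, "x.example.com"));
    return 0;
}
```

The decisive line is the `suffix_len >= host_len` check: it turns the case the advisory describes (certificate name longer than hostname) into a plain mismatch instead of a read outside the hostname buffer. Running the naive function on that same input under AddressSanitizer would report a heap-buffer-overflow read, which is the kind of regression test worth keeping next to a certificate-name matcher.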

INFO

This vulnerability only happens on libcurl built for Windows CE using the Schannel TLS backend.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-9953 to this issue.

CWE-126: Buffer Over-read

Severity: Medium

AFFECTED VERSIONS

This flaw exists in the following libcurl versions.

  • Affected versions: libcurl 7.27.0 to and including 7.51.0
  • Not affected versions: libcurl < 7.27.0 and >= 7.52.0
  • Introduced-in: https://github.com/curl/curl/commit/4ab2d26cb83dfbb74ba9eeaaa4835b4dd12883d4

libcurl is used by many applications, but not always advertised as such!

SOLUTION

In version 7.52.0, the certificate check is changed to instead use the libcurl certificate verifying function used for a few other TLS backends that doesn’t contain these flaws.

  • Fixed-in: https://github.com/curl/curl/commit/0354eed41085baa5ba8777019eb

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 7.52.0

B - Apply the patch to your version and rebuild

C - Do not use the Schannel backend on Windows CE

TIMELINE

It was first reported to the curl project on November 29.

We contacted MITRE on December 13.

curl 7.52.0 was released on December 21, 2016, coordinated with the publication of this advisory.

CREDITS

  • Reported-by: Dan McNulty
  • Patched-by: Dan McNulty

Thanks a lot!
