Bug 1178698 (CVE-2014-8151)

Summary: CVE-2014-8151 curl: certificate check bypass when built with DarwinSSL as TLS backend
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jrusnack, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libcurl 7.40.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-08 08:04:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1178694    
Attachments:
Description Flags
0001-darwinssl-fix-session-ID-keys-to-only-reuse-identica.patch none

Description Vasyl Kaigorodov 2015-01-05 10:45:10 UTC 
libcurl upstream reports:

"""

libcurl stores TLS Session IDs in its associated Session ID cache when it connects to TLS servers. In subsequent connects it re-uses the entry in the cache to resume the TLS connection faster than when doing a full TLS handshake. The actual implementation for the Session ID caching varies depending on the underlying TLS backend.

libcurl allows applications to switch off certificate verification in two different ways - using CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER.

When an application connected to a TLS server with certificate verification disabled, it would store the Session ID in the cache and if then a subsequent connection was made against the same host and port number, it would re-use the former session and thanks to the the re-used session from the cache, it would skip the certificate check and wrongly accept any bad certificate that could be presented.

The problem was that the "key" used for caching Session IDs didn't take the ceritificate check status into account.

This problem is specific to libcurl built to use the DarwinSSL back-end for TLS, so it can only affect Mac and iPhone based applications.

We are not aware of any public exploits of this flaw.

DarwinSSL is also known as SecureTransport.

"""

External References:

http://curl.haxx.se/docs/adv_20150108A.html

Acknowledgements:

Red Hat would like to thank the curl project for reporting this issue. Upstream acknowledges Marc Hesse of RethinkDB as the original reporter.
Comment 1 Vasyl Kaigorodov 2015-01-05 10:46:38 UTC 
Created attachment 976326 [details]
0001-darwinssl-fix-session-ID-keys-to-only-reuse-identica.patch
Comment 2 Tomas Hoger 2015-01-08 08:04:29 UTC 
The curl packages in Red Hat Enterprise Linux 5 and earlier use OpenSSL as TLS backend.  The curl packages in Red Hat Enterprise Linux 6 and 7, and all current Fedora versions use NSS as TLS backend.

Statement:

Not vulnerable. This issue did not affect the versions of curl as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they do no use DarwinSSL library as TLS backend.
Comment 3 Tomas Hoger 2015-01-08 09:57:58 UTC 
Fixed now in curl 7.40.0:

http://curl.haxx.se/mail/archive-2015-01/0019.html

Upstream commit:

https://github.com/bagder/curl/commit/4ce22c607be9066b321f3eb3c524a6fff251a1e2