Bug 2270497 (CVE-2024-2466)

Summary: CVE-2024-2466 curl: TLS certificate check bypass with mbedTLS
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aarif, agarcial, aoconnor, aprice, asegurap, bdettelb, caswilli, csutherl, dfreiber, dkuc, drow, fjansen, gsuckevi, hhorak, hkataria, jburrell, jclere, jmitchel, jorton, jsamir, jsherril, jtanner, kaycoth, kdudka, kshier, luhliari, luizcosta, mpierce, nweather, orabin, pjindal, plodge, psegedy, security-response-team, sidakwo, stcannon, sthirugn, szappis, vkrizan, vkumar, vmugicag, xiaoxwan, yguenane, zzhou
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: curl 8.7.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in curl. When curl is built to use mbedTLS as the TLS backend, it does not check the server certificate of TLS connections done to a host specified as an IP address.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2270504
Bug Blocks: 2270489

Description Patrick Del Bello 2024-03-20 15:35:44 UTC
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS.

libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POP3S, SMTPS, etc).

Since the SNI field is not set when using a hostname set as an IP address, many requests will fail to communicate with the correct endpoint or get the correct data, which somewhat lessens the possible impact.

Not all versions of mbedTLS support server certificate checks for IP addresses, so when this issue is fixed all attempts to connect directly to an IP address over TLS might fail.

This vulnerability is similar to a past curl vulnerability identified as CVE-2016-3739.

This flaw also affects the curl command line tool.

Reference:
https://curl.se/docs/CVE-2024-2466.html

Upstream patch:
https://github.com/curl/curl/commit/3d0fd382a29b95561b90b7ea3e7e
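An added triage check, not code from the bug report or from the curl project: it parses `curl --version` output, whose first line lists the libcurl version and the linked TLS backends, and flags builds that link mbedTLS and predate the curl 8.7.0 fix recorded above. The sample outputs are constructed for the example, and the list of backend names is an assumption about how curl prints its linked libraries.

```python
import re

# Constructed sample `curl --version` outputs (illustrative; not captured from real hosts).
SAMPLES = {
    "mbedtls_old": "curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 mbedTLS/3.5.2 zlib/1.3\n"
                   "Release-Date: 2024-01-31\nFeatures: alt-svc IPv6 libz SSL threadsafe\n",
    "mbedtls_fixed": "curl 8.7.0 (x86_64-pc-linux-gnu) libcurl/8.7.0 mbedTLS/3.5.2 zlib/1.3\n"
                     "Release-Date: 2024-03-27\n",
    "openssl_old": "curl 8.6.0 (x86_64-redhat-linux-gnu) libcurl/8.6.0 OpenSSL/3.0.7 zlib/1.2.13\n"
                   "Release-Date: 2024-01-31\n",
}

FIXED_IN = (8, 7, 0)  # "Fixed In Version: curl 8.7.0" on this page

# TLS backends curl can be built against (assumed name list), lower-cased for matching.
TLS_BACKENDS = {"openssl", "boringssl", "libressl", "gnutls", "mbedtls", "wolfssl",
                "schannel", "securetransport", "rustls", "bearssl"}


def parse_curl_version(output):
    """Return (libcurl version tuple, set of TLS backends) from `curl --version` text."""
    first = output.splitlines()[0]
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", first)
    if not m:
        raise ValueError("no libcurl version found in: %r" % first)
    version = tuple(int(x) for x in m.groups())
    backends = set()
    for token in first.split():
        # Linked libraries appear as name/version (sometimes in parentheses); keep TLS backends.
        name = token.strip("()").split("/", 1)[0].lower()
        if name in TLS_BACKENDS:
            backends.add(name)
    return version, backends


def affected_by_cve_2024_2466(output):
    """True if the build links mbedTLS and predates the 8.7.0 fix.

    A MultiSSL build listing mbedTLS next to other backends counts as affected,
    since the backend is selectable at run time.
    """
    version, backends = parse_curl_version(output)
    return "mbedtls" in backends and version < FIXED_IN


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "affected" if affected_by_cve_2024_2466(text) else "not affected")
```

Because this inspects the build configuration rather than behaviour, a build that does not list mbedTLS at all is outside the scope of this CVE, which matches the reasoning used for Red Hat's own packages in the comments.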

Comment 2 Kamil Dudka 2024-03-20 16:09:14 UTC
We do not build (lib)curl with mbedTLS support, so the reported security issue does not apply.

Comment 3 errata-xmlrpc 2024-05-07 15:44:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:2694 https://access.redhat.com/errata/RHSA-2024:2694

Comment 4 errata-xmlrpc 2024-05-07 15:47:35 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2024:2693 https://access.redhat.com/errata/RHSA-2024:2693