Bug 1029159 - (CVE-2013-4545) CVE-2013-4545 curl: TLS/SSL certificate name check disabled with peer verification
CVE-2013-4545 curl: TLS/SSL certificate name check disabled with peer verific...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20131115,reported=2...
: Security
Depends On: 1031429 1031430
Blocks: 1029163
  Show dependency treegraph
 
Reported: 2013-11-11 14:40 EST by Tomas Hoger
Modified: 2013-12-02 04:54 EST (History)
6 users (show)

See Also:
Fixed In Version: curl 7.33.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-02 04:54:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2013-11-11 14:40:24 EST
Curl upstream reported an issue related to verification of connection host name against server name specified in a TLS/SSL server certificate.  When libcurl was built using OpenSSL as TLS/SSL library, setting CURLOPT_SSL_VERIFYPEER option to 0 (i.e. disabling verification that the certificate is valid and was issued by a trusted certificate authority) also disabled server name checks regardless of the value of the CURLOPT_SSL_VERIFYHOST option.  This caused libcurl to skip name checks while an application using the library could expect it to be performed.

Note: Only enabling VERIFYHOST while disabling VERIFYPEER is insecure unless application performs its own peer verification equivalent to the verification performed by libcurl when VERIFYPEER is enabled.

The curl command line tool is not affected, as it disables both VERIFYPEER and VERIFYHOST when -k / --insecure command line option is used.

Documentation for VERIFYPEER and VERIFYHOST options:
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYPEER
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYHOST

This problem is a regression that was introduced in version 7.18.0.  It was already corrected in version 7.33.0 released mid-October 2013.

Upstream commit:
https://github.com/bagder/curl/commit/3c3622b6

Announcement of 7.33.0:
http://curl.haxx.se/mail/lib-2013-10/0093.html
  o OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER

Public report of the issue on the curl-library mailing list:
http://curl.haxx.se/mail/lib-2013-10/0002.html

Curl version shipped in Red Hat Enterprise Linux 5 is 7.15.5 and is not affected by this problem (it pre-dates the regression).  Curl packages in Red Hat Enterprise Linux 6 and current Fedora versions use NSS (Network Security Services) rather than OpenSSL as TLS/SSL backend library.  When VERIFYPEER is disabled in Curl versions using NSS, VERIFYHOST is automatically disabled too.  Unlike OpenSSL crypto backend, this is expected and documented behavior for NSS crypto backend:
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYHOST
Comment 1 Tomas Hoger 2013-11-11 14:52:14 EST
Statement:

Not vulnerable. This issue did not affect the versions of curl as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 4 Tomas Hoger 2013-11-17 15:45:58 EST
Public now via upstream advisory.

External References:

http://curl.haxx.se/docs/adv_20131115.html
Comment 5 Tomas Hoger 2013-11-17 15:50:27 EST
mingw*-curl packages in Fedora and EPEL are based on affected upstream versions and use OpenSSL as SSL library, rather than NSS.
Comment 6 Tomas Hoger 2013-11-17 15:51:15 EST
Created mingw32-curl tracking bugs for this issue:

Affects: epel-5 [bug 1031430]
Comment 7 Tomas Hoger 2013-11-17 15:51:27 EST
Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1031429]

Note You need to log in before you can comment on or make changes to this bug.