Bug 2262097 (CVE-2024-0853) - CVE-2024-0853 curl: OCSP verification bypass with TLS session reuse
Summary: CVE-2024-0853 curl: OCSP verification bypass with TLS session reuse
Keywords:
Status: NEW
Alias: CVE-2024-0853
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
Blocks: 2262099
Reported: 2024-01-31 14:20 UTC by Mauro Matteo Cascella
Modified: 2024-02-28 06:19 UTC

Fixed In Version: curl 8.6.0
Doc Type: ---
Doc Text:
A flaw was found in curl, where it inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could succeed if the session ID cache was still fresh, because the reused session skips the verify status check.

Description Mauro Matteo Cascella 2024-01-31 14:20:33 UTC
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check. This issue is limited to curl built to use OpenSSL and when using TLS 1.2 only and not TLS 1.3. The issue is fixed upstream in curl 8.6.0. 

References:
https://curl.se/docs/CVE-2024-0853.html
https://www.openwall.com/lists/oss-security/2024/01/31/1

Upstream fix:
https://github.com/curl/curl/commit/c28e9478cb2548848ec
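
The cache behaviour described in the report, as an added example that is not part of the bug report and not curl's code: a toy C model in which every name (`session_cache`, `transfer`, `evict_on_failure`, `host.example`) is hypothetical. It assumes the session ID is cached once the handshake completes, and shows eviction on a failed status check as one way to close the gap; the page does not describe the upstream patch.

```c
/* Added illustration: toy model of a TLS session-ID cache, not curl's code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 8

/* Session-ID cache keyed by hostname (constructed model). */
struct session_cache { char host[SLOTS][64]; bool live[SLOTS]; };

static int cache_find(const struct session_cache *c, const char *host) {
    for (int i = 0; i < SLOTS; i++)
        if (c->live[i] && strcmp(c->host[i], host) == 0) return i;
    return -1;
}

static void cache_add(struct session_cache *c, const char *host) {
    if (cache_find(c, host) >= 0) return;
    for (int i = 0; i < SLOTS; i++)
        if (!c->live[i]) {
            snprintf(c->host[i], sizeof c->host[i], "%s", host);
            c->live[i] = true;
            return;
        }
}

/* One transfer with verify status requested. staple_ok is the result the
   OCSP stapling check gives when it runs. Returns true if accepted. */
static bool transfer(struct session_cache *c, const char *host,
                     bool staple_ok, bool evict_on_failure) {
    if (cache_find(c, host) >= 0)
        return true;              /* session reused: status check skipped */
    cache_add(c, host);           /* assumption: cached at handshake time */
    if (!staple_ok) {
        int i = cache_find(c, host);
        if (evict_on_failure && i >= 0)
            c->live[i] = false;   /* hardened: failed check leaves no entry */
        return false;
    }
    return true;
}

/* Two transfers to one host whose stapled response fails verification
   (constructed scenario). Returns whether the second one was accepted. */
static bool second_transfer_accepted(bool evict_on_failure) {
    struct session_cache c;
    memset(&c, 0, sizeof c);
    transfer(&c, "host.example", false, evict_on_failure);
    return transfer(&c, "host.example", false, evict_on_failure);
}
```

Without eviction the second transfer is accepted even though the status check never passed; with eviction both transfers are rejected.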

