Bug 2270497 (CVE-2024-2466) - CVE-2024-2466 curl: TLS certificate check bypass with mbedTLS
Summary: CVE-2024-2466 curl: TLS certificate check bypass with mbedTLS
Keywords:
Status: NEW
Alias: CVE-2024-2466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2270504
Blocks: 2270489
 
Reported: 2024-03-20 15:35 UTC by Patrick Del Bello
Modified: 2024-05-07 15:47 UTC (History)
CC List: 46 users

Fixed In Version: curl 8.7.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in curl. When curl is built to use mbedTLS as the TLS backend, it does not check the server certificate of TLS connections done to a host specified as an IP address.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:2693  0        None      None    None     2024-05-07 15:47:38 UTC
Red Hat Product Errata  RHSA-2024:2694  0        None      None    None     2024-05-07 15:44:54 UTC

Description Patrick Del Bello 2024-03-20 15:35:44 UTC
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS.

libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POP3S, SMTPS, etc).

Since the SNI field is not set when using a hostname set as an IP address, many requests will fail to communicate with the correct endpoint or get the correct data, somewhat lessening the possible impact.

Not all versions of mbedTLS support server certificate checks for IP addresses, so when this issue is fixed all attempts to connect directly to an IP address over TLS might fail.

This vulnerability is similar to a past curl vulnerability identified as CVE-2016-3739.

This flaw also affects the curl command line tool.

Reference:
https://curl.se/docs/CVE-2024-2466.html

Upstream patch:
https://github.com/curl/curl/commit/3d0fd382a29b95561b90b7ea3e7e
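The description above comes down to one branch: the peer name was only handed to the TLS library's hostname-check step (mbedtls_ssl_set_hostname() in mbedTLS) when it was not an IP literal, so for an IP-address host the name check never ran. The Python below is an added illustration, not curl's or mbedTLS's code. It models that flawed decision beside the corrected one against a constructed subjectAltName set: the fixed path matches IP literals against iPAddress SAN entries, which is also why, as the description notes, a fixed build will reject a server whose certificate carries no IP SAN. Names, addresses and the SAN set are all made up for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of a server certificate's subjectAltName entries, as a
# name verifier would see them after parsing the certificate. Not a real cert.
SAMPLE_SANS: Dict[str, List[str]] = {
    "DNS": ["example.test", "*.example.test"],
    "IP": ["192.0.2.10", "2001:db8::10"],
}


def parse_ip_literal(peer: str):
    """Return an ip_address object if `peer` is an IPv4/IPv6 literal, else None.
    URL-style bracketed IPv6 ("[2001:db8::10]") is accepted too."""
    try:
        return ipaddress.ip_address(peer.strip("[]"))
    except ValueError:
        return None


def dns_name_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard may only be
    the whole left-most label, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        n_labels = name.split(".")
        return (len(p_labels) >= 2                      # refuse "*.test"
                and len(n_labels) == len(p_labels) + 1
                and n_labels[1:] == p_labels)
    return pattern == name


def ip_san_matches(san_ips: List[str], peer_ip) -> bool:
    # Compare as parsed addresses so textual IPv6 variants still match.
    return any(ipaddress.ip_address(s) == peer_ip for s in san_ips)


def verify_peer_vulnerable(sans: Dict[str, List[str]], peer: str) -> bool:
    """Models the flawed flow from the description: the peer name is only
    handed to the TLS library's name check when it is not an IP literal, so a
    connection to an IP address is accepted with no name check at all."""
    if parse_ip_literal(peer) is not None:
        return True  # no check performed: any certificate is accepted
    return any(dns_name_matches(p, peer) for p in sans["DNS"])


def verify_peer_fixed(sans: Dict[str, List[str]], peer: str) -> bool:
    """IP literals are matched against iPAddress SAN entries; a certificate
    without a matching entry is rejected, which is the failure the description
    warns about for servers that were never issued an IP SAN."""
    peer_ip = parse_ip_literal(peer)
    if peer_ip is not None:
        return ip_san_matches(sans["IP"], peer_ip)
    return any(dns_name_matches(p, peer) for p in sans["DNS"])


if __name__ == "__main__":
    for peer in ["192.0.2.10", "198.51.100.7", "[2001:db8:0:0::10]",
                 "www.example.test", "a.b.example.test", "evil.test"]:
        print(f"{peer:22} vulnerable={verify_peer_vulnerable(SAMPLE_SANS, peer)!s:5} "
              f"fixed={verify_peer_fixed(SAMPLE_SANS, peer)}")
```

The telling row is 198.51.100.7, an address the certificate was never issued for: the vulnerable path accepts it without looking at the certificate, which is exactly the gap a man-in-the-middle on an IP-addressed connection exploits, while the fixed path rejects it. The SNI caveat from the description is separate: whether or not the server picks the right certificate, the client must still check the one it receives.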

Comment 2 Kamil Dudka 2024-03-20 16:09:14 UTC
We do not build (lib)curl with mbedTLS support, so the reported security issue does not apply.
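Comment 2 turns on which TLS backend a given curl build was compiled against, which the first line of `curl -V` states alongside the curl version. The check below is an added example, not code from curl or Red Hat: it parses that line and reports a build as unfixed when it names mbedTLS and predates this bug's "Fixed In Version: curl 8.7.0". The page gives no first affected version, so every earlier mbedTLS build is reported as unfixed; the backend name list and both sample outputs are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed samples of the first lines of `curl -V` for two builds. The
# first uses mbedTLS, the second (an OpenSSL build) does not.
SAMPLE_MBEDTLS_BUILD = """curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 mbedTLS/3.5.2 zlib/1.3.1
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps
Features: AsynchDNS IPv6 Largefile SSL threadsafe
"""
SAMPLE_OPENSSL_BUILD = """curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 OpenSSL/3.0.13 zlib/1.3.1
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps
Features: AsynchDNS IPv6 Largefile SSL threadsafe
"""

FIXED_IN = (8, 7, 0)  # this bug's "Fixed In Version: curl 8.7.0"

# Assumed set of backend names as they appear as name/version tokens in the
# curl -V version line; extend it if a build reports something else.
TLS_BACKENDS = {"mbedtls", "openssl", "gnutls", "wolfssl", "schannel",
                "secure-transport", "boringssl", "libressl", "quictls",
                "rustls-ffi", "bearssl", "aws-lc"}


def parse_curl_version(output: str) -> Tuple[Tuple[int, ...], List[str]]:
    """Return (curl version tuple, TLS backend names) from `curl -V` text.
    Extra tokens such as '-DEV' suffixes or '(MultiSSL)' are ignored."""
    first = output.splitlines()[0]
    m = re.match(r"curl (\d+)\.(\d+)\.(\d+)", first)
    if m is None:
        raise ValueError("not a curl -V version line: %r" % first)
    version = tuple(int(x) for x in m.groups())
    backends = []
    for token in first.split()[1:]:
        name = token.split("/", 1)[0]
        if "/" in token and name.lower() in TLS_BACKENDS:
            backends.append(name)
    return version, backends


def unfixed_for_cve_2024_2466(output: str) -> bool:
    """True when the build uses mbedTLS and predates the fixed version."""
    version, backends = parse_curl_version(output)
    uses_mbedtls = any(b.lower() == "mbedtls" for b in backends)
    return uses_mbedtls and version < FIXED_IN


if __name__ == "__main__":
    for label, text in [("mbedTLS build", SAMPLE_MBEDTLS_BUILD),
                        ("OpenSSL build", SAMPLE_OPENSSL_BUILD)]:
        version, backends = parse_curl_version(text)
        print(label, version, backends,
              "unfixed:", unfixed_for_cve_2024_2466(text))
```

To run it against a live system, feed the function `subprocess.run(["curl", "-V"], capture_output=True, text=True).stdout`; for an application linking libcurl rather than the tool, the same version line is available from libcurl's curl_version() string. A build that lists several backends (MultiSSL) is treated as affected if any of them is mbedTLS, which is the conservative reading.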

Comment 3 errata-xmlrpc 2024-05-07 15:44:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:2694 https://access.redhat.com/errata/RHSA-2024:2694

Comment 4 errata-xmlrpc 2024-05-07 15:47:35 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2024:2693 https://access.redhat.com/errata/RHSA-2024:2693

