Date: Wed, 7 Sep 2016 13:39:36 +0200 (CEST)
From: Daniel Stenberg <daniel@...x.se>
To: curl security announcements -- curl users <curl-users@...l.haxx.se>,
        curl-announce@...l.haxx.se,
        libcurl hacking <curl-library@...l.haxx.se>,
        oss-security@...ts.openwall.com
Subject: [SECURITY ADVISORY] curl: Incorrect reuse of client certificates

Incorrect reuse of client certificates 
======================================

Project cURL Security Advisory, September 7th 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20160907.html)

VULNERABILITY
-------------

libcurl built on top of NSS (Network Security Services) incorrectly re-used
client certificates: if a certificate loaded from a file was used for one TLS
connection and no certificate was set for a subsequent TLS connection, that
subsequent connection was still made with the earlier client certificate.

While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong
client cert), this vulnerability was caused by an implementation detail of the
NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420.

We are not aware of any exploit of this flaw.

INFO
----

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-7141 to this issue.

AFFECTED VERSIONS
-----------------

This flaw is present in curl and libcurl only if they are built with support
for NSS and only if the libnsspem.so library is available at run-time.

- Affected versions: libcurl 7.19.6 to and including 7.50.1
- Not affected versions: libcurl >= 7.50.2

libcurl is used by many applications, but not always advertised as such!
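To tell whether an installed curl matches the affected configuration described above, the following added example (it is not part of the advisory or the curl project's code) parses the first line of `curl -V` output for the libcurl version and the NSS backend, checks the version against the 7.19.6 to 7.50.1 range, and looks for libnsspem.so in given library directories. The sample `curl -V` lines are constructed for the example; the output layout (`libcurl/<version> NSS/<version> ...`) follows what the real tool prints. The libnsspem.so check assumes the PEM module ships as a plain file of that name in a library directory.

```shell
#!/bin/sh
# Added example: does this curl build match the CVE-2016-7141 conditions
# (NSS backend, libcurl 7.19.6..7.50.1, libnsspem.so present at run-time)?

# version_le A B: true (0) if dotted version A <= B (three numeric components).
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# cve_2016_7141_affected LINE: LINE is the first line of `curl -V`.
# Returns 0 if libcurl is built with NSS and the version is in range,
# 1 if not affected, 2 if the line could not be parsed.
cve_2016_7141_affected() {
    line=$1
    ver=$(printf '%s\n' "$line" | sed -n 's#.*libcurl/\([0-9][0-9.]*\).*#\1#p')
    [ -n "$ver" ] || return 2
    case "$line" in
        *" NSS/"*) ;;      # NSS backend: version check decides
        *) return 1 ;;     # OpenSSL, GnuTLS, ... : not affected by this flaw
    esac
    version_le 7.19.6 "$ver" && version_le "$ver" 7.50.1
}

# libnsspem_present DIR...: true if any DIR contains libnsspem.so.
# Assumption: the module is a plain file named libnsspem.so (not verified
# against any particular distribution's packaging).
libnsspem_present() {
    for d in "$@"; do
        [ -e "$d/libnsspem.so" ] && return 0
    done
    return 1
}

# Constructed sample `curl -V` first lines (not captured from a real system):
SAMPLE_NSS_OLD='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3'
SAMPLE_NSS_FIXED='curl 7.50.2 (x86_64-pc-linux-gnu) libcurl/7.50.2 NSS/3.26 zlib/1.2.8'
SAMPLE_OPENSSL='curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 OpenSSL/1.0.2g zlib/1.2.8'

for sample in "$SAMPLE_NSS_OLD" "$SAMPLE_NSS_FIXED" "$SAMPLE_OPENSSL"; do
    if cve_2016_7141_affected "$sample"; then
        echo "version/backend match: $sample"
    else
        echo "not affected:          $sample"
    fi
done
```

To test a real installation, feed it `curl -V | head -n1` and pass the system library directories (for example `/usr/lib64 /usr/lib /usr/lib/x86_64-linux-gnu`) to `libnsspem_present`; the flaw is only reachable when both checks succeed. Distribution packages may carry the fix as a backport without a version bump, so a match here is a reason to check the package changelog, not proof of exposure.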

THE SOLUTION
------------

A fix for this flaw is included in libcurl 7.50.2 via
[commit `curl-7_50_2~32`](https://github.com/curl/curl/commit/curl-7_50_2~32).
For older releases of libcurl there is a
[patch for CVE-2016-7141](https://curl.haxx.se/CVE-2016-7141.patch).

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Apply the patch on the source code of libcurl and rebuild.

  B - Configure libcurl to use a different TLS backend and rebuild.

  C - Use certificates from an NSS database instead of loading them from files.

TIME LINE
---------

This flaw was reported by Red Hat on August 22nd.  The patch fixing the flaw
was published on September 5th.  CVE-2016-7141 was assigned to this flaw on
September 6th.  This advisory was published on September 7th.

CREDITS
-------

Reported by Red Hat.  Security advisory coordinated by Daniel Stenberg.

Thanks a lot!

-- 

  / daniel.haxx.se
