Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2024-2379

Source

                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[SECURITY ADVISORY] curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Daniel Stenberg &lt;daniel () haxx se&gt;

Date: Wed, 27 Mar 2024 07:58:05 +0100 (CET)

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
QUIC certificate check bypass with wolfSSL
==========================================

Project curl Security Advisory, March 27 2024 -
[Permalink](https://curl.se/docs/CVE-2024-2379.html)

VULNERABILITY
-------------

libcurl skips the certificate verification for a QUIC connection under certain
conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or
curve, the error path accidentally skips the verification and returns OK, thus
ignoring any certificate problems.

INFO
----

To trigger, this issue also requires that the used wolfSSL library was built
with the `OPENSSL_COMPATIBLE_DEFAULTS` symbol set, which is **not** set for
the recommended `configure --enable-curl` builds.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2024-2379 to this issue.

CWE-295: Improper Certificate Validation

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.6.0 to and including 8.6.0
- Not affected versions: curl &lt; 8.6.0 and &gt;= 8.7.0
- Introduced-in: https://github.com/curl/curl/commit/5d044ad9480a9f556f4b6a2

libcurl is used by many applications, but not always advertised as such!

This flaw is also accessible using the curl command line tool.

SOLUTION
------------

Starting in curl 8.7.0, this mistake is fixed.

- Fixed-in: https://github.com/curl/curl/commit/aedbbdf18e689a5eee8dc396

RECOMMENDATIONS
--------------

 A - Upgrade curl to version 8.7.0

 B - Apply the patch to your local version

 C - Avoid using HTTP/3 with curl built to use wolfSSL

TIMELINE
--------

This issue was reported to the curl project on March 10, 2024. We contacted
distros@openwall on March 19, 2024.

curl 8.7.0 was released on March 27 2024 around 07:00 UTC, coordinated with
the publication of this advisory.

The curl security team is not aware of any active exploits using this
vulnerability.

CREDITS
-------

- Reported-by: Dexter Gerig
- Patched-by: Daniel Stenberg

Thanks a lot!

--

 / daniel.haxx.se

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

[SECURITY ADVISORY] curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL Daniel Stenberg (Mar 27)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

[SECURITY ADVISORY] curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL

Vulmon Search

About

Products

Connect