Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <11327r71-8651-6825-46n1-97r1s9n6731o@unkk.fr>
Date: Wed, 17 May 2023 08:41:08 +0200 (CEST)
From: Daniel Stenberg <daniel@...x.se>
To: curl security announcements -- curl users <curl-users@...ts.haxx.se>, 
    curl-announce@...ts.haxx.se, libcurl hacking <curl-library@...ts.haxx.se>, 
    oss-security@...ts.openwall.com
Subject: curl: CVE-2023-28321: IDN wildcard match

IDN wildcard match
==================

Project curl Security Advisory, May 17th 2023 -
[Permalink](https://curl.se/docs/CVE-2023-28321.html)

VULNERABILITY
-------------

curl supports matching of wildcard patterns when listed as "Subject
Alternative Name" in TLS server certificates. curl can be built to use its own
name matching function for TLS rather than one provided by a TLS library. This
private wildcard matching function would match IDN (International Domain Name)
hosts incorrectly and could as a result accept patterns that otherwise should
mismatch.

IDN hostnames are converted to puny code before used for certificate
checks. Puny coded names always start with `xn--` and should not be allowed to
pattern match, but the wildcard check in curl could still check for `x*`,
which would match even though the IDN name most likely contained nothing even
resembling an `x`.

INFO
----

curl's wildcard matching function is used only when curl was built to use
OpenSSL, Schannel or Gskit. All other backends use the matching functions of
the corresponding TLS library and are thus not vulnerable to this flaw.

This flaw is lessened somewhat by two factors:

  - Certificates issued by Certificate Authorities for the public Internet are
    not allowed to use "partial" wildcards, thus completely avoiding this
    issue.

  - In many circumstances, the control of host names used and the wildcards
    used in issued certificates are controlled by the same entity, making this
    unlikely to actually become a problem.

curl does not need to be built with IDN support to be vulnerable, as a user
can pass in a puny coded version of the host name directly in the URL and can
then trigger this flaw.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2023-28321 to this issue.

CWE-295: Improper Certificate Validation

Severity: Low

AFFECTED VERSIONS
-----------------

This bug was introduced in curl when IDN support was first introduced, in curl
7.12.0 - June 2004. The wildcard function was subsequently updated for this
case in 2012 (the IDN problem is mentioned in RFC 6125 in a far from obvious
way) but was done wrongly, so the flaw remained.

- Affected versions: curl 7.12.0 to and including 8.0.1
- Not affected versions: curl < 7.12.0 and curl >= 8.1.0
- Introduced-in: https://github.com/curl/curl/commit/9631fa740708b1890197fad

libcurl is used by many applications, but not always advertised as such!

SOLUTION
------------

curl 8.1.0 completely removes the support for "partial" patches and now only
supports `*.`. No `a*`, `a*b` or `*b` matches. For all host names, IDN or not.

- Fixed-in: https://github.com/curl/curl/commit/199f2d440d8659b42

RECOMMENDATIONS
--------------

  A - Upgrade curl to version 8.1.0

  B - Apply the patch to your local version

TIMELINE
--------

This issue was reported to the curl project on April 17 2023. We contacted
distros@...nwall on May 9, 2023.

curl 8.1.0 was released on May 17 2023, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: Hiroki Kurosawa
- Patched-by: Daniel Stenberg

Thanks a lot!

-- 

  / daniel.haxx.se

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.