CURL-CVE-2014-0139

Source
https://curl.se/docs/CVE-2014-0139.html
Import Source
https://curl.se/docs/CURL-CVE-2014-0139.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2014-0139
Aliases
Published
2014-03-26T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
IP address wildcard certificate validation
Details

libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses.

RFC 2818 covers the requirements for matching Common Names (CNs) and subjectAltNames in order to establish valid SSL connections. It first discusses CNs that are for hostnames, and the rules for wildcards in this case. The next paragraph in the RFC then discusses CNs that are IP addresses:

'In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.'

The intention of the RFC is clear in that you should not be able to use wildcards with IP addresses (in order to avoid the ability to perform man-in-the-middle attacks). Unfortunately libcurl fails to adhere to this rule under certain conditions, and subsequently it would allow and use a wildcard match specified in the CN field.

Exploiting this flaw, a malicious server could participate in a MITM attack or just easier fool users that it is a legitimate site for whatever purpose, when it actually is not.

A good CA should refuse to issue a certificate with the CN as indicated, however there only need be one CA to issue one in error for this issue to result in the user getting no warning at all and being vulnerable to MITM.

This flaw is only present in libcurl when built to use one out of a few specific TLS libraries: OpenSSL, axTLS, qsossl or gskit.

This problem is similar to one previously reported by Richard Moore, found in multiple browsers.

References
Credits
    • Richard Moore - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git /

Affected ranges

Type
SEMVER
Events
Introduced
7.10.3
Fixed
7.36.0

Affected versions

7.*

7.10.3
7.10.4
7.10.5
7.10.6
7.10.7
7.10.8
7.11.0
7.11.1
7.11.2
7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0