CURL-CVE-2016-3739

See a problem?
Source
https://curl.se/docs/CVE-2016-3739.html
Import Source
https://curl.se/docs/CURL-CVE-2016-3739.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2016-3739
Aliases
Published
2016-05-18T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
TLS certificate check bypass with mbedTLS/PolarSSL
Details

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, or when explicitly asked to use SSLv3.

This flaw only exists when libcurl is built to use mbedTLS or PolarSSL as the TLS backend.

The documentation for mbedTLS and PolarSSL (wrongly) says that the API function ssl_set_hostname() is used only for setting the name for the TLS extension SNI. The set string is however even more importantly used by the libraries to verify the server certificate, and if no "hostname" is set it just skips the check and successfully continue with the handshake.

libcurl would wrongly avoid using the function when the specified hostname was given as an IP address or when SSLv3 is used, as SNI is not supposed to be used then. This then leads to that all uses of TLS oriented protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc) allows connections to servers with unverified server certificates as long as they are specified as IP addresses or using SSLv3.

By tricking a libcurl-using client to use a URL with a host specified as IP address only, an application could be made to connect to an impostor server or Man In The Middle host without noticing.

Note: PolarSSL is the old name and releases of the library that nowadays is known and released under the name mbedTLS.

References
Credits
    • Moti Avrahami - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.21.0
Fixed
7.49.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0