CURL-CVE-2016-9952

See a problem?
Source
https://curl.se/docs/CVE-2016-9952.html
Import Source
https://curl.se/docs/CURL-CVE-2016-9952.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2016-9952
Aliases
Published
2016-12-21T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
Win CE Schannel cert wildcard matches too much
Details

curl's TLS server certificate checks are flawed on Windows CE.

This vulnerability occurs in the verify certificate function when comparing a wildcard certificate name (as returned by the Windows API function CertGetNameString) to the hostname used to make the connection to the server.

The vulnerability can be triggered with an overly permissive wildcard SAN in the server certificate such as a DNS name of *.com. When the function compares the cert name to the connection hostname, the wildcard character is removed from the cert name and the connection hostname is checked to see if it ends with the modified cert name. This means a hostname of example.com would match a DNS SAN of *.com, among other variations. This approach violates recommendations in RFC 6125 and could lead to MITM attacks.

References
Credits
    • Dan McNulty - FINDER
    • Dan McNulty - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.27.0
Fixed
7.52.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
7.51.0