#VU5890 Security bypass in cURL - CVE-2017-2629

Cybersecurity Help s.r.o.

Published: 2017-02-22 | Updated: 2017-02-22

Vulnerability identifier: #VU5890

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-2629

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cURL
Client/Desktop applications / Other client software

Vendor: curl.haxx.se

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an error within TLS Certificate Status Request extension implementation (a.k.a OCSP stapling) in cURL. The problem is caused by coding error, when the affected function returns positive result even when there is none or if the server doesn't support the TLS extension in question. A remote attacker can bypass CURLOPT_SSL_VERIFYSTATUS option and make the affected system treat all requests as valid.

Successful exploitation of the vulnerability may allow an attacker to bypass implemented security controls and perform a MitM or phishing attack.

Mitigation
Update to version 7.53.0

Vulnerable software versions

cURL: 7.52.0 - 7.52.1

External links
https://curl.haxx.se/docs/adv_20170222.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for cURL

Arch Linux update for curl

Security bypass in curl (Alpine package)

OCSP stapling verification bypass in cURL