CVE-2016-3739
published 2016-05-20CVE-2016-3739: The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0…
PriorityP427medium5.3CVSS 3.0
AVNACHPRNUIRSUCNIHAN
EPSS
1.07%
78.2th percentile
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
Affected
42 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.50.1-1 (bookworm) | curl 7.50.1-1 (bookworm) |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
CVSS provenance
nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
nvdv2.02.6LOWAV:N/AC:H/Au:N/C:N/I:P/A:N
osv5.3MEDIUM
vendor_debian5.3LOW
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-4rcg-2r46-4hcc: The (1) mbed_connect_step1 function in lib/vtls/mbedtls
ghsa_unreviewed·2022-05-14
CVE-2016-3739 [MEDIUM] CWE-20 GHSA-4rcg-2r46-4hcc: The (1) mbed_connect_step1 function in lib/vtls/mbedtls
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
OSV
CVE-2016-3739: The (1) mbed_connect_step1 function in lib/vtls/mbedtls
osv·2016-05-20·CVSS 5.3
CVE-2016-3739 [MEDIUM] CVE-2016-3739: The (1) mbed_connect_step1 function in lib/vtls/mbedtls
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
Red Hat
curl: TLS certificate name check bypass with mbedTLS and PolarSSL
vendor_redhat·2016-05-18·CVSS 5.3
CVE-2016-3739 [MEDIUM] CWE-345 curl: TLS certificate name check bypass with mbedTLS and PolarSSL
curl: TLS certificate name check bypass with mbedTLS and PolarSSL
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
Package: curl (Red Hat Enterprise Linux 5) - Not affected
Package: curl (Red Hat Enterprise Linux 6) - Not affected
Package: curl (Red Hat Enterprise Linux 7) - Not affected
Package: mingw-virt-viewer (Red Hat Enterprise Virtualization 3) - Not affected
Package: curl (Red Hat JBoss Enterprise Web Server 3) - Not affected
Debian
CVE-2016-3739: curl - The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_conne...
vendor_debian·2016·CVSS 5.3
CVE-2016-3739 [MEDIUM] CVE-2016-3739: curl - The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_conne...
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
Scope: local
bookworm: resolved (fixed in 7.50.1-1)
bullseye: resolved (fixed in 7.50.1-1)
forky: resolved (fixed in 7.50.1-1)
sid: resolved (fixed in 7.50.1-1)
trixie: resolved (fixed in 7.50.1-1)
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request)
hackerone·2024-03-29·CVSS 5.3
CVE-2024-2466 [MEDIUM] CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request)
CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request)
For reward request.
Please refer to this report issue from curl:
https://hackerone.com/reports/2416725
And already published at here:
https://curl.se/docs/CVE-2024-2466.html
## Impact
Reference from above.
CVE-2024-2466
TLS certificate check bypass with mbedTLS
VULNERABILITY
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS.
libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).
INFO
Since the SNI field is not set when using a hostname
HackerOne
CVE-2024-2466: TLS certificate check bypass with mbedTLS
hackerone·2024-03-27·CVSS 6.5
CVE-2024-2466 [MEDIUM] CVE-2024-2466: TLS certificate check bypass with mbedTLS
CVE-2024-2466: TLS certificate check bypass with mbedTLS
## Summary:
Curl library has a security vulnerability where the certificate name check is bypassed when connecting to a host via its IP address. This could potentially introduce spoofing attacks or unauthorized access due to unverified server certificate.
This issue only affects the Curl with MbedTLS.
- Affected versions: from libcurl 8.5.0 to and including 8.6.0 (current master versions at the time of writing)
- Not affected versions: libcurl 8.4.0 and earlier
This issue affect all kinds of protocol over TLS session, e.g. HTTPS, FTPS, SMTPS, etc.
## Steps To Reproduce:
### (Preparation) Download and build the Curl with MbedTLS:
*Skip this step if you already have the Curl (>= 8.5.0) with MbedTLS.*
Before building the code,
Bugzilla
CVE-2024-2466 curl: TLS certificate check bypass with mbedTLS
bugzilla·2024-03-20·CVSS 5.3
CVE-2024-2466 [MEDIUM] CVE-2024-2466 curl: TLS certificate check bypass with mbedTLS
CVE-2024-2466 curl: TLS certificate check bypass with mbedTLS
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS.
libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).
Since the SNI field is not set when using a hostname set as an IP address, many requests will fail to communicate with the correct endpoint or get the correct data. Somewhat lessening the possible impact.
Not all versions of mbedTLS supports server certificate checks for IP addresses, so when this issue is fixed all attempts to connect directly to a
Bugzilla
CVE-2016-3739 curl: TLS certificate name check bypass with mbedTLS and PolarSSL
bugzilla·2016-05-12·CVSS 5.3
CVE-2016-3739 [MEDIUM] CVE-2016-3739 curl: TLS certificate name check bypass with mbedTLS and PolarSSL
CVE-2016-3739 curl: TLS certificate name check bypass with mbedTLS and PolarSSL
The following flaw was found in libcurl:
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, or when explicitly asked to use SSLv3.
This flaw only exists when libcurl is built to use mbedTLS or PolarSSL as TLS backend.
The documentation for mbedTLS and PolarSSL (wrongly) says that the API function *ssl_set_hostname() is used only for setting the name for the TLS extension SNI. The set string is however even more importantly used by the libraries to verify the server certificate, and if no "hostname" is set it will just skip the check and successfully continue with the handshake.
libcurl would wrongly avoid using the function when the specified host nam
http://www.openwall.com/lists/oss-security/2024/03/27/4http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttp://www.securityfocus.com/bid/90726http://www.securitytracker.com/id/1035907http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.495349https://curl.haxx.se/CVE-2016-3739.patchhttps://curl.haxx.se/changes.html#7_49_0https://curl.haxx.se/docs/adv_20160518.htmlhttps://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722https://security.gentoo.org/glsa/201701-47http://www.openwall.com/lists/oss-security/2024/03/27/4http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttp://www.securityfocus.com/bid/90726http://www.securitytracker.com/id/1035907http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.495349https://curl.haxx.se/CVE-2016-3739.patchhttps://curl.haxx.se/changes.html#7_49_0https://curl.haxx.se/docs/adv_20160518.htmlhttps://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722https://security.gentoo.org/glsa/201701-47
2016-05-20
Published