Vigil@nce - libcurl: certificate not checked without VERIFYPEER
January 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can offer a malicious certificate, to an application
linked with libcurl, which disables VERIFYPEER, so the user is not
warned.
Impacted products: cURL, Debian
Severity: 2/4
Creation date: 17/12/2013
DESCRIPTION OF THE VULNERABILITY
The libcurl library uses two options to check SSL certificates:
– CURLOPT_SSL_VERIFYPEER : check the full chain
– CURLOPT_SSL_VERIFYHOST : only check the server name
However, due to a logic error with GnuTLS, when
CURLOPT_SSL_VERIFYPEER is disabled, CURLOPT_SSL_VERIFYHOST is also
disabled.
An attacker can therefore offer a malicious certificate, to an
application linked with libcurl, which disables VERIFYPEER, so the
user is not warned.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libcurl-certificate-not-checked-without-VERIFYPEER-13956