cURL/libcurl Certificate Reuse Bug Lets Remote Users Bypass Security Restrictions on the Target System
SecurityTracker Alert ID: 1036739
SecurityTracker URL: http://securitytracker.com/id/1036739
Date: Sep 7 2016
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): 7.19.6 through 7.50.1
Description: A vulnerability was reported in cURL. A remote user can bypass security controls on the target system.
The NSS backend of the library may reuse a client certificate loaded from a file on a subsequent TLS connection if no certificate is set for that subsequent connection, so the later connection authenticates with a certificate the application did not intend to present.
Systems with libcurl built on top of Network Security Services (NSS) and with the 'libnsspem.so' library available at runtime are affected.
The command line tool is also affected.
Red Hat Security reported this vulnerability.
Impact: A remote user may be able to bypass security controls on the target system.
Solution: The vendor has issued a fix (7.50.2).
The vendor advisory is available at:
Vendor URL: curl.haxx.se/docs/adv_20160907.html
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: [oss-security] [SECURITY ADVISORY] curl: Incorrect reuse of client certificates
Incorrect reuse of client certificates
Project cURL Security Advisory, September 7th 2016
libcurl built on top of NSS (Network Security Services) incorrectly re-used
client certificates if a certificate from file was used for one TLS connection
but no certificate set for a subsequent TLS connection.
While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong
client cert), this vulnerability was caused by an implementation detail of the
NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420.
We are not aware of any exploit of this flaw.
This flaw also affects the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-7141 to this issue.
This flaw is present in curl and libcurl only if they are built with the
support for NSS and only if the libnsspem.so library is available at run-time.
- Affected versions: libcurl 7.19.6 to and including 7.50.1
- Not affected versions: libcurl >= 7.50.2
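As an added example that is not part of the advisory or of the curl project's own code, the following POSIX shell script encodes the three affected-set conditions above (NSS backend, libcurl 7.19.6 through 7.50.1, libnsspem.so loadable at run time) as a check against the first line of `curl -V`. The function names, the library search paths and the sample banners are this example's own assumptions; the banners are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the curl project or the advisory: classify a curl
# build against the CVE-2016-7141 affected set using the first line of
# `curl -V` (the banner) plus the presence of libnsspem.so at run time.
# Function names, search paths and sample banners are this example's own.

# vercmp A B: succeed if dotted version A <= B (numeric per component).
vercmp() {
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$first" = "$1" ]
}

# libnsspem_present: succeed if the NSS PEM module can be found where the
# dynamic linker would look (linker cache first, then common library dirs;
# the directory list is an assumption, extend it for your platform).
libnsspem_present() {
  if command -v ldconfig >/dev/null 2>&1 &&
     ldconfig -p 2>/dev/null | grep -q 'libnsspem\.so'; then
    return 0
  fi
  for d in /usr/lib /usr/lib64 /usr/lib/x86_64-linux-gnu /usr/local/lib; do
    [ -e "$d/libnsspem.so" ] && return 0
  done
  return 1
}

# cve_2016_7141_affected BANNER PEM: succeed (exit 0) when all three advisory
# conditions hold for the build described by BANNER:
#   1. the TLS backend is NSS (an "NSS/x.y" token in the banner),
#   2. the libcurl version is in 7.19.6 .. 7.50.1 inclusive,
#   3. PEM is "yes", i.e. libnsspem.so is available at run time.
cve_2016_7141_affected() {
  banner=$1
  pem=$2
  case " $banner " in
    *" NSS/"*) ;;          # NSS backend present
    *) return 1 ;;         # OpenSSL, GnuTLS, ...: not this bug
  esac
  [ "$pem" = yes ] || return 1
  # Take the version from the libcurl/ token, not from the tool's own version.
  ver=$(printf '%s\n' "$banner" | sed -n 's#.*libcurl/\([0-9][0-9.]*\).*#\1#p')
  [ -n "$ver" ] || return 1
  vercmp 7.19.6 "$ver" && vercmp "$ver" 7.50.1
}

# check_local: run the classification against the curl on PATH.
check_local() {
  banner=$(curl -V 2>/dev/null | head -n1)
  [ -n "$banner" ] || { echo "curl not found on PATH" >&2; return 2; }
  if libnsspem_present; then pem=yes; else pem=no; fi
  if cve_2016_7141_affected "$banner" "$pem"; then
    echo "AFFECTED (NSS backend, version in range, libnsspem.so present): $banner"
    return 0
  fi
  echo "not in the CVE-2016-7141 affected set (libnsspem=$pem): $banner"
  return 1
}

# Usage: sh cve-2016-7141-check.sh --check
case "${1:-}" in
  --check) check_local ;;
esac
```

A version inside the range is a reason to consult your distribution's errata, not proof of exposure: vendors routinely backport fixes without changing the version string, so a build reporting 7.29.0 may already carry the patch. Conversely, an NSS build without libnsspem.so cannot load PEM files at all and is outside the affected set, which is why the script treats the module's presence as a condition rather than a footnote.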
libcurl is used by many applications, but not always advertised as such!
A fix for this flaw is included in libcurl 7.50.2 via
For older releases of libcurl there is a
[patch for CVE-2016-7141](https://curl.haxx.se/CVE-2016-7141.patch).
We suggest you take one of the following actions immediately, in order of preference:
A - Apply the patch on the source code of libcurl and rebuild.
B - Configure libcurl to use a different TLS backend and rebuild.
C - Use certificates from NSS database instead of loading them from files.
This flaw was reported by Red Hat on August 22nd. The patch fixing the flaw
was published on September 5th. CVE-2016-7141 was assigned to this flaw on
September 6th. This advisory was published on September 7th.
Reported by Red Hat. Security advisory coordinated by Daniel Stenberg.
Thanks a lot!