SSL CBC IV vulnerability
Project curl Security Advisory, January 24th 2012 permalink
curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer.
This vulernability has been identified (CVE-2011-3389 aka the "BEAST" attack) and is addressed by OpenSSL already as they have made a work-around to mitigate the problem. When doing so, they figured out that some servers didn't work with the work-around and offered a way to disable it.
The bit used to disable the workaround was then added to the generic SSLOPALL bitmask that SSL clients may use to enable work-arounds for better compatibility with servers. libcurl uses the SSLOPALL bitmask.
While SSLOPALL is documented to enable "rather harmless" work-arounds, it does in this case effectively enable this security vulnerability again.
There is no known exploit for this problem.
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Only curl and libcurl builds that use OpenSSL are affected.
- Affected versions: curl 7.10.6 to and including 7.23.1
Also note that libcurl is used by many applications, and not always advertised as such.
libcurl 7.24.0 never sets the
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade to curl and libcurl 7.24.0
B - Apply this patch and rebuild libcurl
C - Rebuild curl with another SSL library
D - Change the option within your application by using the CURLOPTSSLCTX_FUNCTION callback
product-security at Apple reported this problem to us on January 19th 2012.
We discussed solutions and a first patch was written on the same day.
curl 7.24.0 was released on January 24th 2012, coordinated with the publication of this this flaw.
product-security at Apple reported it, Yang Tse helped analyzing the issue