Bug 1221666 (CVE-2024-2379) - VUL-0: CVE-2024-2379: curl: QUIC certificate check bypass with wolfSSL
Summary: VUL-0: CVE-2024-2379: curl: QUIC certificate check bypass with wolfSSL
Status: RESOLVED FIXED
Alias: CVE-2024-2379
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/398215/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-19 08:26 UTC by Alexander Bergmann
Modified: 2024-05-17 09:11 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 2 Alexander Bergmann 2024-03-19 11:15:25 UTC
SUSE and openSUSE builds are not using the wolfSSL library.
Comment 3 Alexander Bergmann 2024-03-19 11:59:59 UTC
CRD: 2024-03-27 07:00 UTC
Comment 7 Marcus Meissner 2024-03-27 14:50:15 UTC
is public via oss-sec

QUIC certificate check bypass with wolfSSL
==========================================

Project curl Security Advisory, March 27 2024 -
[Permalink](https://curl.se/docs/CVE-2024-2379.html)

VULNERABILITY
-------------

libcurl skips the certificate verification for a QUIC connection under certain
conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or
curve, the error path accidentally skips the verification and returns OK, thus
ignoring any certificate problems.

INFO
----

To trigger, this issue also requires that the used wolfSSL library was built
with the `OPENSSL_COMPATIBLE_DEFAULTS` symbol set, which is **not** set for
the recommended `configure --enable-curl` builds.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2024-2379 to this issue.

CWE-295: Improper Certificate Validation

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.6.0 to and including 8.6.0
- Not affected versions: curl < 8.6.0 and >= 8.7.0
- Introduced-in: https://github.com/curl/curl/commit/5d044ad9480a9f556f4b6a2

libcurl is used by many applications, but not always advertised as such!

This flaw is also accessible using the curl command line tool.

SOLUTION
--------

Starting in curl 8.7.0, this mistake is fixed.

- Fixed-in: https://github.com/curl/curl/commit/aedbbdf18e689a5eee8dc396

RECOMMENDATIONS
---------------

  A - Upgrade curl to version 8.7.0

  B - Apply the patch to your local version

  C - Avoid using HTTP/3 with curl built to use wolfSSL

TIMELINE
--------

This issue was reported to the curl project on March 10, 2024. We contacted
distros@openwall on March 19, 2024.

curl 8.7.0 was released on March 27 2024 around 07:00 UTC, coordinated with
the publication of this advisory.

The curl security team is not aware of any active exploits using this
vulnerability.

CREDITS
-------

- Reported-by: Dexter Gerig
- Patched-by: Daniel Stenberg
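The advisory above describes an error path that returns OK instead of failing, so certificate problems are never checked. The following is an added illustration of that fail-open pattern beside its fail-closed counterpart; it is not curl's or wolfSSL's code, and the result codes, `struct conn` and `set_cipher_list()` are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes: only the ok/fail distinction matters here. */
enum result { RES_OK = 0, RES_SSL_CONNECT_ERROR = 1, RES_PEER_FAILED_VERIFICATION = 2 };

/* Hypothetical connection state: requested cipher list and peer certificate status. */
struct conn { const char *cipher_list; bool cert_valid; bool verify_peer; };

/* Stand-in for the TLS library's cipher-list setter: only "known" is accepted. */
static bool set_cipher_list(const char *list) {
    return list == NULL || strcmp(list, "known") == 0;
}

/* Fail-open: result starts as OK, and the cipher error jumps to out without changing it,
 * so an unknown cipher list makes the function report success with no verification. */
enum result verify_fail_open(const struct conn *c) {
    enum result result = RES_OK;
    if (!set_cipher_list(c->cipher_list)) {
        fprintf(stderr, "bad cipher list\n");
        goto out;                         /* bug: result is still RES_OK */
    }
    if (c->verify_peer && !c->cert_valid)
        result = RES_PEER_FAILED_VERIFICATION;
out:
    return result;
}

/* Fail-closed: the default is an error, and success is assigned only after every check ran. */
enum result verify_fail_closed(const struct conn *c) {
    enum result result = RES_SSL_CONNECT_ERROR;   /* pessimistic default */
    if (!set_cipher_list(c->cipher_list)) {
        fprintf(stderr, "bad cipher list\n");
        goto out;                         /* leaves the connection failed */
    }
    result = (c->verify_peer && !c->cert_valid) ? RES_PEER_FAILED_VERIFICATION : RES_OK;
out:
    return result;
}

/* Convenience driver: build a connection with verification on and run one of the two variants. */
enum result run_case(const char *cipher, bool cert_valid, bool fail_closed) {
    struct conn c = { cipher, cert_valid, true };
    return fail_closed ? verify_fail_closed(&c) : verify_fail_open(&c);
}
```

With a bad cipher list and an invalid certificate, the fail-open variant returns RES_OK (the bypass), while the fail-closed variant returns RES_SSL_CONNECT_ERROR.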
Comment 9 Pedro Monreal Gonzalez 2024-03-27 19:31:53 UTC
Factory submission: https://build.opensuse.org/request/show/1163136
Comment 11 Marcus Meissner 2024-04-15 15:25:12 UTC
done