Bug 991389 - (CVE-2016-5419) VUL-0: CVE-2016-5419: curl: TLS session resumption client cert bypass
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Normal
Target Milestone: ---
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2016-5419:5.8:(AV:N/A...
Reported: 2016-07-31 12:35 UTC by Andreas Stieger
Modified: 2018-08-15 11:46 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2016-07-31 12:35:51 UTC
Created attachment 686183: work in progress patch

EMBARGOED
CRD: 2016-08-03

TLS session resumption client cert bypass
=========================================

Project cURL Security Advisory, August 3rd 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20160803A.html)

VULNERABILITY
-------------

libcurl would attempt to resume a TLS session even if the client certificate
had changed. That is unacceptable since a server by specification is allowed
to skip the client certificate check on resume, and may instead use the old
identity which was established by the previous certificate (or no
certificate).

libcurl supports by default the use of TLS session id/ticket to resume
previous TLS sessions to speed up subsequent TLS handshakes. They are used
when for any reason an existing TLS connection couldn't be kept alive to make
the next handshake faster.

We are not aware of any exploit of this flaw.

INFO
----

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-XXXX to this issue.

AFFECTED VERSIONS
-----------------

This flaw is relevant for all versions of curl and libcurl that support TLS
and client certificates.

- Affected versions: libcurl 7.1 to and including 7.50.0
- Not affected versions: libcurl >= 7.50.1

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.50.1, TLS session resumption is disabled when a client certificate
is used so that a subsequent connection attempt to the same server cannot risk
getting a previously authenticated session resumed.

A [patch for CVE-2016-XXXX](https://curl.haxx.se/CVE-A.patch) is
available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.50.1

  B - Apply the patch to your version and rebuild

  C - Set CURLOPT_SSL_SESSIONID_CACHE to 0L when using client certificates

TIME LINE
---------

It was first reported to the curl project in April 2016 by Bru Rom. We
contacted *WHOEVER* on *WHENEVER*.

libcurl 7.50.1 was released on August 3 2016, coordinated with the publication
of this advisory.

CREDITS
-------

Contributions by Eric Rescorla and Ray Satiro. Patch by Daniel Stenberg.
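An added check for this bug's affected range and recommendation C, written here and not taken from the advisory or the curl project: it parses the libcurl version out of a `curl --version` line, flags versions from 7.1 up to and including 7.50.0, and wraps client-certificate requests with `--no-sessionid`, the command-line form of CURLOPT_SSL_SESSIONID_CACHE = 0L. The sample version line is constructed.

```shell
#!/bin/sh
# Added example for bug 991389 (not from the advisory or the curl project).
# Checks a libcurl version against the affected range of CVE-2016-5419
# (7.1 up to and including 7.50.0, fixed in 7.50.1) and applies the
# advisory's recommendation C on the command line.

# parse_libcurl_version LINE: print the library version from the first line
# of `curl --version` (the libcurl/X.Y.Z token is what matters for programs
# linked against the library, not the tool's own version number).
parse_libcurl_version() {
    printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# curl_affected VERSION: exit 0 when VERSION lies in 7.1 .. 7.50.0.
curl_affected() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2)
    pat=$(printf '%s' "$1" | cut -d. -f3)
    pat=${pat:-0}                          # "7.50" is read as 7.50.0
    [ "$maj" -eq 7 ] || return 1           # only the 7.x line is in range
    [ "$min" -ge 1 ] || return 1
    if [ "$min" -lt 50 ]; then return 0; fi            # 7.1 .. 7.49.x
    if [ "$min" -eq 50 ] && [ "$pat" -lt 1 ]; then return 0; fi   # 7.50.0
    return 1                                            # 7.50.1 and later
}

# client_cert_curl CERT URL [ARGS...]: recommendation C for the tool.
# --no-sessionid is the command-line form of CURLOPT_SSL_SESSIONID_CACHE = 0L,
# so a client-certificate handshake is never replaced by a resumed session.
client_cert_curl() {
    cert=$1; url=$2; shift 2
    curl --no-sessionid --cert "$cert" "$@" "$url"
}

# Constructed sample version line (not captured from a real system).
sample_line='curl 7.50.0 (x86_64-suse-linux-gnu) libcurl/7.50.0 OpenSSL/1.0.2h zlib/1.2.8'
ver=$(parse_libcurl_version "$sample_line")
if curl_affected "$ver"; then
    echo "libcurl $ver: affected; upgrade to 7.50.1 or disable the session cache with client certs"
else
    echo "libcurl $ver: not affected"
fi
```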
Comment 1 Swamp Workflow Management 2016-07-31 22:00:28 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2016-08-01 09:05:23 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-08-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62921
Comment 5 Bernhard Wiedemann 2016-08-24 12:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (991389) was mentioned in
https://build.opensuse.org/request/show/421545 13.2 / curl
Comment 7 Swamp Workflow Management 2016-08-25 16:09:25 UTC
SUSE-SU-2016:2155-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 991389,991390
CVE References: CVE-2016-5419,CVE-2016-5420
Sources used:
SUSE Studio Onsite 1.3 (src):    curl-7.19.7-1.20.42.1
Comment 8 Swamp Workflow Management 2016-09-02 16:09:27 UTC
openSUSE-SU-2016:2227-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 991389,991390,991391,991746
CVE References: CVE-2016-5419,CVE-2016-5420,CVE-2016-5421
Sources used:
openSUSE 13.2 (src):    curl-7.42.1-25.1
Comment 12 Swamp Workflow Management 2016-09-16 04:48:27 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-09-30.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63046
Comment 13 Swamp Workflow Management 2016-09-16 19:13:36 UTC
SUSE-SU-2016:2330-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 991389,991390,991391,991746,997420
CVE References: CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    curl-7.37.0-28.1
SUSE Linux Enterprise Server 12-SP1 (src):    curl-7.37.0-28.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    curl-7.37.0-28.1
Comment 14 Swamp Workflow Management 2016-09-26 00:08:54 UTC
openSUSE-SU-2016:2379-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 991389,991390,991391,991746,997420
CVE References: CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Sources used:
openSUSE Leap 42.1 (src):    curl-7.37.0-13.1
Comment 15 Swamp Workflow Management 2016-10-04 15:10:16 UTC
SUSE-SU-2016:2449-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 991389,991390,997420
CVE References: CVE-2016-5419,CVE-2016-5420,CVE-2016-7141
Sources used:
SUSE OpenStack Cloud 5 (src):    curl-7.19.7-1.61.1
SUSE Manager Proxy 2.1 (src):    curl-7.19.7-1.61.1
SUSE Manager 2.1 (src):    curl-7.19.7-1.61.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.19.7-1.61.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.19.7-1.61.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    curl-7.19.7-1.61.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.19.7-1.61.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    curl-7.19.7-1.61.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.19.7-1.61.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    curl-7.19.7-1.61.1
Comment 16 Marcus Meissner 2016-12-16 16:16:35 UTC
released