Vulnerabilities > CVE-2014-0139 - Cryptographic Issues vulnerability in Haxx Curl and Libcurl
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_CURL-140415.NASL description This curl update fixes the following security issues : - wrong re-use of connections. (CVE-2014-0138). (bnc#868627) - IP address wildcard certificate validation. (CVE-2014-0139). (bnc#868629) - --insecure option inappropriately enforcing security safeguard. (bnc#870444) last seen 2020-06-05 modified 2014-05-21 plugin id 74115 published 2014-05-21 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/74115 title SuSE 11.3 Security Update : curl (SAT Patch Number 9133) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(74115); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2014-0138", "CVE-2014-0139"); script_name(english:"SuSE 11.3 Security Update : curl (SAT Patch Number 9133)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This curl update fixes the following security issues : - wrong re-use of connections. (CVE-2014-0138). (bnc#868627) - IP address wildcard certificate validation. (CVE-2014-0139). (bnc#868629) - --insecure option inappropriately enforcing security safeguard. (bnc#870444)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=868627" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=868629" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=870444" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-0138.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-0139.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 9133."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libcurl4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libcurl4-32bit"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2014/04/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, "SuSE 11.3"); flag = 0; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"curl-7.19.7-1.38.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"libcurl4-7.19.7-1.38.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"curl-7.19.7-1.38.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"libcurl4-7.19.7-1.38.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"libcurl4-32bit-7.19.7-1.38.1")) flag++; if (rpm_check(release:"SLES11", sp:3, reference:"curl-7.19.7-1.38.1")) flag++; if (rpm_check(release:"SLES11", sp:3, reference:"libcurl4-7.19.7-1.38.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"libcurl4-32bit-7.19.7-1.38.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"libcurl4-32bit-7.19.7-1.38.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2167-1.NASL description Steve Holme discovered that libcurl incorrectly reused wrong connections when using protocols other than HTTP and FTP. This could lead to the use of unintended credentials, possibly exposing sensitive information. (CVE-2014-0138) Richard Moore discovered that libcurl incorrectly validated wildcard SSL certificates that contain literal IP addresses. An attacker could possibly exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2014-0139). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2014-04-15 plugin id 73514 published 2014-04-15 reporter Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73514 title Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : curl vulnerabilities (USN-2167-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2902.NASL description Two vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2014-0138 Steve Holme discovered that libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP. - CVE-2014-0139 Richard Moore from Westpoint Ltd. reported that libcurl does not behave compliant to RFC 2828 under certain conditions and incorrectly validates wildcard SSL certificates containing literal IP addresses. last seen 2020-03-17 modified 2014-04-14 plugin id 73486 published 2014-04-14 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73486 title Debian DSA-2902-1 : curl - security update NASL family Fedora Local Security Checks NASL id FEDORA_2014-6921.NASL description - Update to 7.37.0 - Fixes CVE-2014-0138 and CVE-2014-0139 (RHBZ #1080880) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-06-10 plugin id 74408 published 2014-06-10 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/74408 title Fedora 19 : mingw-curl-7.37.0-1.fc19 (2014-6921) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201406-21.NASL description The remote host is affected by the vulnerability described in GLSA-201406-21 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could cause a man-in-the-middle attack via a crafted certificate issued by a legitimate certification authority. Furthermore, a context-dependent attacker may be able to bypass security restrictions by connecting as other users. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 76180 published 2014-06-23 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76180 title GLSA-201406-21 : cURL: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2014-6912.NASL description - Update to 7.37.0 - Fixes CVE-2014-0138 and CVE-2014-0139 (RHBZ #1080880) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-06-10 plugin id 74406 published 2014-06-10 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/74406 title Fedora 20 : mingw-curl-7.37.0-1.fc20 (2014-6912) NASL family Web Servers NASL id HPSMH_7_2_6.NASL description According to the web server last seen 2020-06-01 modified 2020-06-02 plugin id 90251 published 2016-03-29 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/90251 title HP System Management Homepage < 7.2.6 Multiple Vulnerabilities (FREAK) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-213.NASL description Updated lftp packages fix security vulnerability : lftp incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site (CVE-2014-0139). lftp was affected by this issue as it uses code from cURL for checking SSL certificates. The curl package was fixed in MDVSA-2015:098. last seen 2020-06-01 modified 2020-06-02 plugin id 83155 published 2015-04-30 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83155 title Mandriva Linux Security Advisory : lftp (MDVSA-2015:213) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-110.NASL description Updated curl packages fix security vulnerabilities : Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user (CVE-2014-0015). libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials (CVE-2014-0138). libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site (CVE-2014-0139). last seen 2020-06-01 modified 2020-06-02 plugin id 74418 published 2014-06-10 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/74418 title Mandriva Linux Security Advisory : curl (MDVSA-2014:110) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-329.NASL description This curl update fixes two security issues : - bnc#868627: Fixed wrong re-use of connections (CVE-2014-0138). - bnc#868629: Fixed IP address wildcard certificate validation (CVE-2014-0139). last seen 2020-06-05 modified 2014-06-13 plugin id 75339 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75339 title openSUSE Security Update : curl (openSUSE-SU-2014:0598-1) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2014-086-01.NASL description New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 73247 published 2014-03-31 reporter This script is Copyright (C) 2014 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/73247 title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : curl (SSA:2014-086-01) NASL family Windows NASL id IBM_RATIONAL_CLEARQUEST_8_0_1_6.NASL description The remote host has a version of IBM Rational ClearQuest 7.1.x prior to 7.1.2.16 / 8.0.0.x prior to 8.0.0.13 / 8.0.1.x prior to 8.0.1.6 installed. It is, therefore, potentially affected by multiple vulnerabilities in third party libraries : - An error exists in the libcURL and OpenSSL libraries related to an IP address that uses a wildcard in the subject last seen 2020-06-01 modified 2020-06-02 plugin id 81784 published 2015-03-12 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/81784 title IBM Rational ClearQuest 7.1.x < 7.1.2.16 / 8.0.0.x < 8.0.0.13 / 8.0.1.x < 8.0.1.6 Multiple Vulnerabilities (credentialed check) (POODLE) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1172.NASL description According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.i1/4^CVE-2013-4545i1/4%0 - The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.i1/4^CVE-2013-6422i1/4%0 - cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject last seen 2020-03-19 modified 2019-04-09 plugin id 123858 published 2019-04-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123858 title EulerOS Virtualization 2.5.3 : curl (EulerOS-SA-2019-1172) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-098.NASL description Updated curl packages fix security vulnerabilities : Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user (CVE-2014-0015). libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials (CVE-2014-0138). libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site (CVE-2014-0139). In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site (CVE-2014-3613). In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain (CVE-2014-3620). Symeon Paraschoudis discovered that the curl_easy_duphandle() function in cURL has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending, while performing a HTTP POST operation. This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be used in that order, and then the duplicate handle must be used to perform the HTTP POST. The curl command line tool is not affected by this problem as it does not use this sequence (CVE-2014-3707). When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off. If the given URL contains line feeds and carriage returns those will be sent along to the proxy too, which allows the program to for example send a separate HTTP request injected embedded in the URL (CVE-2014-8150). last seen 2020-06-01 modified 2020-06-02 plugin id 82351 published 2015-03-30 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82351 title Mandriva Linux Security Advisory : curl (MDVSA-2015:098)
References
- http://advisories.mageia.org/MGASA-2015-0165.html
- http://curl.haxx.se/docs/adv_20140326B.html
- http://lists.opensuse.org/opensuse-updates/2014-04/msg00042.html
- http://secunia.com/advisories/57836
- http://secunia.com/advisories/57966
- http://secunia.com/advisories/57968
- http://secunia.com/advisories/58615
- http://secunia.com/advisories/59458
- http://www.debian.org/security/2014/dsa-2902
- http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/
- http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
- http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:213
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.ubuntu.com/usn/USN-2167-1
- http://www-01.ibm.com/support/docview.wss?uid=swg21675820
- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862