The libcurl Secure Transport SSL backend does not protect the CURLOPT_SSLCERT value against a file in the current directory overriding the keychain nickname it specifies.
A locally created file can therefore take precedence over the certificate that CURLOPT_SSLCERT names in the keychain, which causes a denial of service.
configure --with-secure-transport && make
./src/curl -E testcert https://testsite
touch testcert
./src/curl -E testcert https://testsite
curl: (58) SSL: Can't load the certificate "testcert" and its private key: OSStatus -50
The issue stems from the fact that the Secure Transport backend code doesn't prefer the keychain over a local file. The documentation says that a local file should be prefixed with "./" when used, but the code doesn't have any such check. Interestingly, the NSS SSL backend does have the check: https://github.com/curl/curl/blob/master/lib/vtls/nss.c#L432
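The check described above, as an added example in C that is not curl's own code: a client-certificate argument is treated as a file only when it is spelled as an explicit path, so a stray file in the working directory cannot shadow a keychain nickname. The function names and the file name testcert_demo_file are hypothetical.

```c
/* Added example, not curl's code: decide whether a CURLOPT_SSLCERT value
 * names a file or a keychain nickname by its spelling (as the report says
 * the NSS backend does), not by whether a same-named file exists in cwd. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum cert_source { CERT_KEYCHAIN, CERT_FILE };

/* Only an explicit path ("./x", "../x", "/x") is a file; everything else
 * is a nickname. This never consults the filesystem. */
enum cert_source classify_cert_arg(const char *arg)
{
  if(!arg || !*arg)
    return CERT_KEYCHAIN;
  if(arg[0] == '/' || !strncmp(arg, "./", 2) || !strncmp(arg, "../", 3))
    return CERT_FILE;
  return CERT_KEYCHAIN;
}

/* Existence-first lookup, the behaviour the report describes: a regular
 * file in the cwd with the nickname's name wins over the keychain. */
enum cert_source resolve_cert_existence_first(const char *arg)
{
  struct stat st;
  if(stat(arg, &st) == 0 && S_ISREG(st.st_mode))
    return CERT_FILE;
  return CERT_KEYCHAIN;
}

/* Demo of the report's `touch testcert` step with a hypothetical name:
 * create the file, run both lookups, delete it. Returns 1 when the
 * existence-first lookup is diverted to the file while the spelling-based
 * one still selects the keychain; -1 if the file could not be created. */
int demo_stray_file_diversion(void)
{
  const char *name = "testcert_demo_file";
  int diverted, safe;
  FILE *f = fopen(name, "w");
  if(!f)
    return -1;
  fclose(f);
  diverted = resolve_cert_existence_first(name) == CERT_FILE;
  safe = classify_cert_arg(name) == CERT_KEYCHAIN;
  remove(name);
  return diverted && safe;
}
```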
The impact of this vulnerability is rather limited: in practice it seems to be usable only for causing a denial of service against applications that use keychain client certificates. It could happen, for example, when a command is executed inside the /tmp directory structure or in another user's home directory. A local user could then prevent the application from establishing an authenticated connection by creating a file whose name matches the keychain nickname the application uses.
Denial of service