CVSS3: 4.9 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 26.6%
A user may invoke the curl command line utility with an IP address literal in the URL, such as https://192.168.124.2/... If the HTTPS server presents a certificate whose Common Name matches this IP address literal as a string (that is, the Common Name is the ASCII string "192.168.124.2"), then curl accepts the certificate (assuming it is properly signed by a trusted CA).
This is wrong. Per RFC-2818, section 3.1 (Server Identity):

    In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
That is, if the user-specified URL contains an IPv4 or IPv6 address literal, then the server certificate may only match the URL if the certificate contains the same numeric IP address in the SAN, as a GEN_IP entry.

Curl should first attempt X509_VERIFY_PARAM_set_ip_asc(), and call X509_VERIFY_PARAM_set1_host() only if the former fails.
Steps to reproduce:
1. Generate the server certificate with the genkey utility, specifying the server's IPv4 or IPv6 address on the command line / in the Common Name field. (My genkey is from crypto-utils-2.4.1-42.el7.x86_64.)
2. Make curl trust the local CA.
3. Configure mod_ssl such that it listens on the IPv4 or IPv6 address in question.
4. Invoke curl with the https scheme, and the IP address.

This issue with curl popped up while discussing the edk2 patch series mitigating CVE-2019-14553:
https://bugzilla.tianocore.org/show_bug.cgi?id=960
http://mid.mail-archive.com/[email protected]
I’m not sure this problem can be used for an attack. It’s just that string representations of IP addresses are not unique. URL to Subject Name matching should use canonical representations only.
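As an added illustration (not the reporter's code and not curl's), the string comparison described above is shown beside the RFC 2818 rule, run over constructed stand-in certificate records; the record layout and the names buggy_match and rfc2818_match are assumptions of this example, not anything from the report.

```python
import ipaddress

# Constructed stand-in certificate records (not real X.509 objects): only the
# identity fields a TLS client compares are kept.
CERT_CN_ONLY = {"cn": "192.168.124.2", "san_ip": [], "san_dns": []}
CERT_SAN_IP = {"cn": "example.test", "san_ip": ["192.168.124.2"], "san_dns": ["example.test"]}
CERT_SAN_IPV6 = {"cn": "", "san_ip": ["0:0:0:0:0:0:0:1"], "san_dns": []}


def buggy_match(url_host, cert):
    """The reported behaviour: an IP literal from the URL is compared against
    the Common Name as a plain string, so a CN of '192.168.124.2' is accepted."""
    if url_host in cert["san_ip"] or url_host in cert["san_dns"]:
        return True
    return cert["cn"] == url_host


def rfc2818_match(url_host, cert):
    """RFC 2818 section 3.1: when the URI host is an IP literal, only a SAN
    iPAddress entry may match, compared numerically (so '::1' and
    '0:0:0:0:0:0:0:1' are the same address); CN and dNSName are ignored.
    This mirrors the proposed order: try the IP path first, and fall back to
    hostname matching only when the URL host does not parse as an IP."""
    try:
        wanted = ipaddress.ip_address(url_host.strip("[]"))  # bracketed IPv6 literals
    except ValueError:
        wanted = None
    if wanted is not None:
        for entry in cert["san_ip"]:
            try:
                if ipaddress.ip_address(entry) == wanted:
                    return True
            except ValueError:
                continue  # a malformed SAN entry never matches anything
        return False
    # Hostname: dNSName entries win; CN is only a legacy fallback when no SAN is present.
    if cert["san_dns"]:
        return url_host.lower() in (d.lower() for d in cert["san_dns"])
    return cert["cn"].lower() == url_host.lower()


if __name__ == "__main__":
    host = "192.168.124.2"
    print("CN-string match accepts CN-only cert:", buggy_match(host, CERT_CN_ONLY))    # True
    print("RFC 2818 match accepts CN-only cert: ", rfc2818_match(host, CERT_CN_ONLY))  # False
    print("RFC 2818 match accepts SAN-IP cert:  ", rfc2818_match(host, CERT_SAN_IP))   # True
```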