Bugzilla – Bug 1211232
VUL-0: CVE-2023-28321: curl: IDN wildcard match
Last modified: 2024-04-15 15:07:22 UTC
CVE-2023-28321: IDN wildcard match ================================== Project curl Security Advisory, May 17th 2023 - [Permalink](https://curl.se/docs/CVE-2023-28321.html) VULNERABILITY ------------- curl supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`. INFO ---- curl's wildcard matching function is used only when curl was built to use OpenSSL, Schannel or Gskit. All other backends use the matching functions of the corresponding TLS library and are thus not vulnerable to this flaw. This flaw is lessened somewhat by two factors: - Certificates issues by CAs for the public Internet are not allowed to use "partial" wildcards, thus completely avoiding this issue. - In many circumstances, the control of host names used and the wildcards used in issued certificates are controlled by the same entity, making this unlikely to actually become a problem. curl does not need to be built with IDN support to be vulnerable, as a user can pass in a puny coded version of the host name directly in the URL and can then trigger this flaw. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-28321 to this issue. CWE-295: Improper Certificate Validation Severity: Low AFFECTED VERSIONS ----------------- This bug was introduced in curl when IDN support was first introduced, in curl 7.12.0 - June 2004. The wildcard function was subsequently updated for this case in 2012 (the IDN problem is mentioned in RFC 6125 in a far from obvious way) but was done wrongly, so the flaw remained. - Affected versions: curl 7.12.0 to and including 8.0.1 - Not affected versions: curl < 7.12.0 and curl >= 8.1.0 - Introduced-in: https://github.com/curl/curl/commit/9631fa740708b1890197fad libcurl is used by many applications, but not always advertised as such! SOLUTION ------------ curl 8.1.0 completely removes the support for "partial" patches and now only supports `*.`. No `a*`, `a*b` or `*b` matches. For all host names, IDN or not. - Fixed-in: https://github.com/curl/curl/commit/199f2d440d8659b42 RECOMMENDATIONS -------------- A - Upgrade curl to version 8.1.0 B - Apply the patch to your local version TIMELINE -------- This issue was reported to the curl project on April 17 2023. We contacted distros@openwall on May 9, 2023. curl 8.1.0 was released on May 17 2023, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: Hiroki Kurosawa - Patched-by: Daniel Stenberg
Affected: - SUSE:SLE-11-SP3:Update - SUSE:SLE-12-SP4:Update - SUSE:SLE-12-SP5:Update - SUSE:SLE-12:Update - SUSE:SLE-15-SP2:Update - SUSE:SLE-15-SP4:Update - SUSE:SLE-15:Update - openSUSE:Factory
SUSE-SU-2023:2226-1: An update that solves 10 vulnerabilities and has one fix can now be installed. Category: security (important) Bug References: 1206309, 1207992, 1209209, 1209210, 1209211, 1209212, 1209214, 1211231, 1211232, 1211233, 1211339 CVE References: CVE-2022-43552, CVE-2023-23916, CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27538, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): curl-7.60.0-150000.51.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): curl-7.60.0-150000.51.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): curl-7.60.0-150000.51.1 SUSE Enterprise Storage 6 (src): curl-7.60.0-150000.51.1 SUSE CaaS Platform 4.0 (src): curl-7.60.0-150000.51.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2225-1: An update that solves five vulnerabilities and contains one feature can now be installed. Category: security (important) Bug References: 1198608, 1211230, 1211231, 1211232, 1211233 CVE References: CVE-2022-27774, CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322 Jira References: PED-2580 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): curl-8.0.1-11.65.2 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): curl-8.0.1-11.65.2 SUSE Linux Enterprise Server 12 SP5 (src): curl-8.0.1-11.65.2 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): curl-8.0.1-11.65.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2224-1: An update that solves four vulnerabilities and contains one feature can now be installed. Category: security (important) Bug References: 1211230, 1211231, 1211232, 1211233 CVE References: CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322 Jira References: PED-2580 Sources used: openSUSE Leap Micro 5.3 (src): curl-8.0.1-150400.5.23.1 openSUSE Leap 15.4 (src): curl-8.0.1-150400.5.23.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): curl-8.0.1-150400.5.23.1 SUSE Linux Enterprise Micro 5.3 (src): curl-8.0.1-150400.5.23.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): curl-8.0.1-150400.5.23.1 SUSE Linux Enterprise Micro 5.4 (src): curl-8.0.1-150400.5.23.1 Basesystem Module 15-SP4 (src): curl-8.0.1-150400.5.23.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2230-1: An update that solves three vulnerabilities and has one fix can now be installed. Category: security (important) Bug References: 1211231, 1211232, 1211233, 1211339 CVE References: CVE-2023-28320, CVE-2023-28321, CVE-2023-28322 Sources used: SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): curl-7.37.0-37.98.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2228-1: An update that solves 10 vulnerabilities and has one fix can now be installed. Category: security (important) Bug References: 1206309, 1207992, 1209209, 1209210, 1209211, 1209212, 1209214, 1211231, 1211232, 1211233, 1211339 CVE References: CVE-2022-43552, CVE-2023-23916, CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27538, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322 Sources used: SUSE OpenStack Cloud 9 (src): curl-7.60.0-4.56.1 SUSE OpenStack Cloud Crowbar 9 (src): curl-7.60.0-4.56.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): curl-7.60.0-4.56.1 SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): curl-7.60.0-4.56.1 SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): curl-7.60.0-4.56.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2227-1: An update that solves three vulnerabilities and has one fix can now be installed. Category: security (important) Bug References: 1211231, 1211232, 1211233, 1211339 CVE References: CVE-2023-28320, CVE-2023-28321, CVE-2023-28322 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): curl-7.66.0-150200.4.57.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): curl-7.66.0-150200.4.57.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): curl-7.66.0-150200.4.57.1 SUSE Linux Enterprise Real Time 15 SP3 (src): curl-7.66.0-150200.4.57.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): curl-7.66.0-150200.4.57.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): curl-7.66.0-150200.4.57.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): curl-7.66.0-150200.4.57.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): curl-7.66.0-150200.4.57.1 SUSE Manager Proxy 4.2 (src): curl-7.66.0-150200.4.57.1 SUSE Manager Retail Branch Server 4.2 (src): curl-7.66.0-150200.4.57.1 SUSE Manager Server 4.2 (src): curl-7.66.0-150200.4.57.1 SUSE Enterprise Storage 7.1 (src): curl-7.66.0-150200.4.57.1 SUSE Enterprise Storage 7 (src): curl-7.66.0-150200.4.57.1 SUSE Linux Enterprise Micro 5.1 (src): curl-7.66.0-150200.4.57.1 SUSE Linux Enterprise Micro 5.2 (src): curl-7.66.0-150200.4.57.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): curl-7.66.0-150200.4.57.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2224-2: An update that solves four vulnerabilities and contains one feature can now be installed. Category: security (important) Bug References: 1211230, 1211231, 1211232, 1211233 CVE References: CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322 Jira References: PED-2580 Sources used: openSUSE Leap 15.5 (src): curl-8.0.1-150400.5.23.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
releasesd