CVE-2023-28321 - Improper Certificates Validation Vulnerability in Curl <v8.1.: Affecting Wildcard Matching and IDN Support

A recently discovered vulnerability, CVE-2023-28321, affects the widely used command-line tool for transferring data, curl. Specifically, this vulnerability concerns the version prior to 8.1. and involves improper certificate validation when dealing with wildcard patterns listed as "Subject Alternative Name" in TLS server certificates.

Background

Curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. However, this private wildcard matching function has been found to improperly match IDN (International Domain Name) hosts. Consequently, it could end up accepting patterns that should otherwise be flagged as a mismatch.

Exploit Details

When IDN hostnames are involved, they are first converted to puny code before being used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match. However, the vulnerability in curl's wildcard check would still consider x*, which would then match even though the IDN name most likely contained nothing resembling an x.

To demonstrate this issue, let's consider the following example. Here's a problematic pattern

*.example.com

A certificate with this Subject Alternative Name would cover any subdomain under example.com. However, an IDN subdomain like müller.example.com, when puny-coded, becomes:

xn--mller-kva.example.com

The incorrect wildcard check in curl versions prior to 8.1. will pattern match the above string as if it were:

x*.example.com

This is clearly incorrect, as the puny-coded IDN should not have been allowed to pattern match.

Original References

- curl's advisory on this vulnerability
- Official cURL documentation
- cURL GitHub Repository

Mitigation

To protect your systems from this vulnerability, make sure to update curl to version 8.1. or later, which properly validates certificates and contains a fix for this issue. The latest version of curl can be found on the official cURL GitHub page.

Conclusion

CVE-2023-28321 represents a serious breach in the security protocols of curl

Timeline

Published on: 05/26/2023 21:15:00 UTC
Last modified on: 06/16/2023 19:17:00 UTC