CVE-2024-56521 is a security vulnerability in the TCPDF library in versions before 6.8.0. It lies in the way TCPDF configures libcurl when it fetches remote resources (for example images referenced by a document) over HTTPS: certificate verification is disabled, so the TLS connection is encrypted but the server is never authenticated. An attacker positioned on the network path (a Man-in-the-Middle, MiTM) can therefore read or alter the data exchanged between the application using TCPDF and the remote server. This post discusses the details of the vulnerability, includes code snippets that demonstrate the issue, links to the original references, and explains how the exploit can occur.
The vulnerability details
TCPDF is a widely used PHP library for generating PDF documents on the fly. The vulnerability exists in the way TCPDF drives libcurl when making HTTPS requests. Specifically, the CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST options are set to insecure values, which turns the connection into unauthenticated TLS.
According to the official libcurl documentation, CURLOPT_SSL_VERIFYPEER must be true (the default) and CURLOPT_SSL_VERIFYHOST must be 2 (also the default) for an HTTPS request to be secure; the value 0 disables the respective check. In TCPDF versions before 6.8.0 both checks are switched off, which means the hostname is not compared against the certificate and the certificate chain is not validated against the trusted certificate authorities (CAs). Any certificate, including a self-signed one generated by an attacker, is accepted. This poses a significant security risk, since a MiTM attacker can intercept or alter the data being transferred without triggering any error.
In the vulnerable versions of TCPDF, you will find something like this (simplified):
<?php
// ...
$ch = curl_init(); // Initialize a cURL session
curl_setopt($ch, CURLOPT_URL, $url); // Set the URL
curl_setopt($ch, CURLOPT_HEADER, false); // Exclude the response header from the output
// ...
if ($this->disablessl) {
    // Vulnerable: both checks are turned off, so any certificate is accepted
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // do not validate the certificate chain
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // do not match the certificate to the hostname
}
// ...
?>
As you can see in the above code snippet, CURLOPT_SSL_VERIFYPEER is set to false and CURLOPT_SSL_VERIFYHOST to 0 when $this->disablessl is true. This completely disables certificate chain verification and hostname verification; the request still uses TLS, but it will accept whatever certificate the other end presents.
The proper and secure way to set these options is as follows (these are also the libcurl defaults, so the safest fix is simply not to override them):
<?php
// ...
$ch = curl_init(); // Initialize a cURL session
curl_setopt($ch, CURLOPT_URL, $url); // Set the URL
curl_setopt($ch, CURLOPT_HEADER, false); // Exclude the response header from the output
// ...
// Set secure SSL options (explicitly, so no earlier code can have weakened them)
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // validate the chain against the trusted CA store
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // require the certificate to match the hostname
// ...
?>
The NVD entry for the vulnerability is here
https://nvd.nist.gov/vuln/detail/CVE-2024-56521
The official TCPDF repository can be found here
https://github.com/tecnickcom/TCPDF
Exploit details
To exploit this vulnerability, an attacker performs a MiTM attack by intercepting the traffic between the application using the vulnerable version of TCPDF and the remote server. This can be achieved through various techniques, such as ARP poisoning, DNS spoofing, or exploiting weak Wi-Fi encryption. Once the attacker sits in the middle of the communication, they can present their own certificate to the client; because neither the issuer chain nor the hostname is checked, the client completes the TLS handshake with the attacker as if it were the legitimate server. The attacker can then read or modify the data being transferred between the client and the server, potentially leading to unauthorized access, sensitive information disclosure, or data tampering. Note that the attacker never needs a certificate that would pass a real validation: the vulnerable client accepts any certificate, so no CA compromise or leaked key is required.
Solution
To protect your applications from this vulnerability, update the TCPDF library to version 6.8.0 or later, which fixes the issue by no longer weakening CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER. After upgrading, confirm that PHP's curl extension can actually find a CA bundle (curl.cainfo or openssl.cafile in php.ini, or the operating system's default store): with verification enforced, a missing or stale bundle makes remote HTTPS fetches fail with a certificate error instead of silently succeeding, which is the correct outcome but needs to be noticed and fixed rather than worked around by disabling verification again. Additionally, ensure that your application uses the library securely, including serving the remote resources it fetches from hosts with properly issued TLS certificates, keeping hostname verification enabled, and using secure server configurations.
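The following is an added example, not code from TCPDF or from the original post. It serves both the secure-settings snippet above and the verification step described in this section: a fetch wrapper that applies the secure libcurl options explicitly, and a self-test that fetches from the public badssl.com hosts (assumed reachable from the machine running it) and reports whether each deliberately bad certificate is rejected. Function names, the optional CA bundle path, and the use of TCPDF_STATIC::getTCPDFVersion() for the version check are this example's own assumptions.

```php
<?php
// Added example (not TCPDF code): hardened libcurl fetch wrapper plus a self-test
// that confirms certificate and hostname verification are actually enforced.
// Assumptions: a CA bundle is available via php.ini (curl.cainfo) or $caBundle,
// and the badssl.com test hosts are reachable from this machine.
declare(strict_types=1);

// curl error codes that mean "certificate rejected" (numeric so this works on old and new libcurl)
const CURL_ERR_PEER_CERT      = 51; // CURLE_SSL_PEER_CERTIFICATE: hostname mismatch on older libcurl
const CURL_ERR_CACERT_OR_PEER = 60; // CURLE_PEER_FAILED_VERIFICATION / CURLE_SSL_CACERT

/**
 * Fetch $url over HTTPS with chain and hostname verification enforced.
 * Returns the body; throws RuntimeException whose code is the curl error number.
 */
function fetch_https_verified(string $url, ?string $caBundle = null, int $timeout = 30): string
{
    if (strncasecmp($url, 'https://', 8) !== 0) {
        throw new InvalidArgumentException("Refusing non-HTTPS URL: $url");
    }
    $ch = curl_init();
    if ($ch === false) {
        throw new RuntimeException('curl_init() failed');
    }
    $opts = [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FAILONERROR     => true,          // HTTP >= 400 becomes a curl error
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => $timeout,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        // The two options this CVE is about, set explicitly to their secure values:
        CURLOPT_SSL_VERIFYPEER  => true,          // chain must validate against the trusted CA store
        CURLOPT_SSL_VERIFYHOST  => 2,             // certificate must match the requested hostname
        // Keep the initial request and any redirect on HTTPS only.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
    ];
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle;        // explicit CA bundle path (assumed to exist)
    }
    curl_setopt_array($ch, $opts);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);
    if ($body === false || $errno !== 0) {
        throw new RuntimeException("curl error $errno: $error", $errno);
    }
    return $body;
}

/**
 * Self-test: every host below serves a certificate that MUST be rejected.
 * Returns url => 'rejected' (good), 'ACCEPTED' (verification is off), or 'transport error N'.
 */
function tls_verification_self_test(?string $caBundle = null): array
{
    $badHosts = [
        'https://self-signed.badssl.com/', // not issued by a trusted CA  (exercises VERIFYPEER)
        'https://wrong.host.badssl.com/',  // trusted chain, wrong hostname (exercises VERIFYHOST)
        'https://expired.badssl.com/',     // trusted CA, expired certificate
    ];
    $results = [];
    foreach ($badHosts as $url) {
        try {
            fetch_https_verified($url, $caBundle, 10);
            $results[$url] = 'ACCEPTED';  // handshake succeeded: verification is NOT enforced
        } catch (RuntimeException $e) {
            $code = $e->getCode();
            // Only a certificate error counts as a pass; a timeout or DNS failure proves nothing.
            $results[$url] = in_array($code, [CURL_ERR_PEER_CERT, CURL_ERR_CACERT_OR_PEER], true)
                ? 'rejected'
                : "transport error $code";
        }
    }
    return $results;
}

/** Optional: is the loaded TCPDF at or past the fixed release? null if TCPDF is not loaded. */
function tcpdf_is_patched(): ?bool
{
    if (!class_exists('TCPDF_STATIC')) {
        return null;
    }
    return version_compare(TCPDF_STATIC::getTCPDFVersion(), '6.8.0', '>=');
}

foreach (tls_verification_self_test() as $url => $outcome) {
    printf("%-36s %s\n", $url, $outcome);
}
$patched = tcpdf_is_patched();
echo 'TCPDF version check: ', $patched === null ? 'TCPDF not loaded' : ($patched ? 'OK (>= 6.8.0)' : 'VULNERABLE'), "\n";
```

Run this from the same PHP configuration the application uses (same php.ini, same curl extension), since that is where the CA bundle is resolved. Every badssl line should read "rejected"; an "ACCEPTED" line means something in the process is still disabling verification, and a "transport error" line means the test could not reach the host and should be repeated rather than taken as a pass.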
Timeline
Published on: 12/27/2024 05:15:07 UTC
Last modified on: 02/18/2025 22:15:13 UTC