CVE-2014-8151

Name of the Vulnerable Software and Affected Versions libcurl versions 7.31.0 through 7.39.0

Description The issue arises when libcurl, using the DarwinSSL (also known as SecureTransport) backend for TLS, fails to check if a cached TLS session validated the certificate when reusing the session. This allows man-in-the-middle attackers to spoof servers via a crafted certificate. The problem is specific to libcurl built to use the Secure Transport backend for TLS, affecting Mac and iPhone-based applications. When an application connects to a TLS server with certificate verification disabled, it stores the Session ID in the cache. If a subsequent connection is made against the same host and port number, it reuses the former session from the cache, skipping the certificate check and wrongly accepting any bad certificate that could be presented.

Recommendations For libcurl versions 7.31.0 through 7.39.0, consider disabling the re-use of cached TLS sessions until a patch is available. As a temporary workaround, enable certificate verification using CURLOPT SSL VERIFYHOST and CURLOPT SSL VERIFYPEER to prevent the acceptance of bad certificates. At the moment, there is no information about a newer version that contains a fix for this vulnerability.