PT-2014-4049 · Apple+1 · Darwinssl+5

Rmoriz · Published 2014-02-27 · Updated 2014-05-05 · CVE-2014-1263

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: curl and libcurl 7.27.0 through 7.35.0, when libcurl is built with the SecureTransport (darwinssl) backend; this includes the system libcurl of Apple OS X 10.9.x before 10.9.2.
Description: libcurl built with Apple's SecureTransport (darwinssl) backend, the TLS library used on OS X and iOS, does not verify that the server's X.509 certificate was issued for the host being contacted when the URL names the server by a numerical IP address rather than a host name. The certificate's signature, chain and validity period are still checked, but the name check (a match of the requested host against the certificate's subjectAltName entries or the subject's Common Name) is skipped for IP-address URLs. Any valid certificate for any name, issued by any CA the client trusts, is therefore accepted, so a man-in-the-middle attacker who can redirect or intercept the connection can spoof the server. Requests to host-name URLs, and libcurl builds that use another TLS backend, are not affected.
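The following is an added example, not code from the page or from the curl project. It implements the name check that the darwinssl backend skipped for IP-address URLs: an IP literal in the URL must match an iPAddress subjectAltName entry, and the Common Name is never consulted for IP literals (RFC 2818/6125). The certificates are constructed dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the hosts and addresses are made up for illustration.

```python
import ipaddress

# Constructed peer certificates in getpeercert() form (made up for this example).
# A certificate for www.example.com with no iPAddress SAN ...
CERT_DNS_ONLY = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
# ... and one that also binds the IP address the client will connect to.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("IP Address", "203.0.113.10")),
}


def _is_ip_literal(host):
    """True for an IPv4/IPv6 literal as written in a URL (IPv6 may be bracketed)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _dns_match(pattern, name):
    """Case-insensitive DNS-ID match; a wildcard is only accepted as the whole
    leftmost label and matches exactly one label (stricter than some clients)."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def host_matches_cert(host, cert):
    """Return True only if the certificate is bound to `host` as written in the URL.

    This is the check whose omission CVE-2014-1263 describes: the vulnerable
    backend returned success for any IP literal as long as the chain validated.
    """
    sans = cert.get("subjectAltName", ())
    if _is_ip_literal(host):
        want = ipaddress.ip_address(host.strip("[]"))
        for kind, value in sans:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == want:
                    return True
            except ValueError:
                continue  # malformed SAN value; ignore it rather than fail open
        return False  # no iPAddress SAN matched; the CN is not a fallback for IPs
    dns_ids = [value for kind, value in sans if kind == "DNS"]
    if dns_ids:
        # When DNS SANs are present they are authoritative; the CN is ignored.
        return any(_dns_match(p, host) for p in dns_ids)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, host):
                return True
    return False
```

With these inputs, `host_matches_cert("203.0.113.10", CERT_DNS_ONLY)` is False (the case the affected builds wrongly accepted), while the same address against `CERT_WITH_IP_SAN` is True.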
Recommendations: Upgrade curl and libcurl to 7.36.0 or later, which restores the name check for IP-address URLs; versions before 7.27.0 are not affected because they predate the darwinssl backend. On OS X 10.9.x, apply the 10.9.2 update, which ships a fixed system libcurl. Until the update is in place, do not pass URLs with numerical IP addresses to a libcurl built against Secure Transport (use a host name that the server's certificate actually covers), or build libcurl against a different TLS backend. Note that the affected build is still reported as "SecureTransport" in the output of `curl --version`, which is the quickest way to tell whether a given binary is exposed.
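An added example (not code from the page or from the curl project) that turns the check above into something scriptable: it parses the first line of `curl --version`, extracts the libcurl version and the TLS backend tokens, and reports whether the build falls in the affected range with the SecureTransport backend. The sample outputs below are constructed for the example in the format OS X 10.9 and Linux builds print; `check_local_curl()` runs the real command if a curl binary is available.

```python
import re
import subprocess

# Constructed `curl --version` outputs (made up for this example).
SAMPLE_AFFECTED = """curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz
"""
SAMPLE_FIXED = "curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1 SecureTransport zlib/1.2.5\n"
SAMPLE_OTHER_BACKEND = "curl 7.30.0 (x86_64-pc-linux-gnu) libcurl/7.30.0 OpenSSL/1.0.1e zlib/1.2.7\n"

# Range given in the advisory: 7.27.0 (darwinssl introduced) through 7.35.0 inclusive.
AFFECTED_MIN = (7, 27, 0)
AFFECTED_MAX = (7, 35, 0)

# Library tokens curl prints for its TLS backends (names as they appear after libcurl/x.y.z).
TLS_BACKENDS = {
    "SecureTransport", "OpenSSL", "LibreSSL", "BoringSSL", "GnuTLS", "NSS",
    "PolarSSL", "mbedTLS", "CyaSSL", "wolfSSL", "axTLS", "WinSSL", "Schannel",
}


def parse_curl_version(text):
    """Return (libcurl version tuple, list of TLS backend names) from `curl --version` output."""
    first = text.splitlines()[0]
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", first)
    if not m:
        raise ValueError("no libcurl/x.y.z token in: %r" % first)
    version = tuple(int(x) for x in m.groups())
    # Everything after the libcurl token names linked libraries, e.g. "SecureTransport zlib/1.2.5".
    libs = [tok.split("/")[0] for tok in first[m.end():].split()]
    backends = [name for name in libs if name in TLS_BACKENDS]
    return version, backends


def is_affected(version, backends):
    """CVE-2014-1263 applies only to the SecureTransport backend within the version range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX and "SecureTransport" in backends


def check_build(text):
    """Convenience wrapper: True if the described build is exposed, False otherwise."""
    version, backends = parse_curl_version(text)
    return is_affected(version, backends)


def check_local_curl():
    """Run the real `curl --version`; returns None when no curl binary is available."""
    try:
        proc = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return check_build(proc.stdout)


if __name__ == "__main__":
    result = check_local_curl()
    print("no curl binary found" if result is None else "affected" if result else "not affected")
```

The version comparison is inclusive at both ends, so a 7.35.0 SecureTransport build is reported as affected and 7.36.0 is not; a build in the range that links OpenSSL or another backend is reported as not affected, matching the advisory's scope.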

Related Identifiers

CVE-2014-1263

Affected Products

Darwinssl
Os X
Securetransport
Curl
Ios
Libcurl