ID CVE-2013-4545
Summary cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
References
Vulnerable Configurations
  • Haxx Curl 7.31.0
    cpe:2.3:a:haxx:curl:7.31.0
  • Haxx Curl 7.32.0
    cpe:2.3:a:haxx:curl:7.32.0
  • Haxx Curl 7.18.2
    cpe:2.3:a:haxx:curl:7.18.2
  • Haxx Curl 7.18.1
    cpe:2.3:a:haxx:curl:7.18.1
  • Haxx Curl 7.18.0
    cpe:2.3:a:haxx:curl:7.18.0
  • Haxx Curl 7.19.1
    cpe:2.3:a:haxx:curl:7.19.1
  • Haxx Curl 7.19.0
    cpe:2.3:a:haxx:curl:7.19.0
  • Haxx Curl 7.19.6
    cpe:2.3:a:haxx:curl:7.19.6
  • Haxx Curl 7.19.7
    cpe:2.3:a:haxx:curl:7.19.7
  • Haxx Curl 7.19.4
    cpe:2.3:a:haxx:curl:7.19.4
  • Haxx Curl 7.19.5
    cpe:2.3:a:haxx:curl:7.19.5
  • Haxx Curl 7.19.2
    cpe:2.3:a:haxx:curl:7.19.2
  • Haxx Curl 7.19.3
    cpe:2.3:a:haxx:curl:7.19.3
  • Haxx Curl 7.20.0
    cpe:2.3:a:haxx:curl:7.20.0
  • Haxx Curl 7.20.1
    cpe:2.3:a:haxx:curl:7.20.1
  • Haxx Curl 7.21.6
    cpe:2.3:a:haxx:curl:7.21.6
  • Haxx Curl 7.21.7
    cpe:2.3:a:haxx:curl:7.21.7
  • Haxx Curl 7.21.4
    cpe:2.3:a:haxx:curl:7.21.4
  • Haxx Curl 7.21.5
    cpe:2.3:a:haxx:curl:7.21.5
  • Haxx Curl 7.21.2
    cpe:2.3:a:haxx:curl:7.21.2
  • Haxx Curl 7.21.3
    cpe:2.3:a:haxx:curl:7.21.3
  • Haxx Curl 7.21.0
    cpe:2.3:a:haxx:curl:7.21.0
  • Haxx Curl 7.21.1
    cpe:2.3:a:haxx:curl:7.21.1
  • Haxx Curl 7.22.0
    cpe:2.3:a:haxx:curl:7.22.0
  • Haxx Curl 7.23.0
    cpe:2.3:a:haxx:curl:7.23.0
  • Haxx Curl 7.23.1
    cpe:2.3:a:haxx:curl:7.23.1
  • Haxx Curl 7.24.0
    cpe:2.3:a:haxx:curl:7.24.0
  • Haxx Curl 7.25.0
    cpe:2.3:a:haxx:curl:7.25.0
  • Haxx Curl 7.26.0
    cpe:2.3:a:haxx:curl:7.26.0
  • Haxx Curl 7.27.0
    cpe:2.3:a:haxx:curl:7.27.0
  • Haxx Curl 7.28.1
    cpe:2.3:a:haxx:curl:7.28.1
  • Haxx Curl 7.28.0
    cpe:2.3:a:haxx:curl:7.28.0
  • Haxx Curl 7.29.0
    cpe:2.3:a:haxx:curl:7.29.0
  • Haxx Curl 7.30.0
    cpe:2.3:a:haxx:curl:7.30.0
  • Haxx libcurl 7.31.0
    cpe:2.3:a:haxx:libcurl:7.31.0
  • Haxx libcurl 7.32.0
    cpe:2.3:a:haxx:libcurl:7.32.0
  • Haxx libcurl 7.18.0
    cpe:2.3:a:haxx:libcurl:7.18.0
  • Haxx libcurl 7.18.1
    cpe:2.3:a:haxx:libcurl:7.18.1
  • Haxx libcurl 7.18.2
    cpe:2.3:a:haxx:libcurl:7.18.2
  • Haxx libcurl 7.19.0
    cpe:2.3:a:haxx:libcurl:7.19.0
  • Haxx libcurl 7.19.1
    cpe:2.3:a:haxx:libcurl:7.19.1
  • Haxx libcurl 7.19.2
    cpe:2.3:a:haxx:libcurl:7.19.2
  • Haxx libcurl 7.19.3
    cpe:2.3:a:haxx:libcurl:7.19.3
  • Haxx libcurl 7.19.4
    cpe:2.3:a:haxx:libcurl:7.19.4
  • Haxx libcurl 7.19.5
    cpe:2.3:a:haxx:libcurl:7.19.5
  • Haxx libcurl 7.19.6
    cpe:2.3:a:haxx:libcurl:7.19.6
  • Haxx libcurl 7.19.7
    cpe:2.3:a:haxx:libcurl:7.19.7
  • Haxx libcurl 7.20.0
    cpe:2.3:a:haxx:libcurl:7.20.0
  • Haxx libcurl 7.20.1
    cpe:2.3:a:haxx:libcurl:7.20.1
  • Haxx libcurl 7.21.0
    cpe:2.3:a:haxx:libcurl:7.21.0
  • Haxx libcurl 7.21.1
    cpe:2.3:a:haxx:libcurl:7.21.1
  • Haxx libcurl 7.21.2
    cpe:2.3:a:haxx:libcurl:7.21.2
  • Haxx libcurl 7.21.3
    cpe:2.3:a:haxx:libcurl:7.21.3
  • Haxx libcurl 7.21.4
    cpe:2.3:a:haxx:libcurl:7.21.4
  • Haxx libcurl 7.21.5
    cpe:2.3:a:haxx:libcurl:7.21.5
  • Haxx libcurl 7.21.6
    cpe:2.3:a:haxx:libcurl:7.21.6
  • Haxx libcurl 7.21.7
    cpe:2.3:a:haxx:libcurl:7.21.7
  • Haxx libcurl 7.22.0
    cpe:2.3:a:haxx:libcurl:7.22.0
  • Haxx libcurl 7.23.0
    cpe:2.3:a:haxx:libcurl:7.23.0
  • Haxx libcurl 7.23.1
    cpe:2.3:a:haxx:libcurl:7.23.1
  • Haxx libcurl 7.24.0
    cpe:2.3:a:haxx:libcurl:7.24.0
  • Haxx libcurl 7.25.0
    cpe:2.3:a:haxx:libcurl:7.25.0
  • Haxx libcurl 7.26.0
    cpe:2.3:a:haxx:libcurl:7.26.0
  • Haxx libcurl 7.27.0
    cpe:2.3:a:haxx:libcurl:7.27.0
  • Haxx libcurl 7.28.0
    cpe:2.3:a:haxx:libcurl:7.28.0
  • Haxx libcurl 7.28.1
    cpe:2.3:a:haxx:libcurl:7.28.1
  • Haxx libcurl 7.29.0
    cpe:2.3:a:haxx:libcurl:7.29.0
  • Haxx libcurl 7.30.0
    cpe:2.3:a:haxx:libcurl:7.30.0
CVSS
Base: 4.3 (as of 25-11-2013 - 11:19)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-22046.NASL
    description - Update to 7.33.0 - Fixes CVE-2013-4545, RHBZ #1031429 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 71406
    published 2013-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71406
    title Fedora 20 : mingw-curl-7.33.0-1.fc20 (2013-22046)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-21887.NASL
    description - Update to 7.33.0 - Fixes CVE-2013-4545, RHBZ #1031429 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 71151
    published 2013-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71151
    title Fedora 19 : mingw-curl-7.33.0-1.fc19 (2013-21887)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2014-0004-1.NASL
    description This update fixes the following security issues with curl : - bnc#849596: ssl cert checks with unclear behaviour (CVE-2013-4545) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83606
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83606
    title SUSE SLED11 / SLES11 Security Update : curl (SUSE-SU-2014:0004-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-276.NASL
    description Updated curl packages fix security vulnerability : Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSL_VERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable SSL certificate host name checks when it should have only disabled verification of the certificate trust chain (CVE-2013-4545).
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 71030
    published 2013-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71030
    title Mandriva Linux Security Advisory : curl (MDVSA-2013:276)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2048-1.NASL
    description Scott Cantor discovered that libcurl incorrectly verified CN and SAN name fields when digital signature verification was disabled. When libcurl is being used in this uncommon way by specific applications, an attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 71244
    published 2013-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71244
    title Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 / 13.10 : curl vulnerability (USN-2048-1)
  • NASL family Web Servers
    NASL id GLASSFISH_CPU_APR_2015.NASL
    description The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities:
      - A flaw exists in the bundled cURL and libcurl packages. The certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) is disabled when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled. This allows a man-in-the-middle attacker to spoof SSL servers via an arbitrary valid certificate. (CVE-2013-4545)
      - A flaw exists in the bundled Network Security Services (NSS) library due to improper parsing of ASN.1 values in X.509 certificates. This allows a man-in-the-middle attacker to spoof RSA signatures via a crafted certificate. (CVE-2014-1568)
      - A man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 82902
    published 2015-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82902
    title Oracle GlassFish Server Multiple Vulnerabilities (April 2015 CPU) (POODLE)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_LIBCURL_20140415.NASL
    description The remote Solaris system is missing necessary patches to address security updates:
      - The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. (CVE-2013-1944)
      - Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a '%' (percent) character. (CVE-2013-2174)
      - cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. (CVE-2013-4545)
      - cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request. (CVE-2014-0015)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80662
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80662
    title Oracle Solaris Third-Party Patch Update : libcurl (cve_2013_1944_information_disclosure)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2798.NASL
    description Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSL_VERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable SSL certificate host name checks when it should have only disabled verification of the certificate trust chain. The default configuration for the curl package is not affected by this issue since CURLOPT_SSL_VERIFYPEER is enabled by default.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 70985
    published 2013-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70985
    title Debian DSA-2798-1 : curl - unchecked ssl certificate host name
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_CURL-131204.NASL
    description This update fixes the following security issues with curl : - ssl cert checks with unclear behaviour (CVE-2013-4545). (bnc#849596)
    last seen 2018-09-01
    modified 2014-01-03
    plugin id 71786
    published 2014-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71786
    title SuSE 11.2 / 11.3 Security Update : curl (SAT Patch Numbers 8617 / 8621)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-964.NASL
    description This update fixes the following security issues with curl : - fix CVE-2013-4545 (bnc#849596) = acknowledge VERIFYHOST without VERIFYPEER
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75228
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75228
    title openSUSE Security Update : curl (openSUSE-SU-2013:1859-1)
  • NASL family Web Servers
    NASL id HPSMH_7_4.NASL
    description According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is affected by the following vulnerabilities:
      - A flaw exists within the included cURL that disables the 'CURLOPT_SSL_VERIFYHOST' check when the setting on 'CURLOPT_SSL_VERIFYPEER' is disabled. This can allow a remote attacker to disable SSL certificate host name checks. (CVE-2013-4545)
      - A flaw exists in the included PHP 'openssl_x509_parse' function due to user input not being properly sanitized. Using a specially crafted certificate, a remote attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2013-6420)
      - A flaw exists within the included cURL where the verification check for the CN and SAN name fields is skipped due to the digital signature verification being disabled. A remote attacker can exploit this to spoof servers or conduct a man-in-the-middle attack. (CVE-2013-6422)
      - A flaw exists in the scan function within the included PHP 'ext/date/lib/parse_iso_intervals.c' script where user input is not properly sanitized. This can allow a remote attacker to cause a denial of service using a heap-based buffer overflow. (CVE-2013-6712)
      - An unspecified cross-site scripting flaw exists which can allow a remote attacker, using a specially crafted request, to execute arbitrary code within the browser / server trust relationship. (CVE-2014-2640)
      - An unspecified cross-site request forgery vulnerability exists. (CVE-2014-2641)
      - An unspecified vulnerability exists that can allow a remote attacker to conduct clickjacking attacks. (CVE-2014-2642)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 78090
    published 2014-10-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78090
    title HP System Management Homepage < 7.4 Multiple Vulnerabilities
refmap via4
confirm
debian DSA-2798
hp HPSBMU03112
suse
  • openSUSE-SU-2013:1859
  • openSUSE-SU-2013:1865
ubuntu USN-2048-1
Last major update 16-06-2016 - 21:59
Published 23-11-2013 - 06:55