CVE-2024-0853
Haxx
CVE-2024-0853 is a security vulnerability in curl that could allow attackers to bypass SSL certificate verification. This flaw arises because curl incorrectly cached SSL session IDs, even when OCSP stapling verification failed. Subsequent connections to the same hostname could then skip crucial verify status checks. The SVRS score of 52 indicates a moderate risk, but the presence of the 'In The Wild' tag suggests potential exploitation. This certificate bypass could lead to man-in-the-middle attacks and compromised data. While the CVSS score might appear moderate, the potential for exploitation in real-world scenarios makes addressing CVE-2024-0853 important for systems using affected versions of curl. The CWE-295 classification further emphasizes the issue stemming from improper certificate validation.
Description:
CVE-2024-0853 is a vulnerability in curl, a command-line tool and library for transferring data over a network. The vulnerability allows an attacker to bypass the SSL verification process and establish a connection to a server that is not trusted. This could allow an attacker to intercept and modify data that is being transferred between the client and the server. The SVRS for this vulnerability is 44, indicating a moderate risk.
Key Insights:
- The vulnerability is caused by a flaw in the way curl handles SSL session IDs. When curl connects to a server, it stores the SSL session ID in a cache. If the connection is successful, curl will use the cached session ID for subsequent connections to the same server. However, if the connection fails, curl will not remove the session ID from the cache. This means that an attacker could potentially use a previously cached session ID to connect to a server, even if the server's certificate has been revoked or compromised.
- The vulnerability could allow an attacker to impersonate a legitimate server and intercept data that is being transferred between the client and the server. This could allow the attacker to steal sensitive information, such as passwords or credit card numbers.
- The vulnerability is particularly dangerous because it can be exploited without the user's knowledge. An attacker could simply send a malicious link to a victim, and if the victim clicks on the link, the attacker could potentially exploit the vulnerability to gain access to the victim's computer.
Mitigation Strategies:
- Update curl to the latest version. The latest version of curl (7.87.0) fixes the vulnerability. Users should update to the latest version as soon as possible.
- Disable SSL session caching. Users can disable SSL session caching by setting the CURLOPT_SSL_SESSIONID_CACHE option to false. This will prevent curl from caching SSL session IDs, which will make it more difficult for an attacker to exploit the vulnerability.
- Use a firewall to block connections to untrusted servers. Users can use a firewall to block connections to untrusted servers. This will help to prevent attackers from exploiting the vulnerability to gain access to the user's computer.
Additional Information:
- The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the vulnerability, calling for immediate and necessary measures.
- There are active exploits for the vulnerability. Attackers are actively exploiting the vulnerability to target organizations.
- Users who have additional queries regarding this incident can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.
Indicators of Compromise
Exploits
News
Social Media
Affected Software
References
CWE Details
CVE Radar
Real-time CVE Intelligence & Vulnerability Management Platform
CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.