The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of cURL: incorrect certificate check via SChannel/Winssl

Synthesis of the vulnerability

An attacker can deceive Windows cURL users with the SChannel/Winssl backend, in order to trigger a Man-in-the-Middle.
Severity of this announcement: 2/4.
Creation date: 17/03/2014.
Revision date: 18/03/2014.
References of this computer vulnerability: CVE-2014-2522, SSA:2014-086-01, VIGILANCE-VUL-14437.

Description of the vulnerability

The cURL product can be installed on Windows, with the SChannel/Winssl SSL backend.

The cURL client can access an SSL server by using its IP address, or by using its domain name.

However, when the SChannel/Winssl backend is used and cURL connects to a server by its IP address, it does not validate the server certificate at all.

An attacker can therefore deceive Windows cURL users with the SChannel/Winssl backend, in order to trigger a Man-in-the-Middle.
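The defect described above is a missing identity check, not a missing certificate: a client that connects by IP literal still has to match that literal against the certificate's iPAddress subjectAltName entries, and must fail closed when none matches. The following Python is an added example written for this page (it is not cURL's code and not how the SChannel backend or the 7.36.0 fix is implemented); the certificate's SAN list is a constructed, made-up value, and the matching rules follow the usual RFC 6125 / RFC 2818 practice.

```python
import ipaddress

# Constructed example certificate identity, given as a parsed Subject
# Alternative Name list of (type, value) pairs. Made up for this example.
EXAMPLE_SAN = [
    ("DNS", "example.test"),
    ("DNS", "*.example.test"),
    ("IP Address", "192.0.2.10"),
    ("IP Address", "2001:db8::10"),
]

# A certificate that only names DNS identities: an IP-literal connection to it
# must be rejected, never silently accepted.
DNS_ONLY_SAN = [("DNS", "example.test")]


def _dns_match(pattern, hostname):
    """RFC 6125-style DNS-ID match: case-insensitive, wildcard allowed only as
    the entire left-most label, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same label count, at least three labels (no "*.test"), and identical tail.
    return (len(p_labels) == len(h_labels)
            and len(h_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def target_matches_certificate(target, san_entries):
    """Return True only if the requested target (DNS name or IP literal, IPv6
    optionally in brackets) is named by the certificate's SAN entries.

    An implementation that returns True for every IP literal, or skips this
    check when the target is not a DNS name, has exactly the weakness the
    advisory describes."""
    try:
        ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are matched against iPAddress entries only; DNS-ID
        # entries and the subject CN play no part (ipaddress normalises the
        # textual forms, so "2001:DB8:0::10" equals "2001:db8::10").
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip
                   for t, v in san_entries)
    return any(t == "DNS" and _dns_match(v, target) for t, v in san_entries)
```

Usage: `target_matches_certificate("192.0.2.10", EXAMPLE_SAN)` is true, while the same target against `DNS_ONLY_SAN` is false, which is the outcome a client must produce before it trusts the connection.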

This computer threat announcement impacts software or systems such as curl, Slackware.

Our Vigil@nce team determined that the severity of this computer vulnerability is medium.

The trust level is: confirmed by the vendor, with an origin of: internet server.

An attacker with expert ability can exploit this cybersecurity alert.

Solutions for this threat

cURL: version 7.36.0.
Version 7.36.0 is fixed.

cURL: patch for SChannel/Winssl.
A patch is available in information sources.

cURL: workaround for SChannel/Winssl.
A workaround is to use the OpenSSL backend instead of schannel.

Slackware: new curl packages.
New packages are available:
  Slackware 13.0: curl 7.36.0-i486-1_slack13.0
  Slackware 13.1: curl 7.36.0-i486-1_slack13.1
  Slackware 13.37: curl 7.36.0-i486-1_slack13.37
  Slackware 14.0: curl 7.36.0-i486-1_slack14.0
  Slackware 14.1: curl 7.36.0-i486-1_slack14.1
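Before applying one of the solutions above, a practitioner will want to know whether a given Windows cURL build is affected at all: the bulletin's conditions are a version older than 7.36.0 and the SChannel/Winssl backend. The following Python is an added example written for this page, not a tool from the cURL or Slackware projects. It parses the first line of `curl --version` output; the sample lines are constructed for the example, and the assumption that SChannel builds identify their backend with the token `WinSSL` (or `Schannel` in later releases) is mine, not a statement from the bulletin.

```python
import re

# Constructed sample first lines of `curl --version` output (made up for this
# example; the format is "curl <version> (<triplet>) <feature tokens...>").
SAMPLE_VERSION_LINES = [
    "curl 7.33.0 (i386-pc-win32) libcurl/7.33.0 WinSSL zlib/1.2.8",
    "curl 7.36.0 (i386-pc-win32) libcurl/7.36.0 WinSSL zlib/1.2.8",
    "curl 7.33.0 (i386-pc-win32) libcurl/7.33.0 OpenSSL/1.0.1f zlib/1.2.8",
]

# First version containing the fix, per the bulletin.
FIXED_VERSION = (7, 36, 0)

# Assumption: tokens cURL uses to announce the SChannel backend in its
# version line ("WinSSL" in releases of this era, "Schannel" later).
SCHANNEL_TOKENS = ("WinSSL", "Schannel")

_VERSION_RE = re.compile(r"^curl (\d+)\.(\d+)(?:\.(\d+))? \(([^)]*)\) ?(.*)$")


def parse_curl_version(line):
    """Return (version_tuple, platform_triplet, feature_tokens) for one
    `curl --version` first line, or raise ValueError if it does not parse."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError("not a curl version line: %r" % line)
    major, minor, patch, triplet, rest = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    return version, triplet, rest.split()


def uses_schannel(feature_tokens):
    """True if any feature token names the SChannel/Winssl backend."""
    return any(tok.split("/")[0] in SCHANNEL_TOKENS for tok in feature_tokens)


def is_affected(line):
    """True if this build matches the bulletin's conditions: SChannel backend
    and a version older than 7.36.0. Builds on other backends, or at or above
    the fixed version, are reported as not affected by this bulletin."""
    version, _triplet, tokens = parse_curl_version(line)
    return uses_schannel(tokens) and version < FIXED_VERSION


def report(lines):
    """Map each version line to its affected/not-affected verdict."""
    return {line: is_affected(line) for line in lines}
```

The `version < FIXED_VERSION` comparison works on the parsed integer tuple, so "7.9.0" is correctly treated as older than "7.36.0", which a plain string comparison would get wrong.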

Computer vulnerabilities tracking service

Vigil@nce provides computer vulnerability alerts. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.