CVE-2017-7468
Description
libcurl 7.52.0-7.53.1 resumes TLS sessions even if client certificate changed, allowing potential authentication bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In curl and libcurl versions 7.52.0 through 7.53.1, libcurl attempts to resume a previously established TLS session (by session ID or session ticket) even when the client certificate configured for the new connection differs from the one used when that session was first negotiated [1][2]. This is a regression of CVE-2016-5419: the original fix was lost when the TLS code was rearranged to add HTTPS proxy support [1]. The issue affects any application that uses libcurl with client certificates while TLS session resumption (the default session cache) is enabled.
Exploitation
An attacker can exploit this flaw by controlling a server that the libcurl client connects to, or by inducing the client application to change its client certificate between connections to the same server. TLS allows a server to skip client certificate verification when it resumes a session, so if the server honors resumption the attacker (acting as the client) could be authenticated under the identity established by the earlier certificate while presenting an old certificate or none at all, bypassing the intended client certificate authentication [1][2]. The flaw requires that the client uses client certificates and that the server allows session resumption.
Impact
Successful exploitation results in authentication bypass. An attacker may gain access to resources or services that require client certificate authentication, impersonating a previously authenticated client [1]. Depending on what those resources allow, the confidentiality, integrity, or availability of affected systems could be compromised.
Mitigation
Upgrade to curl version 7.54.0 or later, which disables TLS session resumption when a client certificate is used [1]. Patches are available (commit 33cfcfd9f0378625d3bddbd2) [1]. Gentoo users should upgrade to net-misc/curl-7.55.1 or later [3]. No other workarounds are known.
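Because the fix lives in the library, what matters is the libcurl actually loaded at run time, not the headers an application was compiled against. The following is an added example, not code from this page or from the curl project: it packs a curl version string into the 0xXXYYZZ layout libcurl uses for LIBCURL_VERSION_NUM and reports whether that version falls in the affected range 7.52.0 through 7.53.1. The sample version strings in main() are constructed; in a program linked against libcurl you would pass curl_version_info(CURLVERSION_NOW)->version instead.

```c
#include <stdio.h>
#include <string.h>

/* Pack "major.minor.patch" the way libcurl encodes LIBCURL_VERSION_NUM:
 * 0xXXYYZZ = major << 16 | minor << 8 | patch.  Returns 0 if the string
 * cannot be parsed.  A trailing suffix such as "-DEV" is ignored. */
unsigned long curl_version_num(const char *version)
{
    unsigned int major, minor, patch;
    if (!version || sscanf(version, "%u.%u.%u", &major, &minor, &patch) != 3)
        return 0;
    if (major > 0xff || minor > 0xff || patch > 0xff)
        return 0;
    return ((unsigned long)major << 16) | ((unsigned long)minor << 8) | patch;
}

/* Affected range stated in the advisory: 7.52.0 through 7.53.1 inclusive.
 * 7.54.0 is the first release that disables session resumption when a
 * client certificate is in use. */
#define CVE_2017_7468_FIRST_BAD 0x073400UL  /* 7.52.0 */
#define CVE_2017_7468_LAST_BAD  0x073501UL  /* 7.53.1 */

/* Returns 1 if the version is affected, 0 if not, -1 if unparseable. */
int cve_2017_7468_affected(const char *version)
{
    unsigned long num = curl_version_num(version);
    if (num == 0)
        return -1;
    return (num >= CVE_2017_7468_FIRST_BAD && num <= CVE_2017_7468_LAST_BAD) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample inputs.  With libcurl linked, replace this array
     * with the single string curl_version_info(CURLVERSION_NOW)->version,
     * which reports the library loaded at run time. */
    const char *samples[] = { "7.51.0", "7.52.0", "7.53.1-DEV", "7.54.0", "7.55.1", "bogus" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int r = cve_2017_7468_affected(samples[i]);
        printf("libcurl %-10s -> %s\n", samples[i],
               r < 0 ? "unparseable" : r ? "AFFECTED by CVE-2017-7468" : "not affected");
    }
    return 0;
}
```

The check is deliberately conservative about parsing: an unrecognisable version string is reported as unknown rather than silently treated as safe, which is the failure mode you want in a deployment audit.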
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0): No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (5)
- https://security.gentoo.org/glsa/201709-14 (MITRE; vendor advisory; x_refsource_GENTOO)
- https://www.securityfocus.com/bid/97962 (MITRE; vdb entry; x_refsource_BID)
- https://www.securitytracker.com/id/1038341 (MITRE; vdb entry; x_refsource_SECTRACK)
- https://bugzilla.redhat.com/show_bug.cgi (MITRE; x_refsource_CONFIRM)
- https://curl.haxx.se/docs/adv_20170419.html (MITRE; x_refsource_CONFIRM)
News mentions (0): No linked articles in our index yet.