TLS certificate check bypass with mbedTLS
Description
libcurl with mbedTLS fails to verify TLS server certificates when connecting to an IP address, enabling man-in-the-middle attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
libcurl, when built with the mbedTLS TLS library, does not perform server certificate verification for TLS connections whose URL host is an IP address literal rather than a name. libcurl wrongly skipped the mbedTLS set-hostname call when the host was an IP address (an IP literal is not a valid SNI name, so the call looked unnecessary), and with no hostname set the certificate check was not performed at all. Connections to hosts given by name were verified normally. The flaw is in the TLS layer, so it affects every TLS-based protocol libcurl speaks (HTTPS, FTPS, IMAPS, POP3S, SMTPS and others) in affected libcurl releases prior to the fix, which shipped in curl 8.7.0 [4].
Exploitation
An attacker positioned on the network path between the client and the server can perform a man-in-the-middle attack against any connection whose URL names the server by IP address. No authentication or user interaction is required. Because an affected build performs no certificate check for such hosts, even with peer verification enabled (libcurl's default), the attacker can terminate the TLS session with any certificate, for example a self-signed one, and the client proceeds as if it had reached the genuine server, with no error or warning.
Impact
Successful exploitation completely bypasses TLS certificate validation, so the attacker can intercept, read, and modify traffic the client believes is protected by TLS. This can disclose sensitive data carried over the connection (credentials, session tokens, API keys) and, where the client acts on server responses, lead to further compromise of the affected system.
Mitigation
Users should update to a fixed version of libcurl/curl. The curl project published its security advisory on March 27, 2024, the same day curl 8.7.0 with the fix was released; upgrade to curl 8.7.0 or later, or to the distribution package version that carries the fix (distributions may backport it to an older version string, as the SUSE package ranges on this page show). Only IP-address hosts are affected and only the mbedTLS backend is affected, so the workarounds are to use a hostname rather than an IP literal in URLs (which also keeps SNI and hostname verification meaningful) or to build or link libcurl against a different TLS backend. There is no configuration option that restores the check on an affected build.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
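The triage check a practitioner wants from the description above is twofold: is this libcurl build one that uses mbedTLS and predates the fix, and does a given URL hit the trigger condition (an IP-address host)? The script below, added here as an example and not code from the curl project or this page, answers both from the first line of `curl --version` output and a URL. The two `curl --version` samples are constructed, not captured from a real system; the fixed-version threshold of 8.7.0 and the TLS backend name list are assumptions the script makes explicit.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of `curl --version` output for an mbedTLS build on a
# pre-fix release; not captured from a real system.
SAMPLE_VULNERABLE_BUILD = """\
curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 mbedTLS/3.5.2 zlib/1.3 libpsl/0.21.2
Release-Date: 2024-01-31
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps
Features: alt-svc AsynchDNS HSTS IPv6 Largefile PSL SSL threadsafe
"""

# Constructed sample of a build that carries the fix (curl 8.7.0 or later).
SAMPLE_FIXED_BUILD = """\
curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 mbedTLS/3.5.2 zlib/1.3 libpsl/0.21.2
Release-Date: 2024-03-27
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps
Features: alt-svc AsynchDNS HSTS IPv6 Largefile PSL SSL threadsafe
"""

FIXED_VERSION = (8, 7, 0)  # assumption: curl 8.7.0 (2024-03-27) is the first fixed release

# Assumption: TLS backend names as curl prints them in the first line of
# `curl --version`, lower-cased for comparison.
TLS_BACKENDS = {
    "openssl", "boringssl", "libressl", "quictls", "gnutls", "mbedtls",
    "wolfssl", "bearssl", "rustls", "schannel", "securetransport",
}


def parse_curl_version(text):
    """Return (libcurl version tuple, list of lower-cased TLS backend names)."""
    first = text.strip().splitlines()[0]
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", first)
    if not m:
        raise ValueError("first line carries no libcurl/x.y.z token")
    version = tuple(int(g) for g in m.groups())
    backends = []
    # MultiSSL builds print the alternatives inside parentheses, hence strip("()").
    for token in first.split():
        name = token.strip("()").split("/")[0].lower()
        if "/" in token and name in TLS_BACKENDS:
            backends.append(name)
    return version, backends


def is_ip_literal_host(url):
    """True when the URL host is an IPv4 or IPv6 literal: the trigger condition."""
    host = urlsplit(url).hostname  # strips [] around IPv6 literals and any :port
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def assess(version_output, url):
    """Combine the build facts with the URL's host to say whether a request is exposed."""
    version, backends = parse_curl_version(version_output)
    vulnerable_build = "mbedtls" in backends and version < FIXED_VERSION
    ip_host = is_ip_literal_host(url)
    return {
        "version": version,
        "backends": backends,
        "vulnerable_build": vulnerable_build,
        "ip_literal_host": ip_host,
        "exposed": vulnerable_build and ip_host,
    }


if __name__ == "__main__":
    for build in (SAMPLE_VULNERABLE_BUILD, SAMPLE_FIXED_BUILD):
        for url in ("https://192.0.2.10/login", "https://[2001:db8::1]:8443/", "https://example.com/"):
            print(assess(build, url))
```

For an application that embeds libcurl, the same two facts come from `curl_version_info(CURLVERSION_NOW)`: its `version` and `ssl_version` fields. On a MultiSSL build the backend actually used is selected at runtime, so the script flags the build whenever mbedTLS is among the linked backends. The URL check is a first pass only: curl's URL parser also normalises some non-dotted numerical IPv4 spellings into an address, which `ipaddress` will not recognise, so a host that is not a DNS name should be treated as an IP literal when in doubt.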
Affected products
16 versions (OSV coordinates, no CPE):
- pkg:apk/chainguard/curl range: < 8.7.1-r0
- pkg:apk/chainguard/curl-dev range: < 8.7.1-r0
- pkg:apk/chainguard/curl-doc range: < 8.7.1-r0
- pkg:apk/chainguard/curl-oci-entrypoint range: < 8.7.1-r0
- pkg:apk/chainguard/curl-static range: < 8.7.1-r0
- pkg:apk/chainguard/libcurl4 range: < 8.7.1-r0
- pkg:apk/chainguard/libcurl-openssl4 range: < 8.7.1-r0
- pkg:apk/wolfi/curl range: < 8.7.1-r0
- pkg:apk/wolfi/curl-dev range: < 8.7.1-r0
- pkg:apk/wolfi/curl-doc range: < 8.7.1-r0
- pkg:apk/wolfi/curl-oci-entrypoint range: < 8.7.1-r0
- pkg:apk/wolfi/curl-static range: < 8.7.1-r0
- pkg:apk/wolfi/libcurl4 range: < 8.7.1-r0
- pkg:apk/wolfi/libcurl-openssl4 range: < 8.7.1-r0
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed range: < 8.7.1-1.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Micro%206.0 range: < 8.6.0-3.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
11 references (source: MITRE):
- seclists.org/fulldisclosure/2024/Jul/18
- seclists.org/fulldisclosure/2024/Jul/19
- seclists.org/fulldisclosure/2024/Jul/20
- www.openwall.com/lists/oss-security/2024/03/27/4
- curl.se/docs/CVE-2024-2466.html
- curl.se/docs/CVE-2024-2466.json
- hackerone.com/reports/2416725
- security.netapp.com/advisory/ntap-20240503-0010/
- support.apple.com/kb/HT214118
- support.apple.com/kb/HT214119
- support.apple.com/kb/HT214120
News mentions
No linked articles in our index yet.