ZBX-5924

Possible security issue due to misuse of the libcurl API



      Alessandro Ghedini on behalf of Debian security team kindly shared his concerns regarding the following:

      We recently discovered that zabbix is using the libcurl API in a way that may not be what the original author intended.
      In particular I'm referring to the fact that the CURLOPT_SSL_VERIFYHOST option is treated as if it were a boolean value
      while in fact it isn't (it may take three different values):

      From the file "src/libs/zbxmedia/eztexting.c":

      if (CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_USERAGENT, "Zabbix " ZABBIX_VERSION)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_FOLLOWLOCATION, 1L)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_WRITEFUNCTION, WRITEFUNCTION2)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_HEADERFUNCTION, HEADERFUNCTION2)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYPEER, 1L)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYHOST, 1L)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_POSTFIELDS, postfields)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_POST, 1L)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_URL, EZ_TEXTING_API_URL)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_TIMEOUT, (long)EZ_TEXTING_TIMEOUT)))
      {
          zbx_snprintf(error, max_error_len, "Could not set cURL option %d: [%s]", opt, curl_easy_strerror(err));
          goto clean;
      }

      Setting the value to "1" does not enable the host checks (well, not all of them)
      and this may lead to security issues. The correct value to enable all the security checks is "2".

      From the libcurl documentation:

      > When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate
      > that the server is the server to which you meant to connect, or the
      > connection fails.
      > Curl considers the server the intended one when the Common Name
      > field or a Subject Alternate Name field in the certificate matches
      > the host name in the URL to which you told Curl to connect.
      > When the value is 1, the certificate must contain a Common Name
      > field, but it doesn't matter what name it says. (This is not
      > ordinarily a useful setting).
      > When the value is 0, the connection succeeds regardless of the
      > names in the certificate.

      Note that this should be fixed anyway, since as of curl v7.28.1 the value "1" is not a valid value
      anymore and libcurl will return an error.
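Added example (not Zabbix code and not libcurl code): a small C model of the three documented CURLOPT_SSL_VERIFYHOST levels, written to show concretely why the value 1 used in eztexting.c does not bind the certificate to the URL host and why 2 does. The certificate, the host name "sms-gateway.example" and the function names are constructed for the example; the only libcurl fact it relies on is the version encoding of 7.28.1 (0x071C01, the release the report names as the first to reject a value of 1). The actual fix in the snippet above is to pass 2L instead of 1L for CURLOPT_SSL_VERIFYHOST.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the documented CURLOPT_SSL_VERIFYHOST semantics.
 * It is not libcurl's implementation; it exists to make the difference
 * between the three values observable on sample input. */
#define VERIFYHOST_NONE        0  /* any name in the certificate is accepted */
#define VERIFYHOST_CN_PRESENT  1  /* a Common Name must exist, its content is ignored */
#define VERIFYHOST_MATCH       2  /* CN or a Subject Alternative Name must equal the URL host */

/* LIBCURL_VERSION_NUM value for 7.28.1 (0xXXYYZZ encoding). */
#define CURL_VERSION_7_28_1 0x071C01UL

/* Stand-in for the identity fields of a server certificate. */
struct cert_identity {
    const char *common_name;  /* NULL when the subject carries no CN */
    const char *san[4];       /* dNSName entries, NULL-terminated */
};

/* Case-insensitive equality of a certificate name and the URL host. */
static int name_matches(const char *cert_name, const char *host)
{
    if (cert_name == NULL || host == NULL)
        return 0;
    for (; *cert_name != '\0' && *host != '\0'; cert_name++, host++)
        if (tolower((unsigned char)*cert_name) != tolower((unsigned char)*host))
            return 0;
    return *cert_name == '\0' && *host == '\0';
}

/* Returns 1 if a connection to `host` would be accepted at `verifyhost`
 * given the certificate, 0 if refused, -1 for an undefined level. */
int verifyhost_accepts(int verifyhost, const struct cert_identity *cert, const char *host)
{
    switch (verifyhost) {
    case VERIFYHOST_NONE:
        return 1;
    case VERIFYHOST_CN_PRESENT:
        /* Only the presence of a CN is required: a certificate issued to
         * "attacker.example" passes for a URL pointing elsewhere. */
        return cert->common_name != NULL && cert->common_name[0] != '\0';
    case VERIFYHOST_MATCH:
        if (name_matches(cert->common_name, host))
            return 1;
        for (int i = 0; cert->san[i] != NULL; i++)
            if (name_matches(cert->san[i], host))
                return 1;
        return 0;
    default:
        return -1;
    }
}

/* Returns 1 if `verifyhost` is a value that libcurl `version_num` accepts;
 * from 7.28.1 on, the report says a value of 1 makes curl_easy_setopt() fail. */
int verifyhost_value_supported(int verifyhost, unsigned long version_num)
{
    if (verifyhost == VERIFYHOST_CN_PRESENT && version_num >= CURL_VERSION_7_28_1)
        return 0;
    return verifyhost >= VERIFYHOST_NONE && verifyhost <= VERIFYHOST_MATCH;
}

/* Constructed case: certificate issued to a different name than the URL host. */
int mismatched_cert_accepted(int verifyhost)
{
    const struct cert_identity cert = { "attacker.example", { NULL } };
    return verifyhost_accepts(verifyhost, &cert, "sms-gateway.example");
}

/* Constructed case: CN differs but a SAN entry names the URL host. */
int san_cert_accepted(int verifyhost)
{
    const struct cert_identity cert = { "edge.example", { "sms-gateway.example", NULL } };
    return verifyhost_accepts(verifyhost, &cert, "sms-gateway.example");
}

int main(void)
{
    for (int level = 0; level <= 2; level++)
        printf("VERIFYHOST=%d: mismatched cert accepted=%d, SAN cert accepted=%d\n",
               level, mismatched_cert_accepted(level), san_cert_accepted(level));
    printf("value 1 supported on 7.28.1: %d\n",
           verifyhost_value_supported(1, CURL_VERSION_7_28_1));
    return 0;
}
```

Running it shows the mismatched certificate accepted at levels 0 and 1 and refused only at level 2, which is the gap the report describes; the SAN case shows that level 2 still accepts a certificate whose CN differs as long as a SAN entry names the host. The version check mirrors the second half of the report: on 7.28.1 and later a value of 1 is not merely weak, it is rejected outright, so the existing "Could not set cURL option" branch in eztexting.c would fire on every send.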




            • Assignee: Andris Zeila (wiper), Dmitry Smirnov (onlyjob)
            • Votes: 2
            • Watchers: 6