curl and libcurl OCSP Stapling Bypass Vulnerability on Apple Platforms

Vulnerability

A vulnerability exists in curl and libcurl when built with an OpenSSL-based backend and used with Apple SecTrust, which accesses the native CA certificate store on Apple operating systems. It allows curl to bypass proper verification of OCSP stapling, a mechanism for checking that the server's certificate has not been revoked. As a result, connections can be established even when the server fails to provide a required OCSP response, contrary to the expected behavior of aborting the connection in that case.

Impact

Exploitation of this vulnerability leads to an improper validation of server certificates, allowing connections to proceed without the required OCSP verification, potentially accepting invalid or revoked certificates.

Reproduction

The vulnerability can be reproduced by building curl with both the OpenSSL backend and the Apple SecTrust option enabled. After adding a test CA certificate to the macOS Keychain, a server can be started that does not staple OCSP responses. When curl is then run with the --cert-status option, it incorrectly reports a successful verification, even though no valid OCSP response was received.

Remediation

Users can upgrade curl and libcurl to version 8.20.0, apply the patch available in the curl GitHub repository, or avoid using OCSP stapling with Apple SecTrust.
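The following triage script is an added example, not part of the advisory or of the curl project. It reads the first line of `curl -V` (assumed layout: "curl X.Y.Z (<platform>) libcurl/X.Y.Z <TLS lib>/<ver> ...") and checks the two conditions visible there: a version below the fixed 8.20.0 and an OpenSSL-based TLS library; whether the build also uses Apple SecTrust cannot be read from that line, so a match means "check further", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example: triage a curl build against the OCSP stapling bypass from
# the first line of `curl -V`. Assumptions (not from the advisory): the line
# follows "curl X.Y.Z (<platform>) libcurl/X.Y.Z <TLS lib>/<ver> ..." and
# OpenSSL-family backends are reported as OpenSSL, LibreSSL or BoringSSL.
FIXED_VERSION="8.20.0"

# version_lt A B: exit 0 when dotted version A is numerically lower than B
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) exit 0
      if (p > q) exit 1
    }
    exit 1
  }'
}

# curl_exposure "<first line of curl -V>": prints exactly one verdict
#   check-sectrust : OpenSSL-based backend and version below 8.20.0;
#                    confirm whether the build uses Apple SecTrust
#   fixed-version  : version 8.20.0 or later
#   other-backend  : no OpenSSL-based TLS library reported on the line
curl_exposure() {
  version=$(printf '%s\n' "$1" | awk '{ print $2 }')
  # Token boundaries: "OpenSSL/3.5.0", "LibreSSL/3.3.6", or bare "BoringSSL"
  if ! printf '%s\n' "$1" | grep -Eq '(^| )(OpenSSL|LibreSSL|BoringSSL)(/| |$)'; then
    echo other-backend
  elif version_lt "$version" "$FIXED_VERSION"; then
    echo check-sectrust
  else
    echo fixed-version
  fi
}

# Constructed sample line; on a real host use: curl_exposure "$(curl -V | head -n 1)"
curl_exposure "curl 8.19.0 (arm64-apple-darwin24.0) libcurl/8.19.0 OpenSSL/3.5.0 zlib/1.3.1"
```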

Added: May 13, 2026, 4:21 PM
Updated: May 13, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.