
Cloud Vulnerability DB
A community-led vulnerabilities database
libcurl, when built to use mbedTLS, contained a vulnerability (CVE-2024-2466) where it failed to verify server certificates for TLS connections made to hosts specified as IP addresses. The vulnerability affects versions 8.5.0 to 8.6.0 and impacts all TLS-based protocols, including HTTPS, FTPS, IMAPS, POP3S, and SMTPS. The flaw was reported on March 14, 2024, and was fixed with the release of curl 8.7.0 on March 27, 2024 (Curl Advisory).
The vulnerability occurs because libcurl wrongly skipped the mbedTLS set-hostname call when the host was given as an IP address, with the result that certificate verification was skipped entirely. Because the SNI field is also left unset when the host is an IP address, many such requests fail to reach the intended endpoint or to receive the expected data. The flaw is similar to an earlier curl vulnerability, CVE-2016-3739. The issue has been assigned CWE-297: Improper Validation of Certificate with Host Mismatch, with a CVSS 3.1 Base Score of 6.5 (Medium) (NVD, Curl Advisory).
The vulnerability could allow addition or modification of data on affected systems. The impact is somewhat lessened because, with the SNI field missing, many requests never reach the correct endpoint. Additionally, not all versions of mbedTLS support server certificate checks for IP addresses, so once this issue is fixed, attempts to connect directly to an IP address over TLS may fail on those mbedTLS versions (Curl Advisory, NetApp Advisory).
Three recommended actions are provided in order of preference: 1) Upgrade curl and libcurl to version 8.7.0 or later, 2) Apply the patch to your version and rebuild, or 3) Build libcurl with another TLS backend. The vulnerability was fixed in curl 8.7.0, released on March 27, 2024 (Curl Advisory).
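To help decide whether a given build needs one of the actions above, the following added check (not part of the advisory or of curl's own code) parses the first line of `curl --version` and reports whether the build is a libcurl 8.5.0 to 8.6.0 build using the mbedTLS backend. The sample banner lines are constructed; the banner format assumed is the usual `curl X.Y.Z (...) libcurl/X.Y.Z <backend>/<ver> ...`.

```python
import re
import subprocess

# Affected range from the advisory: libcurl 8.5.0 through 8.6.0 when built with mbedTLS.
AFFECTED_MIN = (8, 5, 0)
AFFECTED_MAX = (8, 6, 0)

# Constructed sample banners (first line of `curl --version`), not real captures.
SAMPLE_VULNERABLE = "curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 mbedTLS/3.5.2 zlib/1.3 libpsl/0.21.2"
SAMPLE_FIXED = "curl 8.7.0 (x86_64-pc-linux-gnu) libcurl/8.7.0 mbedTLS/3.5.2 zlib/1.3"
SAMPLE_OTHER_BACKEND = "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3"


def parse_libcurl_version(banner: str) -> tuple:
    """Return the libcurl version as an (major, minor, patch) tuple from a banner line."""
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no libcurl/X.Y.Z token in banner: %r" % banner)
    return tuple(int(part) for part in m.groups())


def uses_mbedtls(banner: str) -> bool:
    """True if mbedTLS is listed as a TLS backend in the banner."""
    return re.search(r"\bmbedTLS/", banner, re.IGNORECASE) is not None


def is_affected(banner: str) -> bool:
    """CVE-2024-2466 applies only to 8.5.0..8.6.0 builds that use mbedTLS.

    Note: a MultiSSL build lists several backends; here any listed mbedTLS
    counts as affected, which errs on the side of flagging the build.
    """
    version = parse_libcurl_version(banner)
    return uses_mbedtls(banner) and AFFECTED_MIN <= version <= AFFECTED_MAX


def check_installed(curl_path: str = "curl") -> bool:
    """Run the local curl binary and evaluate its banner."""
    out = subprocess.run([curl_path, "--version"], capture_output=True, text=True, check=True).stdout
    return is_affected(out.splitlines()[0])


if __name__ == "__main__":
    for name, banner in [("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED),
                         ("other backend", SAMPLE_OTHER_BACKEND)]:
        print("%-14s affected=%s" % (name, is_affected(banner)))
```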
Source: This report was generated using AI