CVE-2014-1263 : curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl

curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

Published 2014-02-27 01:55:04

Updated 2025-04-12 10:46:41

Source Apple Inc.

View at NVD, CVE.org

Products affected by CVE-2014-1263

Apple » Mac Os X
Versions up to, including, (<=) 10.9.1
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
Matching versions
Apple » Mac Os X » Version: 10.9
cpe:2.3:o:apple:mac_os_x:10.9:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2014-1263

Top countries where our scanners detected CVE-2014-1263

Top open port discovered on systems with this issue 548

IPs affected by CVE-2014-1263 114

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2014-1263!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2014-1263

EPSS FAQ

5.85%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 90 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-1263

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2014-1263

CWE-310

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-1263

https://gist.github.com/rmoriz/fb2b0a6a0ce10550ab73

gist:fb2b0a6a0ce10550ab73 · GitHub
Exploit
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

Enterprise Chef 11.1.3 Release - Chef Blog

CVEs referencing this url
http://twitter.com/okoeroo/statuses/437272014043496449

Oscar Koeroo on Twitter: "Link to curl code: https://t.co/Bz3f52KgjB and SSLSetPeerDomainName() only allows an FQDN: https://t.co/8KO7DmayCT"
Exploit
http://secunia.com/advisories/57968

Sign in

CVEs referencing this url
http://twitter.com/agl__/statuses/437029812046422016

Adam Langley on Twitter: "So curl on the OS X command line will accept https://IP without correct checks, but I must be missing something if this is a big problem."
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/

Chef Server 11.0.12 Release - Chef Blog

CVEs referencing this url
http://secunia.com/advisories/57836

Sign in

CVEs referencing this url
http://support.apple.com/kb/HT6150

About the security content of OS X Mavericks v10.9.2 and Security Update 2014-001 - Apple Support
Vendor Advisory

CVEs referencing this url
http://secunia.com/advisories/57966

Sign in

CVEs referencing this url
http://curl.haxx.se/docs/adv_20140326C.html

curl - not verifying certs for TLS to IP address / Darwinssl - CVE-2014-1263
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/

Enterprise Chef 1.4.9 Release - Chef Blog

CVEs referencing this url