{“lastseen”:”2025-10-09T06:25:44″,”description”:”## Summary:\\nWhen libcurl is built with USE_APPLE_SECTRUST and runs on Apple OS versions that lack SecTrustEvaluateWithError (macOS \\u003c10.14 \/ iOS \\u003c12), the legacy verification path miscompares OSStatus to SecTrustResultType and never checks the SecTrust result. This can cause untrusted certificates to be accepted.\\n\\n[Statement clarifying if an AI was used to find the issue or generate the report]\\nThis report was prepared with assistance from an AI code analysis tool; the core diagnosis and scope were validated by a combination of classical software, manual inspection of the code, and AI.\\n\\n## Affected version\\nReproduced on current master (as of 2025\u201110\u201107). Affects builds that enable `USE_APPLE_SECTRUST` and run on macOS \\u003c10.14 \/ iOS \\u003c12. The defect is in `lib\/vtls\/apple.c` and is independent of the TLS backend choice (it is reached via OpenSSL or GnuTLS when the native CA store is used).\\n\\n## Steps To Reproduce:\\n\\n### Code Verification (Any modern macOS):\\n\\n1. Inspect the vulnerable code in `lib\/vtls\/apple.c` lines 263-275\\n2. Observe the type confusion: `status` (OSStatus) is compared to `kSecTrustResultType` enum values\\n3. Create test program demonstrating the logic bug (see verification artifacts)\\n4. Create untrusted certificate and verify system curl rejects it\\n\\n### Runtime Exploitation (Requires macOS \\u003c10.14 or iOS \\u003c12):\\n\\n**Note:** This requires an actual legacy system. Building with \\n`-DCMAKE_OSX_DEPLOYMENT_TARGET=10.13` on modern macOS will NOT trigger \\nthe bug at runtime due to `__builtin_available` checks.\\n\\n1. On a system running macOS 10.13.6 (High Sierra) or earlier, build curl:\\n “`\\n cmake -DUSE_APPLE_SECTRUST=ON -DCURL_USE_OPENSSL=ON \\\\\\n -DCMAKE_BUILD_TYPE=Release ..\\n “`\\n\\n2. Create untrusted certificates (as described)\\n\\n3. Start test server: `openssl s_server -accept 8443 -www -key leaf.key -cert leaf.pem`\\n\\n4. Test: `.\/src\/curl -v https:\/\/localhost:8443\/`\\n – **Expected secure behavior:** Connection rejected\\n – **Actual buggy behavior:** Connection succeeds\\n\\n### Alternative Verification Without Legacy Hardware:\\n\\nSince the bug is a clear logic error (comparing wrong variable), it can be \\nconfirmed through:\\n- Static code analysis (lines 270-271 compare `status` instead of `sec_result`)\\n- Logic demonstration (status=0 never equals kSecTrustResultUnspecified=4)\\n- The fact that `result` remains `CURLE_OK` when the conditions fail\\n\\n## Supporting Material\/References:\\n\\nProblematic code (legacy fallback uses SecTrustEvaluate; compares `status` to SecTrustResultType instead of checking `sec_result`):\\n\\n“`263:275:lib\/vtls\/apple.c\\n#ifndef REQUIRES_SecTrustEvaluateWithError\\nSecTrustResultType sec_result;\\nstatus = SecTrustEvaluate(trust, \\u0026sec_result);\\n\\nif(status != noErr) {\\n failf(data, \\”Apple SecTrust verification failed: error %i\\”, (int)status);\\n}\\nelse if((status == kSecTrustResultUnspecified) ||\\n (status == kSecTrustResultProceed)) {\\n \/* \\”unspecified\\” means system-trusted with no explicit user setting *\/\\n result = CURLE_OK;\\n}\\n#endif \/* REQUIRES_SecTrustEvaluateWithError *\/\\n“`\\n\\nCorrect modern code path (only available on 10.14+\/iOS 12+):\\n“`238:240:lib\/vtls\/apple.c\\nresult = SecTrustEvaluateWithError(trust, \\u0026error) ?\\n CURLE_OK : CURLE_PEER_FAILED_VERIFICATION;\\n“`\\n\\nBehavioral gates where Apple SecTrust verification is invoked:\\n- OpenSSL:\\n“`5165:5177:lib\/vtls\/openssl.c\\nif(!verified \\u0026\\u0026\\n conn_config-\\u003everifypeer \\u0026\\u0026 ssl_config-\\u003enative_ca_store \\u0026\\u0026\\n (ossl_verify == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {\\n result = ossl_apple_verify(…, \\u0026verified);\\n …\\n}\\n“`\\n- GnuTLS:\\n“`1666:1676:lib\/vtls\/gtls.c\\nif(!verified \\u0026\\u0026 ssl_config-\\u003enative_ca_store \\u0026\\u0026\\n (verify_status \\u0026 GNUTLS_CERT_SIGNER_NOT_FOUND)) {\\n result = glts_apple_verify(…, \\u0026verified);\\n …\\n}\\n“`\\n“`\\n\\n## Impact\\n\\n## Summary:\\nOn affected configurations (USE_APPLE_SECTRUST builds running on pre\u201110.14 Apple OS with native CA verification engaged), an attacker can bypass TLS certificate validation. This enables Man\u2011in\u2011the\u2011Middle interception, compromising confidentiality and integrity of HTTPS and other TLS\u2011protected transfers.\\n\\nScope caveats:\\n- Feature is compile\u2011time gated (`USE_APPLE_SECTRUST`) and off by default in CMake.\\n- Runtime reachability depends on backend conditions (OpenSSL \u201cunable to get local issuer certificate\u201d or GnuTLS \u201csigner not found\u201d).\\n- The bug only affects older Apple OS versions that lack `SecTrustEvaluateWithError`; modern Apple OS uses the correct code path.”,”published”:”2025-10-07T15:37:19″,”modified”:”2025-10-09T06:22:03″,”type”:”hackerone”,”title”:”curl: Apple SecTrust legacy path accepts untrusted certificates on pre-10.14 macOS\/iOS when built with USE_APPLE_SECTRUST”,”source”:””,”references”:””,”id”:”H1:3374554″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3374554″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-09T06:25:44″,”description”:”## Summary:\\nWhen libcurl is built with USE_APPLE_SECTRUST and runs on Apple OS versions that lack SecTrustEvaluateWithError (macOS \\u003c10.14 \/ iOS \\u003c12), the legacy verification path…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-20778","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n