On October 5, 2023 [3] [4] [5], Daniel Stenberg [1] [3] [4], the maintainer and original author of curl [1], issued an advisory regarding two security vulnerabilities found in the curl library. This article provides a detailed description of the vulnerabilities and offers recommendations for organizations to mitigate the risks.

Description

The first vulnerability [1], classified as high severity [2], has been described as “probably the worst curl security flaw in a long time.” It affects libcurl and may require careful attention. Docker [2], a containerization platform, has issued an advisory to assist customers in identifying if they are using the curl library as a dependency in their container images [2].

The second vulnerability [1], tracked as CVE-2023-38546 [2] [3] [4], will also be disclosed on October 11, 2023 [5]. Both vulnerabilities will be fixed in the upcoming release [3] [4], curl version 8.4.0 [1] [2] [3] [4] [5].

The exact circumstances that trigger these vulnerabilities are still unknown [5], making it challenging to determine the specific user base at risk [5]. However, organizations are advised to take this issue seriously as threat actors may attempt to exploit them [1].

To assess their exposure [1], organizations should inventory and scan their systems for curl and libcurl to identify potentially vulnerable versions [3] [4]. Integrating software composition analysis (SCA) tools into the software development life cycle is recommended for a thorough evaluation of exposure to the curl vulnerabilities; a quick evaluation can, however, be done without SCA tools. Organizations should also monitor for exploit attempts and exercise caution when obtaining patches and fixed versions of curl [1]. They should be prepared to patch their systems as soon as the new version of curl, 8.4.0, is released on October 11 [1] [2] [3] [4].
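A quick, SCA-free check of the kind described above, as an added example that is not from the article or the curl project: it locates the curl binaries on a host, reads the libcurl version each one reports, and compares it numerically with the fixed release 8.4.0. The version-line format parsed and the sample versions in the comments are assumptions; run the script with --scan to inventory the current host.

```shell
#!/bin/sh
# Added example, not code from the article or the curl project: an SCA-free
# inventory of curl/libcurl versions on a host, compared with the fixed
# release named in the advisory (8.4.0). Run with --scan to inventory this host.

FIXED_VERSION="8.4.0"

# Normalise "8.1.2", "7.88.1" or "8.4.0-DEV" to three numeric fields
# "major minor patch", padding absent fields with 0.
version_fields() {
    printf '%s.0.0\n' "$(printf '%s' "$1" | sed 's/[^0-9.].*//')" |
        { IFS=. read -r a b c _; printf '%s %s %s\n' "${a:-0}" "${b:-0}" "${c:-0}"; }
}

# Succeed (exit 0) when version $1 is at least version $2. Fields are
# compared as numbers, so 8.10.x correctly ranks above 8.4.0.
version_ge() {
    set -- $(version_fields "$1") $(version_fields "$2")
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return $?; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return $?; fi
    [ "$3" -ge "$6" ]
}

# Pull the libcurl version out of the first line of "curl --version", e.g.
# "curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2 ..." -> 8.1.2
libcurl_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# Print FIXED when the version is at least 8.4.0, otherwise NEEDS-UPDATE.
classify_version() {
    if version_ge "$1" "$FIXED_VERSION"; then echo FIXED; else echo NEEDS-UPDATE; fi
}

# Every executable named curl on PATH (subshell so IFS is not changed globally).
find_curl_binaries() (
    IFS=:
    for d in $PATH; do [ -x "$d/curl" ] && printf '%s\n' "$d/curl"; done | sort -u
)

# Report each curl binary with the libcurl version it links and its status.
scan_host() {
    for bin in $(find_curl_binaries); do
        ver=$(libcurl_version_from_line "$("$bin" --version 2>/dev/null | head -n 1)")
        printf '%s\tlibcurl %s\t%s\n' "$bin" "${ver:-unknown}" "$(classify_version "${ver:-0}")"
    done
}

if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

Statically linked or vendored copies of libcurl inside application bundles and container images are not found this way; those still need the package-level or SCA inventory the text recommends.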

Conclusion

Organizations should monitor their package provider for updates and follow any patching advice provided. As more details about the vulnerability become available [1], Synopsys will provide additional information and patching advice [1]. It is crucial for organizations to address these vulnerabilities promptly to mitigate potential risks and ensure the security of their systems.

References

[1] https://www.synopsys.com/blogs/software-security/critical-libcurl-curl-vulnerabilities.html
[2] https://www.bankinfosecurity.com/curl-maintainers-fixing-worst-curl-security-flaw-a-23269
[3] https://devel.group/blog/security-patch-for-two-new-flaws-in-curl-library-arriving-on-october-11/
[4] https://thehackernews.com/2023/10/security-patch-for-two-new-flaws-in.html
[5] https://www.exploitone.com/cyber-security/this-curl-vulnerability-that-will-affect-every-server-in-the-world/