On October 11, 2023 [1] [2], the curl project released version 8.4.0 of the curl utility and the libcurl library [2], addressing a high-severity vulnerability [2]. This vulnerability, identified as CVE-2023-38545 [5] [6], is a heap-based buffer overflow that occurs during the SOCKS5 proxy handshake when curl is configured to forward the hostname to the proxy for address resolution.

Description

If the hostname exceeds 255 bytes [3] [4] [8], a bug causes the entire excessively long hostname to be copied to the target buffer instead of just the resolved address [8], resulting in a heap buffer overflow [8]. Exploiting this vulnerability beyond a Denial-of-Service attack may be challenging [8], and there are currently no known Remote Code Execution exploits available [8]. The likelihood of malicious exploitation in the wild is considered relatively low at this time [8].

However, since the vulnerability resides in a library [8], various applications utilizing libcurl could be affected [8]. The buffer size in libcurl’s heap-based download buffer is typically 16kB but can be changed by the application [5]. The curl tool is not vulnerable by default [5], as it sets the buffer size to 100kB [5], unless rate limiting is set to a smaller value [5].

The vulnerability can be triggered by a slow SOCKS5 handshake and a client using a hostname longer than the download buffer [5]. The vulnerability can be exploited through the use of certain options and environment variables in libcurl and the curl tool [5]. This issue was introduced during the conversion of the SOCKS5 handshake code [5].

In addition, another vulnerability [1] [2] [3] [4] [5] [6] [7] [8], identified as CVE-2023-38546 [5] [6], allows for cookie injection in libcurl versions 7.9.1 to 8.3.0 [1]. Both vulnerabilities have been patched in version 8.4.0 of libcurl [1]. The severity of these flaws is considered high [5]. The project’s lead developer [1], Daniel Stenberg [1], acknowledges their severity but states that porting Curl to a memory-safe language is not currently planned [1]. There are no known workarounds for these vulnerabilities [2].

The maintainers of curl have disclosed a high-severity vulnerability in libcurl versions 7.69.0 up to and including 8.3.0 [7]. This vulnerability is a heap-based buffer overflow in the handling of hostnames sent to SOCKS5 proxies via the command-line flag [7]. Exploitation requires the attacker to control a malicious server [7], curl to use a SOCKS5 proxy in proxy-resolver mode [7], and curl to be configured to automatically follow redirects [7]. Applications using libcurl without setting CURLOPT_BUFFERSIZE, or setting it smaller than 65541, are vulnerable [7]. However, since curl sets CURLOPT_BUFFERSIZE to 100kB by default [7], it is not vulnerable in its default state [7]. The vulnerability is not expected to be widely exploited due to modern memory protections and the need for attackers to find a vulnerable attack surface [7]. It may pose a bigger problem for security devices and appliances using curl [7]. Additionally, curl's presence on most Linux systems means it could be used for privilege escalation in certain attack chains [7].

CVE-2023-38545 is a buffer overflow vulnerability that affects both libcurl and the curl command line tool [3]. It occurs during a SOCKS5 handshake and can lead to crashes [3], data corruption [3], and arbitrary code execution [3] [6]. This vulnerability only impacts applications using the SOCKS internet protocol [3]. The issue has been addressed in curl version 8.4.0 [3], which returns an error when a hostname exceeds 255 bytes [3]. Teams are urged to upgrade immediately or implement workarounds if upgrading is not possible [3].
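As an added illustration of the check described above (this is example code written for this article, not curl's own source), the following builds a SOCKS5 CONNECT request in the RFC 1928 domain-name form and refuses, as version 8.4.0 does, any hostname longer than 255 bytes instead of copying it into the buffer; the `SAFE_BUFFER_SIZE` check reflects the 65541-byte CURLOPT_BUFFERSIZE threshold quoted earlier. Function names and the sample hostnames are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SOCKS5_MAX_HOSTNAME 255   /* ATYP=0x03 carries a one-byte length field */
#define SAFE_BUFFER_SIZE 65541    /* CURLOPT_BUFFERSIZE below this was exposed (see [7]) */

enum socks5_result {
    SOCKS5_OK = 0,
    SOCKS5_HOST_TOO_LONG = 1,    /* cannot be resolved remotely: fail, do not copy */
    SOCKS5_BUFFER_TOO_SMALL = 2  /* caller's buffer cannot hold the request */
};

/* Layout: VER(0x05) CMD(0x01 CONNECT) RSV(0x00) ATYP(0x03) LEN HOST PORT(2 bytes, big-endian) */
enum socks5_result socks5_build_connect(const char *host, uint16_t port,
                                        uint8_t *out, size_t outcap, size_t *outlen)
{
    size_t hlen = strlen(host);
    if (hlen > SOCKS5_MAX_HOSTNAME)
        return SOCKS5_HOST_TOO_LONG;          /* the 8.4.0 behaviour: error, not overflow */
    size_t need = 4 + 1 + hlen + 2;
    if (outcap < need)
        return SOCKS5_BUFFER_TOO_SMALL;       /* never write past the destination buffer */
    out[0] = 0x05; out[1] = 0x01; out[2] = 0x00; out[3] = 0x03;
    out[4] = (uint8_t)hlen;
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);
    out[6 + hlen] = (uint8_t)(port & 0xff);
    *outlen = need;
    return SOCKS5_OK;
}

/* Returns 1 if an application's libcurl buffer size leaves it exposed pre-8.4.0. */
int libcurl_buffersize_exposed(long buffersize) { return buffersize < SAFE_BUFFER_SIZE; }

/* Self-checks on constructed inputs (hostnames are made up for the example). */
int check_short_host(void) {
    uint8_t buf[300]; size_t n;
    return socks5_build_connect("example.com", 443, buf, sizeof buf, &n) == SOCKS5_OK
        && n == 18 && buf[4] == 11 && buf[16] == 0x01 && buf[17] == 0xBB;
}
int check_long_host(void) {
    char longhost[301]; uint8_t buf[300]; size_t n;
    memset(longhost, 'a', 300); longhost[300] = '\0';      /* 300-byte hostname */
    return socks5_build_connect(longhost, 80, buf, sizeof buf, &n) == SOCKS5_HOST_TOO_LONG;
}
int main(void) {
    printf("short host ok=%d, long host rejected=%d, 16kB exposed=%d, 100kB exposed=%d\n",
           check_short_host(), check_long_host(),
           libcurl_buffersize_exposed(16384), libcurl_buffersize_exposed(102400));
    return 0;
}
```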

Conclusion

Although this vulnerability is rated as high [6], the likelihood of widespread exploitation is considered low due to the limited number of cloud workloads meeting the necessary conditions [6]. It is crucial for affected users to update to version 8.4.0 of libcurl or implement appropriate mitigations to protect against potential attacks. The lead developer's decision not to port curl to a memory-safe language may have implications for future vulnerabilities and security measures.

References

[1] https://thehackernews.com/2023/10/two-high-risk-security-flaws-discovered.html
[2] https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-curl-libcurl-D9ds39cV.html
[3] https://www.synopsys.com/blogs/software-security/curl-libcurl-vulnerabilities-response.html
[4] https://www.helpnetsecurity.com/2023/10/11/cve-2023-38545-socks5/
[5] https://curl.se/docs/CVE-2023-38545.html
[6] https://www.lacework.com/blog/understanding-the-latest-curl-vulnerabilities-cve-2023-38545-and-cve-2023-38546/
[7] https://www.intruder.io/blog/curl-high-rated-cve-2023-38545
[8] https://www.wiz.io/blog/cve-2023-38545-curl-vulnerability