A critical vulnerability in the cURL data transfer project has been identified, posing a significant risk to countless enterprise operating systems, applications, and devices. The flaw pertains specifically to the SOCKS5 proxy handshake process in cURL and can be exploited remotely under some non-standard configurations.
The vulnerability, designated as CVE-2023-38545, is present in the libcurl library, which is responsible for data exchange between devices and servers. The issue arises when cURL is instructed to pass the hostname to the SOCKS5 proxy for address resolution. If the hostname exceeds 255 bytes, cURL switches to local name resolution and passes only the resolved address to the proxy. However, a bug can cause the local variable that indicates 'let the host resolve the name' to get the incorrect value during a slow SOCKS5 handshake, so the overly long hostname is copied into the target buffer instead of just the resolved address.
The bug was unintentionally introduced during coding work on cURL's SOCKS5 support in February 2020. An attacker controlling an HTTPS server that a libcurl-using client accesses over a SOCKS5 proxy can trigger a heap buffer overflow under certain conditions by returning a manipulated redirect to the application via an HTTP 30x response. The issue is considered the most severe security problem found in libcurl for some time.
The vulnerability was reported through the HackerOne platform by Jay Satiro, who received $4,600, the largest cURL bug bounty to date. The affected versions of libcurl range from 7.69.0 to 8.3.0. The issue has been resolved in cURL 8.4.0.
cURL, which offers both a library (libcurl) and a command-line tool (curl) for data transfer with URL syntax, supports numerous network protocols, including SSL, TLS, HTTP, FTP, and SMTP. Earlier this week, a pre-patch advisory was released, urging organizations to urgently inventory and scan all systems using curl and libcurl and prepare to apply the patches in cURL 8.4.0.
The vulnerability could potentially impact all projects that rely on libcurl, although some software may use it in a way that does not allow exploitation. Updating the shared libcurl library should suffice to fix this issue on all operating systems.
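To support the inventory step the advisory calls for, here is an added helper (not code from the cURL project or this article) that pulls the `libcurl/x.y.z` token out of `curl --version` output and flags versions in the affected 7.69.0 to 8.3.0 range; the sample output strings are constructed. A hit means the vulnerable code is present, not that the host is exploitable, since that also requires SOCKS5 proxying with remote name resolution.

```python
"""Inventory check for CVE-2023-38545 (libcurl SOCKS5 heap overflow)."""
import re
import subprocess
from typing import Optional, Tuple

# Affected range from the advisory: 7.69.0 up to and including 8.3.0,
# fixed in 8.4.0. Comparing tuples avoids lexical pitfalls like "7.9" > "7.69".
AFFECTED_MIN = (7, 69, 0)
FIXED_IN = (8, 4, 0)

# Match the library token, not the tool version: the bug lives in libcurl
# and a curl binary can be linked against a different libcurl release.
_LIBCURL_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")


def parse_libcurl_version(version_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `curl --version` text, or None."""
    m = _LIBCURL_RE.search(version_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for 7.69.0 <= version < 8.4.0, i.e. 7.69.0 through 8.3.0."""
    return AFFECTED_MIN <= version < FIXED_IN


def check_local_curl() -> Optional[bool]:
    """Classify the curl on PATH; None if it is missing or unparsable."""
    try:
        proc = subprocess.run(["curl", "--version"], capture_output=True,
                              text=True, check=False)
    except OSError:
        return None
    v = parse_libcurl_version(proc.stdout)
    return None if v is None else is_affected(v)


if __name__ == "__main__":
    # Constructed sample lines in the `curl --version` format, not real scan data.
    samples = [
        "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.11",
        "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f",
        "curl 8.4.0 (aarch64-apple-darwin23.0) libcurl/8.4.0 SecureTransport",
    ]
    for line in samples:
        v = parse_libcurl_version(line)
        print(f"libcurl {v}: {'AFFECTED' if v and is_affected(v) else 'not affected'}")
    print("local curl affected:", check_local_curl())
```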