High-Severity curl Vulnerability Not as Threatening as Initially Feared

October 12, 2023

The release of curl 8.4.0 has addressed a high-severity security vulnerability (CVE-2023-38546), allaying fears about the flaw's potential impact. curl, a command line utility that facilitates data transfer across various protocols, is commonly used to connect to websites. The associated libcurl library allows developers to integrate curl into their applications for easy file transfer support.

On October 4th, curl developer Daniel Stenberg announced that the development cycle for curl 8.4.0 would be expedited to address a security vulnerability. He described it as the worst curl security flaw in a long time. "We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW," Stenberg said. "The one rated HIGH is probably the worst curl security flaw in a long time."

This announcement caused widespread concern, given that curl and libcurl are used in many applications and are bundled with almost all operating systems. This raised fears about a potentially broad impact and risk to numerous devices.

Stenberg released curl 8.4.0 on Wednesday, which included fixes for two security vulnerabilities: a high-severity heap buffer overflow bug (CVE-2023-38545) and a low-severity cookie injection flaw (CVE-2023-38546). The high-severity flaw is a heap buffer overflow in curl’s SOCKS5 proxy protocol implementation. "In association with the release of curl 8.4.0, we publish a security advisory and all the details for CVE-2023-38545," Stenberg explained. "This problem is the worst security problem found in curl in a long time. We set it to severity HIGH."

A heap buffer overflow bug occurs when a program mistakenly allows more data to be written to an allocated memory region than it can hold. This can result in the corruption of data, application crashes, and potentially, remote code execution. However, the specific requirements to exploit this vulnerability make it less dangerous than initially feared. It requires the curl client to be configured to use a SOCKS5 proxy when making connections to a remote site, automatic redirections to be enabled, and a slow SOCKS5 connection to the remote site.

To exploit this flaw, an attacker could create a website that redirects a visitor to a very long hostname, which would trigger the heap buffer overflow bug and crash the program. But, the proof-of-concept exploits only cause curl to crash, resulting in a denial of service attack rather than to code execution. As most people using curl are not connecting through SOCKS5, the bug would not affect them.

The CVE-2023-38545 vulnerability could potentially target cybersecurity researchers and developers, as they often use SOCKS5 proxies to request APIs. Matthew Hickey, co-founder of Hacker House and a security researcher, told that it's common for cybersecurity researchers and developers to use SOCKS5 proxies for security testing, debugging, or other technical work. "It requires the use of a socks5 proxy to be enabled by the curl user, this is actually quite common when people request API's for security testing, debugging, or other technical work - it is also common when probing Tor services using tools like curl as it typically requires a socks5 proxy to perform the request," Hickey said.

Despite the complexity of the bug and the effort required to weaponize it, Hickey recommends users upgrade to the new version to patch the flaws for safety. As more researchers analyze the bug, it's possible that more sophisticated exploits could be developed leading to code execution.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.