CVE-2023-38545 Curl Vulnerability Details Finally Released

This blog post details the critical vulnerability in Curl

On October 5, 2023, we released a blog post discussing the Curl Vulnerability, the critical security issue in Curl and libcurl fixed in version 8.4.0 and known as CVE-2023-38545. In addition, there was another, low-severity vulnerability, CVE-2023-38546. Both were scheduled to be disclosed on October 11, creating significant anticipation.

Now, that long-awaited date has arrived, bringing with it detailed information about the vulnerabilities, along with the release of the necessary patches. We hope that each of you has taken the time to identify any vulnerable components within your environment. If you have, it’s time to take action and apply the patches for the Curl vulnerability.

CVE-2023-38545

As outlined in Daniel Stenberg’s blog post that delves into the discovery of this CVE, the commit responsible for introducing the vulnerability first shipped in version 7.69.0, which was released on February 14, 2020.

Curl has supported SOCKS5 since August 2002. SOCKS5 is a proxy protocol that sets up a network connection through a dedicated “middle man”.

The vulnerability arises from a flaw in a function where a boolean variable, socks5_resolve_local, is initialised from the proxy mode. This variable dictates whether the host name should be resolved by the proxy or locally. When a long host name is encountered in SOCKS5, the code mistakenly switches to local resolution mode, even if the user requested remote resolution.

The issue occurs because the function is called repeatedly, and on each call socks5_resolve_local is reset to its original value derived from the proxy mode, discarding the switch made because of the long host name. The code therefore wrongly concludes that the proxy should resolve the name remotely and copies the excessively long name into a memory buffer, which can overflow. The buffer’s size depends on the user’s settings, and if it is set smaller than 65,541 bytes, overflow is possible.

Exploit

To exploit this vulnerability, a malicious actor must supply an unusually long host name. The name needs to be longer than the target buffer size to trigger a heap memory overwrite. Additionally, the host name must consist of specific byte values accepted by the parser. In an attack scenario, an attacker controlling an HTTPS server accessed via a SOCKS5 proxy can send a specially crafted redirect response. If the client using libcurl has automatic redirect-following enabled and the SOCKS5 proxy is slow enough to trigger the local variable bug, it can lead to a heap buffer overflow.

CVE-2023-38546

This CVE, which was also fixed in Curl 8.4.0, was introduced in version 7.9.1 and received a low severity rating because attackers are unlikely to take advantage of the flaw.

If certain conditions are met, an attacker can insert cookies at will into a running program that uses libcurl.

Recommendations

Initial Assessment:

First and foremost, if you have not yet assessed your systems for potentially affected components, it’s crucial to do so now. As noted in our earlier blog post, conventional scanners may fail to identify these CVEs because vulnerability metadata is not yet available (still the case as of October 11th). However, if you maintain a Software Bill of Materials (SBOM), you can search it for occurrences of Curl and libcurl.

Remediation Steps:

To address these vulnerabilities, promptly patch your systems by upgrading to curl version 8.4.0 or a later release. You can obtain the official update via the following link.

Mitigation Steps:

Where applying a patch is not feasible, ensure that you do not use CURLPROXY_SOCKS5_HOSTNAME proxies with curl and do not set a proxy environment variable to socks5h://.
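The assessment and mitigation checks above, as an added example that is not part of the original post or of the curl project: it flags a curl version inside the ranges the post gives for each CVE (introduced in 7.69.0 and 7.9.1 respectively, both fixed in 8.4.0) and reports any proxy environment variable set to socks5h://. The function names, the sample banner and the sample environment are constructed for illustration; a CURLPROXY_SOCKS5_HOSTNAME proxy configured inside an application rather than via the environment will not be visible to this check.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Boundaries as stated in the post: CVE-2023-38545 entered in 7.69.0,
# CVE-2023-38546 in 7.9.1, both fixed in 8.4.0. Ranges are [introduced, fixed).
AFFECTED_RANGES: Dict[str, Tuple[Version, Version]] = {
    "CVE-2023-38545": ((7, 69, 0), (8, 4, 0)),
    "CVE-2023-38546": ((7, 9, 1), (8, 4, 0)),
}

# Proxy variables curl honours, in both spellings.
PROXY_ENV_VARS = ("ALL_PROXY", "all_proxy", "HTTPS_PROXY", "https_proxy",
                  "HTTP_PROXY", "http_proxy")


def parse_curl_version(banner: str) -> Version:
    """Pull the version triple out of the first line of `curl --version` output."""
    m = re.match(r"curl\s+(\d+)\.(\d+)\.(\d+)", banner.strip())
    if not m:
        raise ValueError(f"unrecognised curl banner: {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_cves(version: Version) -> List[str]:
    """Return the CVEs whose [introduced, fixed) range contains this version."""
    return [cve for cve, (lo, hi) in AFFECTED_RANGES.items() if lo <= version < hi]


def socks5h_proxy_vars(env: Dict[str, str]) -> Dict[str, str]:
    """Return proxy variables that hand name resolution to the proxy (socks5h://)."""
    hits = {}
    for name in PROXY_ENV_VARS:
        value = env.get(name, "")
        if value.lower().startswith("socks5h://"):
            hits[name] = value
    return hits


def assess(banner: str, env: Dict[str, str]) -> Dict[str, object]:
    """Combine the version check and the proxy check into one verdict for a host."""
    version = parse_curl_version(banner)
    cves = affected_cves(version)
    proxies = socks5h_proxy_vars(env)
    return {
        "version": ".".join(map(str, version)),
        "cves": cves,
        "patch_required": bool(cves),
        "socks5h_proxy_vars": proxies,
        # The interim mitigation only matters while CVE-2023-38545 is present.
        "mitigation_needed": "CVE-2023-38545" in cves and bool(proxies),
    }


if __name__ == "__main__":
    # Constructed sample banner and environment, not taken from a real host.
    sample_banner = "curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2"
    sample_env = {"ALL_PROXY": "socks5h://proxy.internal.example:1080"}
    print(assess(sample_banner, sample_env))
```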

Ofri Ouzan is a security researcher with Rezilion.
