curl 8.4.0 has been released to patch and release details on a hyped up high-severity security vulnerability (CVE-2023-38545), easing week-long concerns regarding the flaw’s severity.
curl is a command line utility that allows you to transfer data over various protocols, most commonly used to connect to websites. An associated libcurl library enables developers to incorporate curl into their applications for easy file transfer support.
On October 4th, curl developer Daniel Stenberg warned that the development cycle for curl 8.4.0 would be cut short, and the new version would be released on October 11th to resolve a vulnerability, warning its the worst curl security flaw seen in a long time.
"We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW," explained Stenberg.
"The one rated HIGH is probably the worst curl security flaw in a long time."
As curl and libcurl are widely used in many libraries and applications and are bundled with almost every operating system, this announcement resulted in many articles and posts to social media about the concern that it would have a broad impact and put a lot of devices at risk.
Not as bad as we feared
On Wednesday, Stenberg released curl 8.4.0 with fixes for two security vulnerabilities: a high-severity heap buffer overflow bug (CVE-2023-38545) and a low-severity cookie injection flaw (CVE-2023-38546).
The flaw that Stenberg provided advanced warning of is the high-severity heap buffer overflow in curl’s SOCKS5 proxy protocol implementation.
"In association with the release of curl 8.4.0, we publish a security advisory and all the details for CVE-2023-38545," explained Stenberg.
"This problem is the worst security problem found in curl in a long time. We set it to severity HIGH."
A heap buffer overflow bug is when a program mistakenly allows more data to be written to an allocated memory region than it can hold. This causes the inputted data to overwrite other memory regions and corrupt data, leading to application crashes and, potentially, remote code execution.
While the flaw does have the potential to impact curl users, the requirements to exploit the vulnerability make it far less dangerous than initially expected, as it requires that the curl client be configured to use a SOCKS5 proxy when making connections to a remote site and for automatic redirections to be enabled.
Furthermore, there is also timing requirement to successfully exploit the flaw, requiring a slow SOCKS5 connection to the remote site.
"If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes," explains a RedHat advisory on the flaw.
"If the hostname is longer, then Curl switches to the local name resolving and passes the resolved address only to the proxy."
"The local variable that instructs Curl to 'let the host resolve the name' could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior."
To exploit this flaw, an attacker could create a website that redirects a visitor to a very long hostname (think thousands of characters), which will cause the inputted data to trigger the heap buffer overflow bug and crash the program.
While fairly easy to exploit, researchers have told BleepingComputer that the existing proof-of-concept exploits only cause curl to crash, leading to a denial of service attack rather than to code execution.
Furthermore, as most people using curl are not connecting through SOCKS5, the bug would not affect them.
Good targets for the bug
One group of people that the CVE-2023-38545 vulnerability may be useful in targeting is cybersecurity researchers and developers.
Hacker House co-founder and security researcher Matthew Hickey (aka hackerfantastic) told BleepingComputer that it's common for cybersecurity researchers and developers to use SOCKS5 proxies to request APIs.
"It requires the use of a socks5 proxy to be enabled by the curl user, this is actually quite common when people request API's for security testing, debugging, or other technical work - it is also common when probing Tor services using tools like curl as it typically requires a socks5 proxy to perform the request," Hickey told BleepingComputer in a conversation.
"Likewise, the bad characters requirement is not much of an issue as the vulnerability can be triggered by a HTTP 302 response, that means the attacker is fully in control of the characters they provide and does not need to be as crafty or clever with the delivery as others imply."
While Hickey believes this is a complex bug that will require time and effort to properly weaponize, he recommends that users upgrade to the new version to patch the flaws to be safe.
Furthermore, as more researchers carefully analyze the bug, it is possible for more sophisticated exploits to be developed that lead to code execution.
.jpg)
Comments
h_b_s - 6 months ago
"Furthermore, as most people using curl are not connecting through SOCKS5, the bug would not affect them."
Citation needed. While I agree the details around the steps needed to exploit the bug make the reveal anti-climatic, I don't think anyone has accurate numbers on how many organizations and how many users those organizations represent use either curl-the-tool or libcurl with a sock5 proxy. Proxy configurations are common in organizations that require traffic inspection for information security purposes (egress and ingress). This includes large enterprises, small businesses handling confidential data, governments, and NGOs. And what a lot of people don't realize: nearly every malware scanner appliance includes and requires some form of proxy, and at least some of them are going to be a socks type. I think it's just more common that the configuration changes needed to curl-the-tool make it far less likely it's going to be exploited, while 3rd party programs using libcurl are more likely to be problems as probably most of them are obscure black boxes with unknown configurations that may be exploitable by default.
So yeah, anti-climatic reveal, but definitely not a nothing-burger.