curl and libcurl vulnerabilities (CVE-2023-38545, CVE-2023-38546)

October 11, 2023

THE THREAT

On October 11, 2023, Daniel Stenberg, in association with the release of curl 8.4.0, disclosed a significant security flaw, CVE-2023-38545, concerning a heap overflow vulnerability in curl. This vulnerability is considered to be of high severity.

The vulnerability stems from curl's support for the SOCKS5 proxy protocol. A specific function within curl, designed to connect to a SOCKS5 proxy, was converted from a blocking call into a non-blocking state machine in early 2020. This change inadvertently introduced the vulnerability, which allows for a potential heap buffer overflow if certain conditions are met.

Per the report, exploitation requires that all of the following conditions be met:

  1. The request is made via socks5h.
  2. The state machine's negotiation buffer is smaller than ~65k.
  3. The SOCKS server's "hello" reply is delayed.
  4. The attacker sets a final destination hostname larger than the negotiation buffer.

In a likely exploitation scenario, an attacker with control of an HTTPS server could trigger the heap overflow by convincing the target to visit a crafted URL using a vulnerable version of curl or libcurl with the appropriate parameters. Although these constraints reduce the risk of widespread exploitation, timely patching is still advised due to the popularity of curl and possible alternative exploitation methods.

Another vulnerability, CVE-2023-38546, was also disclosed, which allows an attacker to insert cookies into a running program using libcurl under specific conditions. This flaw is rated as Low severity due to the specific conditions required for exploitation.

The curl platform is extensively utilized across various organizations and applications. Given its widespread adoption, it's crucial for users and administrators to be vigilant and ensure that necessary security measures are in place.

What we’re doing about it

What you should do about it

Additional information

The vulnerabilities, tracked under the identifiers CVE-2023-38545 and CVE-2023-38546, were disclosed publicly for the curl and libcurl projects on October 11, 2023. The SOCKS5 heap buffer overflow vulnerability was rated High severity and impacts both the curl tool and libcurl, while the cookie injection flaw was rated Low and only impacts libcurl. Both vulnerabilities were addressed with the release of curl 8.4.0.

The curl command line tool and the curl library, commonly referred to as libcurl, have been foundational components for network operations since their inception. Over the years, they have been integrated into countless applications, ranging from command-line tools to sophisticated software systems. Given this widespread use, vulnerabilities in libcurl have the potential to impact a vast number of applications and systems.

The SOCKS5 heap buffer overflow vulnerability arose from a flaw in the SOCKS5 proxy handshake process. When curl was instructed to delegate hostname resolution to the SOCKS5 proxy, a bug could cause it to incorrectly copy an overly long hostname to the target buffer, leading to potential security risks. This vulnerability was inadvertently introduced when the SOCKS5 handshake code transitioned from a blocking function to a non-blocking state machine.

The curl advisory states “If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means ‘let the host resolve the name’ could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.”
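The following is an added example, not curl's own code: a deliberately simplified C model of the bug class the advisory describes, in which a non-blocking handshake is re-entered once per network event and a "resolve the name locally" decision that lives only in a local variable is lost when the proxy's "hello" reply is delayed. The state names, the 600-byte negotiation buffer and the 'a'-filled hostname are constructed for the demonstration; the hardened variant simply persists the decision with the connection and bounds-checks the copy.

```c
/* Added example: a simplified model of the CVE-2023-38545 bug class, not curl's own
 * code. A non-blocking handshake is re-entered once per network event, so a decision
 * held only in a local variable is lost whenever the proxy's "hello" reply is slow. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define SOCKS5_MAX_NAME 255   /* SOCKS5 stores the hostname length in one byte */
#define NEGOTIATE_BUF   600   /* constructed: a small negotiation buffer */

enum state  { ST_INIT, ST_WAIT_HELLO };
enum result { RES_PENDING, RES_SENT_ADDR, RES_SENT_NAME, RES_OVERFLOW };
/* The hardened variant keeps the resolve-locally decision with the connection. */
struct conn { enum state st; bool resolve_local; uint8_t buf[NEGOTIATE_BUF]; };

/* One entry into the state machine. With `vulnerable` the flag is only a local that
 * is recomputed to its default on every entry; otherwise it is restored from `c`. */
static enum result socks5_step(struct conn *c, const char *host, bool hello_arrived, bool vulnerable)
{
    bool resolve_local = false;   /* default: let the proxy resolve the name */
    size_t hostlen = strlen(host);
    if (c->st == ST_INIT) {
        resolve_local = hostlen > SOCKS5_MAX_NAME;   /* too long: resolve locally */
        if (!vulnerable) c->resolve_local = resolve_local;
        c->st = ST_WAIT_HELLO;
    }
    if (!hello_arrived) return RES_PENDING;          /* slow proxy: come back later */
    if (!vulnerable) resolve_local = c->resolve_local;
    if (resolve_local) {          /* send only a (constructed) resolved IPv4 address */
        memcpy(c->buf, "\x05\x01\x00\x01\x7f\x00\x00\x01", 8);
        return RES_SENT_ADDR;
    }
    if (5 + hostlen > sizeof(c->buf))   /* bounds check: report rather than corrupt */
        return RES_OVERFLOW;
    c->buf[0] = 5; c->buf[1] = 1; c->buf[2] = 0; c->buf[3] = 3; c->buf[4] = (uint8_t)hostlen;
    memcpy(c->buf + 5, host, hostlen);
    return RES_SENT_NAME;
}

/* Drive a handshake to completion; `slow_hello` models a delayed proxy reply. */
enum result socks5_handshake(const char *host, bool slow_hello, bool vulnerable)
{
    struct conn c = { .st = ST_INIT };
    enum result r = socks5_step(&c, host, !slow_hello, vulnerable);
    return r == RES_PENDING ? socks5_step(&c, host, true, vulnerable) : r;
}

/* Constructed hostname of n 'a' characters, for demonstration only. */
const char *constructed_host(size_t n)
{
    static char h[4096];
    if (n >= sizeof h) n = sizeof h - 1;
    memset(h, 'a', n); h[n] = '\0';
    return h;
}
```

With a fast proxy the vulnerable path still behaves correctly, which is why the delayed "hello" is one of the listed preconditions; only the slow path combined with a hostname longer than the negotiation buffer reaches the overflow.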

On the other hand, the cookie injection vulnerability allowed attackers to inject cookies into a running program using libcurl under specific conditions. When duplicating an "easy handle" using the curl_easy_duphandle function, if the original handle had cookies enabled, the duplicated handle would inherit the cookie-enabled state but not the actual cookies, leading to potential security risks.

While there is no confirmed real-world exploitation of these vulnerabilities at this time, the disclosure of such flaws in a widely used library like libcurl is concerning. The combination of the technical details provided in the advisories, along with the attention these vulnerabilities have garnered, suggests that threat actors might explore potential exploitation avenues in the future.

Given the critical nature of the SOCKS5 vulnerability and the potential impact of the cookie injection flaw, organizations and developers using libcurl are strongly advised to update to the latest version or apply the recommended patches to mitigate the risks associated with these vulnerabilities.

References:

[1] https://www.helpnetsecurity.com/2023/10/10/curl-vulnerabilities-cve-2023-38545/
[2] https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
[3] https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/
[4] https://curl.se/docs/CVE-2023-38545.html
[5] https://curl.se/docs/CVE-2023-38546.html