Image Source: JFrog Security Research

Recent patches have been issued to address two significant vulnerabilities in the Curl data transfer library. These flaws pose a considerable risk, especially one that could potentially lead to remote code execution, drawing the attention of cybersecurity professionals and business owners alike.

The vulnerabilities include CVE-2023-38545, which has a CVSS score of 7.5 and represents a heap-based buffer overflow related to the SOCKS5 proxy, and CVE-2023-38546, with a lower CVSS score of 5.0, which allows for cookie injection under specific conditions. The first vulnerability is particularly alarming, as it has been characterized by Curl’s lead developer, Daniel Stenberg, as possibly the most severe security flaw in Curl’s history. It impacts versions of libcurl from 7.69.0 up to and including 8.3.0.

The maintainers' advisory explains that the flaw sits in the SOCKS5 proxy handshake. When Curl is asked to hand the hostname to the proxy for resolution, the handshake limits that hostname to a maximum of 255 bytes. If a longer hostname is encountered, Curl is meant to fall back to resolving the name locally. Because of a bug in that switching logic, however, it can instead copy the overlong hostname into the buffer reserved for the resolved address, overflowing it.
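The 255-byte limit comes from the SOCKS5 wire format: a domain-name destination (ATYP 0x03) is prefixed by a single length byte, so a proxy-resolved hostname can never exceed 255 bytes. The snippet below is an added illustration written for this article, not curl's own code, and models the hardened behaviour the fix restores: a connect request builder that checks the hostname length before any copy and reports an error instead of silently changing resolution mode. The function names, the `socks5_result` enum and the `written` out-parameter are my own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustration only, not libcurl code. RFC 1928 encodes a domain-name
 * destination as: VER CMD RSV ATYP LEN NAME[LEN] PORT(2 bytes, big-endian).
 * LEN is one byte, which is where the 255-byte cap on hostnames comes from. */
#define SOCKS5_MAX_NAME 255

enum socks5_result {
    SOCKS5_OK = 0,
    SOCKS5_NAME_TOO_LONG = -1,    /* refuse rather than fall through to a copy */
    SOCKS5_BUFFER_TOO_SMALL = -2  /* caller's output buffer cannot hold the request */
};

/* Builds a SOCKS5 CONNECT request for host:port into out[0..outlen).
 * Returns SOCKS5_OK and sets *written, or a negative socks5_result.
 * Both the 255-byte protocol limit and the caller's buffer size are
 * validated before memcpy runs, so an overlong name can never overflow. */
int socks5_build_connect(const char *host, uint16_t port,
                         uint8_t *out, size_t outlen, size_t *written)
{
    size_t hlen = strlen(host);
    if (hlen == 0 || hlen > SOCKS5_MAX_NAME)
        return SOCKS5_NAME_TOO_LONG;

    size_t need = 4 + 1 + hlen + 2;   /* header + LEN + NAME + PORT */
    if (outlen < need)
        return SOCKS5_BUFFER_TOO_SMALL;

    out[0] = 0x05;               /* VER: SOCKS5 */
    out[1] = 0x01;               /* CMD: CONNECT */
    out[2] = 0x00;               /* RSV */
    out[3] = 0x03;               /* ATYP: domain name */
    out[4] = (uint8_t)hlen;      /* LEN: fits because hlen <= 255 */
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);
    out[6 + hlen] = (uint8_t)(port & 0xff);
    *written = need;
    return SOCKS5_OK;
}

int main(void)
{
    uint8_t buf[512];
    size_t n = 0;
    int rc = socks5_build_connect("example.com", 443, buf, sizeof buf, &n);
    printf("example.com -> rc=%d, %zu bytes, LEN byte=%u\n", rc, n, buf[4]);

    /* Constructed 256-byte hostname: one byte over the protocol limit. */
    char longname[257];
    memset(longname, 'a', 256);
    longname[256] = '\0';
    rc = socks5_build_connect(longname, 80, buf, sizeof buf, &n);
    printf("256-byte name -> rc=%d (expected %d)\n", rc, SOCKS5_NAME_TOO_LONG);
    return 0;
}
```

The defensive point is that the length decision and the copy are made in the same place, on the same value; the bug described above arose because the "resolve locally" decision and the copy into the address buffer were made at different points in a multi-step handshake.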

Exploitation of this vulnerability could potentially proceed without a denial-of-service step, notably via a malicious HTTPS server that redirects the client to a specially crafted URL. Given how ubiquitous Curl is across applications and services, the likelihood of exploitation for remote code execution has grown. For an attack to succeed, however, the overlong hostname must reach Curl while it is connecting through a SOCKS5 proxy, a precondition that narrows the set of exposed deployments.

The second vulnerability (CVE-2023-38546) allows an attacker to insert cookies into applications using libcurl under certain conditions, affecting versions 7.9.1 through 8.3.0. Both issues were patched in Curl 8.4.0, released on October 11, 2023. The update stops Curl from switching to local resolve mode when it encounters an excessively long hostname, removing the path to the heap-based buffer overflow.
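Because the two advisories give different affected ranges (7.69.0 to 8.3.0 for CVE-2023-38545, 7.9.1 to 8.3.0 for CVE-2023-38546), a quick inventory check is useful. The helper below is an added example, not curl's code: it extracts the `libcurl/X.Y.Z` token from the first line of `curl --version` output, parses the three-part version and tests it against the ranges stated above. The sample banner line is constructed for the test; real output will carry additional feature and library tokens that the parser ignores.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added helper, not part of curl. Version ranges are the ones the
 * advisories state; the fixed release 8.4.0 falls outside both. */
struct curl_ver { int major, minor, patch; };

static int parse_ver(const char *s, struct curl_ver *v)
{
    /* Accepts "8.3.0" and also "8.3.0-DEV"; the suffix is ignored. */
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) == 3;
}

static int ver_cmp(struct curl_ver a, struct curl_ver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* 1 if lo <= s <= hi (inclusive), 0 otherwise or if anything fails to parse. */
static int in_range(const char *s, const char *lo, const char *hi)
{
    struct curl_ver v, l, h;
    if (!parse_ver(s, &v) || !parse_ver(lo, &l) || !parse_ver(hi, &h))
        return 0;
    return ver_cmp(v, l) >= 0 && ver_cmp(v, h) <= 0;
}

int affected_cve_2023_38545(const char *ver) { return in_range(ver, "7.69.0", "8.3.0"); }
int affected_cve_2023_38546(const char *ver) { return in_range(ver, "7.9.1",  "8.3.0"); }

/* Pulls the digits-and-dots after "libcurl/" out of a `curl --version`
 * banner line into out; returns 1 on success, 0 if the token is absent. */
int libcurl_version_from_banner(const char *banner, char *out, size_t outlen)
{
    const char *p = strstr(banner, "libcurl/");
    if (!p) return 0;
    p += strlen("libcurl/");
    size_t n = 0;
    while (p[n] && (isdigit((unsigned char)p[n]) || p[n] == '.'))
        n++;
    if (n == 0 || n + 1 > outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample of a `curl --version` first line. */
    const char *banner =
        "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.13";
    char ver[32];
    if (!libcurl_version_from_banner(banner, ver, sizeof ver)) {
        puts("no libcurl token found");
        return 1;
    }
    printf("libcurl %s: CVE-2023-38545 %s, CVE-2023-38546 %s\n", ver,
           affected_cve_2023_38545(ver) ? "affected" : "not affected",
           affected_cve_2023_38546(ver) ? "affected" : "not affected");
    return 0;
}
```

Note that the check is version-based only; a distribution that backports the 8.4.0 fix into an older package version will still report as affected here, so confirm against the vendor's advisory for such builds.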

The team behind Curl noted that flaws of this kind would have been unlikely to occur had the library been written in a memory-safe programming language, yet moving Curl to such a language remains off the table for the foreseeable future.

For those in the U.S. technology sector, these vulnerabilities underscore how the threat landscape reaches even the most foundational tools in software development. The tactics and techniques used in attacks leveraging these flaws may map to MITRE ATT&CK tactics such as Initial Access and Execution. As businesses continue to rely heavily on services that use Curl, awareness of these updates and prompt deployment of them are essential for safeguarding sensitive data and operations.