Critical information regarding the release of Curl version 8.4.0 on October 11, 2023. This release addresses two vulnerabilities, one rated HIGH (CVE-2023-38545) and one rated LOW (CVE-2023-38546); one of them is a zero-day vulnerability actively exploited in the wild.
Curl, a versatile open-source command-line tool and library, facilitates data transfers over various protocols. Its widespread adoption in software projects makes it a crucial component for seamless communication between applications and servers.
Curl's popularity is underscored by its:
Command-Line Simplicity: Making it favored among developers and system administrators.
Wide Protocol Support: Versatility across various protocols, including HTTP, HTTPS, FTP, and more.
Cross-Platform Compatibility: Availability on Unix-based systems (Linux, macOS), Windows, and others.
Library Integration: Integration capabilities into applications through the libcurl library.
Active Community Support: Backed by an active community and the Curl project, led by Daniel Stenberg.
Well-Documented Resources: Providing comprehensive documentation and resources catering to users of all experience levels.
Zero-day vulnerabilities are flaws that attackers actively exploit before the software vendor becomes aware of them or has a chance to fix them. Responding promptly is paramount in such cases to mitigate the risk.
On October 4, 2023, Daniel Stenberg, a key maintainer of Curl, announced the upcoming release of version 8.4.0, scheduled for October 11, 2023. This release addresses two vulnerabilities, classified as low and high severity, affecting different parts of Curl.
A heap-based buffer overflow in the SOCKS5 proxy handshake can be triggered by an attacker. If Curl cannot resolve the address itself, it passes the hostname to the SOCKS5 proxy for resolution. If that hostname is longer than 255 bytes, a slow SOCKS5 handshake can cause Curl to copy the over-long hostname into the target buffer instead of the resolved address, overflowing the heap buffer.
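To make the failure mode concrete, the following is an added, constructed C model of the bug class (not curl's code): a "resolve locally" decision held in a local variable is lost when a slow handshake forces the state machine to return and be re-entered, so the over-long name is copied instead of the resolved address. The `fixed` flag models the 8.4.0 behaviour of rejecting hostnames too long for remote resolution; the hostname is represented by its length only, and the step names and buffer sizes are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the handshake bug described above; not curl's code.
 * The destination hostname is represented by its length only. */
#define SOCKS5_MAX_HOSTNAME 255   /* SOCKS5 domain-name field has a 1-byte length */

enum step { STEP_START, STEP_WAIT_GREETING, STEP_SEND_REQUEST };

struct sx {                 /* per-connection state that survives re-entry */
    enum step step;
    bool proxy_resolves;    /* configuration: ask the proxy to resolve names */
};

/* One pass of the state machine. Returns the number of hostname bytes that
 * would be copied into the request's 255-byte name field, -1 if the proxy has
 * not answered yet (call again), or -2 if the name is rejected. 'fixed'
 * selects the 8.4.0-style behaviour: reject names too long to resolve remotely. */
static int socks5_step(struct sx *sx, size_t hlen, bool slow, bool fixed)
{
    bool resolve_local = !sx->proxy_resolves;  /* local: recomputed on every call */

    if (sx->step == STEP_START) {
        if (!resolve_local && hlen > SOCKS5_MAX_HOSTNAME) {
            if (fixed)
                return -2;           /* hardened: refuse instead of switching silently */
            resolve_local = true;    /* buggy: the override lives only in this call */
        }
        if (slow) {                  /* greeting not in yet: park and wait */
            sx->step = STEP_WAIT_GREETING;
            return -1;
        }
        sx->step = STEP_SEND_REQUEST;
    }
    if (sx->step == STEP_WAIT_GREETING)
        sx->step = STEP_SEND_REQUEST; /* greeting arrived, but resolve_local was lost */
    return resolve_local ? 4 : (int)hlen;  /* 4 = IPv4 address; > 255 = overflow */
}

/* Drive a fresh connection to completion. A result above 255 means the copy
 * would overrun the fixed-size name field. */
int run_handshake(size_t hlen, bool slow, bool fixed)
{
    struct sx sx = { STEP_START, true };
    int r;
    while ((r = socks5_step(&sx, hlen, slow, fixed)) == -1)
        ;                   /* in real code: return to the event loop, re-enter later */
    return r;
}
```

With a 300-byte name, the fast path yields a 4-byte resolved address, the slow path yields a 300-byte copy into a 255-byte field, and the fixed path rejects the name before anything is copied.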
In light of the vulnerabilities identified, we strongly recommend the following actions:
Branch Protection: Implement branch protection mechanisms in your environments to ensure secure code deployment.
Encryption Checks: Regularly check for encryption misconfigurations in your environment, since misconfigurations could expose vulnerabilities.
These recommendations are essential to secure your systems from potential threats. Ensure your teams are informed and take necessary actions promptly upon the release of Curl 8.4.0.
Thank you for your attention and commitment to the security of our systems. For any questions or assistance, our support team is here for you.