Stay Proactive, Stay Secure

Critical information regarding the important release of Curl version 8.4.0, released on October 11, 2023. This release addresses two vulnerabilities, one rated HIGH (CVE-2023-38545) and another rated LOW (CVE-2023-38546), one of which is a zero-day vulnerability actively exploited in the wild.

Understanding Curl:

Curl, a versatile open-source command-line tool and library, facilitates data transfers over various protocols. Its widespread adoption in software projects makes it a crucial component for seamless communication between applications and servers.

Popularity and Usage of Curl:

Curl's popularity is underscored by its:

‍Command-Line Simplicity: Making it favored among developers and system administrators.

Wide Protocol Support: Versatility across various protocols, including HTTP, HTTPS, FTP, and more.

Cross-Platform Compatibility: Availability on Unix-based systems (Linux, macOS), Windows, and others.

Library Integration: Integration capabilities into applications through the libcurl library.

Active Community Support: Backed by an active community and led by the Curl project, led by Daniel Stenberg.

Well-Documented Resources: Providing comprehensive documentation and resources catering to users of all experience levels.

Zero-Day Vulnerabilities:

Zero-day vulnerabilities refer to flaws actively exploited by attackers before the software vendor becomes aware or has a chance to fix them. The urgency to respond promptly is paramount in such cases to mitigate potential risks.

The Upcoming Release: Curl 8.4.0

On October 4th, 2023, Daniel Stenberg, a key maintainer of Curl, announced the upcoming release of version 8.4.0, scheduled for October 11th, 2023. This release addresses two vulnerabilities, classified with low and high severity, impacting different aspects of Curl.

Vulnerability Details:

• CVE-2023-38545: Severity HIGH

• Affects both libcurl and the curl tool.

• CVE-2023-38546: Severity LOW

• Affects libcurl only, not the tool.

Description of the Heap-Based Buffer Overflow Flaw:

A heap-based buffer overflow flaw in the SOCKS5 proxy handshake allows attackers to exploit Curl. If Curl cannot resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, if the hostname exceeds 255 bytes, a slow SOCKS5 handshake could lead to unintended behavior, with the too-long hostname being copied to the target buffer instead of the resolved address.

What is the impact of this vulnerability?

• Access Level: Exploiting the cURL vulnerability can lead to remote code execution (RCE). An attacker, under specific conditions, may gain a considerable level of access to a system.
• Access to Sensitive Information: The heap overflow vulnerability (CVE-2023-38545) can be exploited for denial of service (DoS) and potentially remote code execution. While RCE hasn't been confirmed, the severity suggests that sensitive information might be at risk.
• Denial of Service (DoS): Proof-of-Concepts demonstrating denial of service have been published. The heap overflow vulnerability could potentially be exploited to carry out a DoS attack.

What is the Likelihood and what can I do to reduce it?

• Update cURL: The highest-impact task recommended is to update cURL and libcurl via system package managers. This immediate patching will significantly reduce the exposed attack surface.
• Dependency Audit: Perform a dependency audit to identify libraries using libcurl and understand how they link to it. This step will help in ensuring a comprehensive update.
• Mitigation Without Upgrading: It is possible to mitigate CVE-2023-38545 without upgrading by forcing cURL to use local hostname resolving when connecting to a SOCKS5 proxy. This provides an alternative solution for environments facing challenges in immediate updates.

Security Measures Beyond Direct Vulnerability Mitigation:

Branch Protection: Implement branch protection mechanisms in environments to ensure secure code deployment.

Encryption Checks: Regularly check for encryption misconfigurations in the environment, as misconfigurations could potentially expose vulnerabilities.

Recommendations for the Upcoming Release:

In light of the vulnerabilities identified, we strongly recommend the following actions:

• Upgrade curl to version 8.4.0: Upgrade to version 8.4.0 immediately upon release to benefit from crucial security fixes.
• If you are unable to upgrade and will continue to work with the current (affected) version, you can still minimize the impact by doing the following: 

• Apply the patch to your local version: If immediate upgrade is not feasible, apply the provided patch to mitigate risks until a full upgrade can be implemented.
• Do not use CURLPROXY_SOCKS5_HOSTNAME proxies with curl: Refrain from using CURLPROXY_SOCKS5_HOSTNAME proxies to avoid potential security risks associated with a heap-based buffer overflow flaw in the SOCKS5 proxy handshake.
• Do not set a proxy environment variable to socks5h://: As an additional precaution, avoid setting a proxy environment variable to socks5h:// to further reduce the risk of exploitation.

These recommendations are essential to secure your systems from potential threats. Ensure your teams are informed and take necessary actions promptly upon the release of Curl 8.4.0.

Thank you for your attention and commitment to the security of our systems. For any questions or assistance, our support team is here for you.

‍