
cURL Vulnerability (CVE-2023-38545 and CVE-2023-38546)

Advisory

12 October 2023

 

Background

cURL, powered by libcurl, is a popular command-line tool for transferring data specified with URL syntax. It supports a wide range of protocols, such as FTP(S), HTTP(S), IMAP(S), LDAP(S), MQTT, POP3, RTMP(S), SCP, SFTP, SMB(S), SMTP(S), TELNET, WS, and WSS. Almost every internet-connected device uses cURL or libcurl, directly or indirectly. This includes almost all Linux-based and other operating systems, servers, printers, Android devices, cars, smart devices, all IoT devices, etc.

The curl project has recently released curl v8.4.0, which fixes two vulnerabilities:

  • CVE-2023-38545, a high severity flaw that affects both the libcurl library and the curl tool. This flaw causes curl to overflow a heap-based buffer during the SOCKS5 proxy handshake.
  • CVE-2023-38546, a low severity bug that only affects libcurl. This flaw allows an attacker to insert cookies at will into a running program using libcurl, if a specific series of conditions is met.

 

Impact

  • Could help attackers identify the root cause and exploit the vulnerability.
  • Attackers may integrate such vulnerabilities into automated tools, malware, and bots, enabling automatic exploitation across various systems and applications.

 

Affected Systems

  • Affected versions for CVE-2023-38545: libcurl 7.69.0 up to and including 8.3.0
  • Affected versions for CVE-2023-38546: libcurl 7.9.1 up to and including 8.3.0

 

Recommendations

  • Upgrade cURL to the latest version 8.4.0 to safeguard against potential exploits.
  • Apply the patch to your local version.
  • Organizations need to promptly take action by conducting inventory checks, scanning, and updating all systems that rely on curl and libcurl.
  • Do not use CURLPROXY_SOCKS5_HOSTNAME proxies with curl.
  • Do not set a proxy environment variable to socks5h://
  • Install a reliable antivirus or anti-malware on your device and update it frequently.
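
A host check for the inventory step and the socks5h:// recommendation above, added here as an example (it is not code from the curl project or from this advisory's author). The function names are this example's own, and the proxy variable names checked are the ones curl reads from the environment.

```shell
#!/bin/sh
# Added example: flag libcurl versions inside the advisory's affected ranges
# and proxy environment variables that point at a socks5h:// proxy.

# "8.3.0" -> 8003000 so versions compare as integers; suffixes like -DEV are dropped.
ver_num() (
  v=${1%%[!0-9.]*}
  IFS=.; set -- $v
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# Print the CVEs from this advisory whose affected range contains version $1.
affected_cves() (
  v=$(ver_num "$1"); out=""
  if [ "$v" -ge "$(ver_num 7.69.0)" ] && [ "$v" -le "$(ver_num 8.3.0)" ]; then
    out="CVE-2023-38545"
  fi
  if [ "$v" -ge "$(ver_num 7.9.1)" ] && [ "$v" -le "$(ver_num 8.3.0)" ]; then
    out="$out CVE-2023-38546"
  fi
  echo $out
)

# Print the names of proxy variables whose value starts with socks5h://.
socks5h_proxy_vars() (
  found=""
  for name in http_proxy https_proxy HTTPS_PROXY all_proxy ALL_PROXY; do
    eval "val=\${$name:-}"
    case $val in [Ss][Oo][Cc][Kk][Ss]5[Hh]://*) found="$found $name" ;; esac
  done
  echo $found
)

# Report on the curl binary found in PATH and on the current environment.
audit_host() {
  if command -v curl >/dev/null 2>&1; then
    # The first line of `curl --version` names the linked library as libcurl/X.Y.Z.
    ver=$(curl --version 2>/dev/null | sed -n '1s/.*libcurl\/\([0-9.]*\).*/\1/p')
    cves=$(affected_cves "$ver")
    echo "libcurl ${ver:-unknown}: ${cves:-not in the affected ranges}"
  else
    echo "curl not found in PATH"
  fi
  vars=$(socks5h_proxy_vars)
  [ -z "$vars" ] || echo "socks5h:// proxy configured in: $vars"
  return 0
}

audit_host
```

Distribution packages may carry a backported fix under an older version number, so confirm flagged hosts against the vendor's own advisory. The script only sees the curl in PATH; applications that bundle their own libcurl need a separate inventory.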

 
