The developers of the curl open-source software tool and library have released patches for two vulnerabilities in the widely used command-line tool. One of the flaws is rated high severity and could potentially be exploited by rogue servers to execute malicious code on systems that access them with curl under certain conditions.
Curl, which is short for “client for URL,” is a cross-platform and portable command-line tool designed to transfer data or files to and from URLs. Dating back 27 years, it supports many internet communication protocols and technologies, including DICT, FTP, FTPS, Gopher, HTTP 1/2/3, HTTP proxy tunneling, HTTPS, IMAP, Kerberos, LDAP, MQTT, POP3, RTSP, RTMP, SCP, SMTP, and SMB. In addition to the command-line tool, curl also provides a library called libcurl that many other applications integrate to benefit from the same functionality.
Daniel Stenberg, the maintainer of curl, announced last week that an important security patch would be released on October 11 to fix “probably the worst curl security flaw in a long time.” The flaw, tracked as CVE-2023-38545, is a heap buffer overflow that affects curl versions 7.69.0 to 8.3.0 and was patched in version 8.4.0, released Wednesday.
The second flaw, CVE-2023-38546, affects only libcurl and allows arbitrary cookie injection into a program that uses libcurl. However, the issue is considered low severity.
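A triage check for the version range the article gives (7.69.0 through 8.3.0 affected, 8.4.0 fixed), written as an added example rather than anything from the curl project: it parses the first line of `curl --version`, which reports both the tool version and the libcurl it links, and flags builds still inside the unpatched range. The sample version lines are constructed, not captured from a real host.

```python
import re
import subprocess

# Affected range as stated in the article: curl 7.69.0 through 8.3.0, fixed in 8.4.0.
AFFECTED_MIN = (7, 69, 0)
FIXED_IN = (8, 4, 0)

# First line of `curl --version` looks like:
#   curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.11 ...
# The tool and the libcurl it links can carry different versions.
_VERSION_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+).*?libcurl/(\d+)\.(\d+)\.(\d+)")


def parse_curl_version(first_line: str):
    """Return (tool_version, libcurl_version) tuples from the first `curl --version` line."""
    m = _VERSION_RE.match(first_line.strip())
    if not m:
        raise ValueError(f"unrecognised curl version line: {first_line!r}")
    nums = tuple(int(x) for x in m.groups())
    return nums[:3], nums[3:]


def is_affected(version: tuple) -> bool:
    """True if the version lies in the unpatched range [7.69.0, 8.4.0)."""
    return AFFECTED_MIN <= version < FIXED_IN


def assess(first_line: str) -> dict:
    """Classify a `curl --version` first line; both CVEs live in libcurl, which the tool links."""
    tool, lib = parse_curl_version(first_line)
    return {
        "tool": tool,
        "libcurl": lib,
        "affected": is_affected(lib),
        "version_mismatch": tool != lib,  # tool and library may have been updated independently
    }


def assess_local_curl() -> dict:
    """Run the locally installed curl and assess it (hypothetical helper for host inventory)."""
    out = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=True).stdout
    return assess(out.splitlines()[0])


if __name__ == "__main__":
    for line in [  # constructed sample lines
        "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11",
        "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.11",
        "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.11",
    ]:
        print(assess(line))
```

Distribution packages often backport the fix without changing the reported version, so treat a hit as a prompt to check the vendor advisory rather than as proof of exposure.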
Curl vulnerability resides in SOCKS5 proxy
A buffer overflow is a type of security vulnerability that occurs when a program writes data into an allocated memory buffer in a way that exceeds the size of the buffer, so the data spills into adjacent memory regions and overwrites whatever is stored there. Buffer overflows can at the very least result in application crashes (denial of service), but in many cases controlled exploitation can lead to arbitrary code execution.
That is also the case with CVE-2023-38545. While proof-of-concept exploits have only demonstrated denial of service so far, researchers believe it is only a matter of time until code execution is achieved. The good news is that only certain configurations of the tool are vulnerable, and they are not the default ones.