
Two High-Risk Security Flaws Discovered in Curl Library

Patches have been released for two security flaws affecting the Curl data transfer library, the more severe of which could potentially result in code execution.

The list of vulnerabilities is as follows:

  • CVE-2023-38545 (CVSS score: 7.5) – SOCKS5 heap-based buffer overflow vulnerability
  • CVE-2023-38546 (CVSS score: 5.0) – Cookie injection with none file

CVE-2023-38545 is the more severe of the two, and has been described by the project's lead developer, Daniel Stenberg, as "probably the worst Curl security flaw in a long time." It affects libcurl versions 7.69.0 up to and including 8.3.0.

"This flaw makes Curl overflow a heap-based buffer in the SOCKS5 proxy handshake," the maintainers said in an advisory. "When Curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by Curl itself, the maximum length that hostname can be is 255 bytes."


"If the hostname is detected to be longer than 255 bytes, Curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means 'let the host resolve the name' could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there."

Curl said the vulnerability could likely be exploited without the need for a denial-of-service attack, and that an overflow could be triggered by a malicious HTTPS server performing a redirect to a specially crafted URL.

"Seeing that Curl is a ubiquitous project, it can be assumed with high confidence that this vulnerability will get exploited in the wild for remote code execution, with more sophisticated exploits being developed," JFrog said. "However – the set of pre-conditions needed in order for a machine to be vulnerable is more restrictive than initially believed."


"A valid exploit would require an attacker to trigger code execution by, for example, passing a hostname to a web app that would trigger the code execution in Curl," said Johannes B. Ullrich, dean of research at the SANS Technology Institute. "Next, the exploit only exists if Curl is used to connect to a SOCKS5 proxy. This is another dependency, making exploitation less likely."

The second vulnerability, which affects libcurl versions 7.9.1 to 8.3.0, allows a bad actor to insert cookies at will into a running program using libcurl under specific conditions.

Patches for both flaws are available in version 8.4.0, released on October 11, 2023. Specifically, the update ensures that Curl no longer switches to local resolve mode if a hostname is too long, thereby mitigating the risk of heap-based buffer overflows.
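The 255-byte limit comes from the SOCKS5 wire format itself: the domain-name address type carries a single length octet. The following is an added illustration, not Curl's code, of a request builder that applies the hardened rule described above, refusing an over-long hostname outright rather than silently switching modes, so that no more than 255 bytes can ever be copied into the request buffer. Function and macro names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* SOCKS5 (RFC 1928) CONNECT request using ATYP 0x03 (domain name):
 *   VER(1) CMD(1) RSV(1) ATYP(1) LEN(1) NAME(LEN) PORT(2)
 * LEN is one octet, so the name can never exceed 255 bytes on the wire. */
#define SOCKS5_MAX_NAME 255
#define SOCKS5_REQ_MAX  (4 + 1 + SOCKS5_MAX_NAME + 2)

/* Builds the request into buf. Returns the number of bytes written, or 0 if
 * the hostname is empty or longer than 255 bytes, or buf is too small.
 * A too-long name is an error here, never a reason to fall back to local
 * resolution: the caller must not proceed with this proxy request. */
size_t socks5_build_connect(const char *hostname, uint16_t port,
                            uint8_t *buf, size_t buflen)
{
    size_t namelen = strlen(hostname);
    if (namelen == 0 || namelen > SOCKS5_MAX_NAME)
        return 0;                          /* refuse, do not truncate or switch modes */

    size_t need = 4 + 1 + namelen + 2;     /* header + LEN + name + port */
    if (buflen < need)
        return 0;                          /* destination buffer cannot hold it */

    buf[0] = 0x05;                         /* VER  = SOCKS5 */
    buf[1] = 0x01;                         /* CMD  = CONNECT */
    buf[2] = 0x00;                         /* RSV */
    buf[3] = 0x03;                         /* ATYP = DOMAINNAME */
    buf[4] = (uint8_t)namelen;             /* fits because namelen <= 255 */
    memcpy(buf + 5, hostname, namelen);    /* bounded by the check above */
    buf[5 + namelen] = (uint8_t)(port >> 8);
    buf[6 + namelen] = (uint8_t)(port & 0xff);
    return need;
}
```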

"This family of flaws would have been impossible if Curl had been written in a memory-safe language instead of C, but porting Curl to another language is not on the agenda," Stenberg added.
