The maintainers of the cURL data transfer project on Wednesday rolled out patches for a severe memory corruption vulnerability that exposes millions of enterprise operating systems, applications and devices to attack.
According to the project's advisory, which rates the issue high severity, the flaw sits in the SOCKS5 proxy handshake in cURL and can be exploited remotely, but only in a non-default configuration: the client must be using a SOCKS5 proxy and asking the proxy, rather than curl itself, to resolve hostnames.
The bug, tracked as CVE-2023-38545, lives in libcurl, the library that handles the actual data exchange between clients and servers.
From the advisory:
“When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes.
If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means “let the host resolve the name” could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.”
Swedish open source developer and curl maintainer Daniel Stenberg explained that the bug was introduced in February 2020 during work on cURL's SOCKS5 code, which is why the affected range starts at 7.69.0.
“An attacker that controls an HTTPS server that a libcurl using client accesses over a SOCKS5 proxy (using the proxy-resolver-mode) can make it return a crafted redirect to the application via a HTTP 30x response,” Stenberg explained, warning that when the redirect target carries an over-long hostname and the proxy handshake is slow, a heap buffer overflow is triggered.
“This problem is the worst security problem found in [libcurl] in a long time,” Stenberg said. The issue was reported via the HackerOne platform by Jay Satiro and paid out $4,600, the largest cURL bug bounty to date.
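The state-machine mistake the advisory describes, modelled as an added example in C. This is an illustration written for this article, not libcurl's socks.c: the "resolve locally" decision is held in a local variable that is recomputed on every call, so when the proxy is slow and the handshake resumes past its first step, the fallback chosen for an over-long hostname is forgotten and the full hostname is copied into the fixed request buffer. The 600-byte buffer size follows libcurl's SOCKS code; the step names, the placeholder IPv4 address, the constructed all-`a` hostnames and the `socks5_connect_case` driver are assumptions of the model, and the `memcpy` is clamped so the demo itself never corrupts memory (the returned length is what the real code would have written). The `fixed` flag reproduces the 8.4.0 behaviour of refusing the connection for hostnames over 255 bytes instead of falling back.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS_BUF_SIZE 600       /* request buffer size in libcurl's socks.c */
#define MAX_REMOTE_HOSTNAME 255  /* SOCKS5 stores the hostname length in one byte */
#define MAX_TEST_HOSTNAME 2000   /* cap for the constructed hostnames below (model only) */

enum socks_step { STEP_INIT, STEP_GREETING, STEP_REQUEST, STEP_DONE };
enum px_result { PX_OK = 0, PX_AGAIN = 1, PX_LONG_HOSTNAME = 2, PX_OVERFLOW = 3 };

struct socks_state {
    enum socks_step step;                 /* survives across calls */
    unsigned char buffer[SOCKS_BUF_SIZE]; /* the fixed-size target buffer */
    size_t req_len;                       /* bytes the CONNECT request needs */
};

/* Build the SOCKS5 CONNECT request (RFC 1928, section 4) and return the number
 * of bytes the real code would write. The memcpy is clamped so this model never
 * writes past buffer; the unclamped length is what overflows the heap in libcurl. */
static size_t build_request(struct socks_state *sx, bool resolve_local,
                            const char *hostname, size_t hostname_len, uint16_t port)
{
    unsigned char *p = sx->buffer;
    size_t len;

    p[0] = 0x05; p[1] = 0x01; p[2] = 0x00;        /* VER=5, CMD=CONNECT, RSV */
    if(resolve_local) {
        p[3] = 0x01;                              /* ATYP=IPv4, resolved by curl */
        p[4] = 192; p[5] = 0; p[6] = 2; p[7] = 1; /* placeholder address (TEST-NET-1) */
        len = 8;
    }
    else {
        size_t room = SOCKS_BUF_SIZE - 5;
        p[3] = 0x03;                              /* ATYP=domain name, proxy resolves */
        p[4] = (unsigned char)hostname_len;       /* silently truncated above 255 */
        memcpy(p + 5, hostname, hostname_len < room ? hostname_len : room);
        len = 5 + hostname_len;
    }
    if(len + 2 <= SOCKS_BUF_SIZE) {
        p[len] = (unsigned char)(port >> 8);
        p[len + 1] = (unsigned char)(port & 0xff);
    }
    return len + 2;
}

/* One pass through the simplified non-blocking state machine. socket_ready=false
 * models a slow proxy: the call returns PX_AGAIN and is repeated later, entering
 * the switch at the step it left off, which is the re-entry the advisory describes. */
static enum px_result socks5_step(struct socks_state *sx, bool fixed, bool proxy_resolves,
                                  const char *hostname, bool socket_ready)
{
    size_t hostname_len = strlen(hostname);
    /* The bug: the decision is a local, so every call starts from the default. */
    bool resolve_local = !proxy_resolves;

    switch(sx->step) {
    case STEP_INIT:
        if(!resolve_local && hostname_len > MAX_REMOTE_HOSTNAME) {
            if(fixed)
                return PX_LONG_HOSTNAME;  /* 8.4.0: refuse instead of falling back */
            resolve_local = true;         /* pre-8.4.0: fall back to local resolve, */
        }                                 /* but only for the rest of this call */
        sx->step = STEP_GREETING;
        /* fall through */
    case STEP_GREETING:
        if(!socket_ready)
            return PX_AGAIN;              /* come back later; resolve_local is lost */
        sx->step = STEP_REQUEST;
        /* fall through */
    case STEP_REQUEST:
        sx->req_len = build_request(sx, resolve_local, hostname, hostname_len, 443);
        sx->step = STEP_DONE;
        return sx->req_len > SOCKS_BUF_SIZE ? PX_OVERFLOW : PX_OK;
    default:
        return PX_OK;
    }
}

/* Drive one connect through a proxy that resolves names (socks5h://). The
 * hostname is a constructed string of hostname_len 'a' characters, standing in
 * for the attacker-chosen host in a crafted 30x Location header. */
enum px_result socks5_connect_case(bool fixed, size_t hostname_len, bool slow_proxy)
{
    static char hostname[MAX_TEST_HOSTNAME + 1];
    struct socks_state sx;
    enum px_result r;

    if(hostname_len > MAX_TEST_HOSTNAME)
        hostname_len = MAX_TEST_HOSTNAME;
    memset(hostname, 'a', hostname_len);
    hostname[hostname_len] = '\0';
    memset(&sx, 0, sizeof sx);            /* step starts at STEP_INIT */

    r = socks5_step(&sx, fixed, true, hostname, !slow_proxy);
    if(r == PX_AGAIN)                     /* proxy answered: resume past STEP_INIT */
        r = socks5_step(&sx, fixed, true, hostname, true);
    return r;
}

int main(void)
{
    static const char *names[] = { "OK", "AGAIN", "LONG_HOSTNAME", "OVERFLOW" };
    printf("pre-8.4.0, 1000-byte host, fast proxy: %s\n",
           names[socks5_connect_case(false, 1000, false)]);
    printf("pre-8.4.0, 1000-byte host, slow proxy: %s\n",
           names[socks5_connect_case(false, 1000, true)]);
    printf("8.4.0,     1000-byte host, slow proxy: %s\n",
           names[socks5_connect_case(true, 1000, true)]);
    return 0;
}
```

With a fast proxy the over-long hostname is harmless in the old code, because the fallback to local resolution computed in the first step is still in scope when the request is built. The same hostname against a slow proxy overflows, because the second call starts with a fresh `resolve_local` and the check in `STEP_INIT` is never revisited. A 300-byte hostname on the slow path stays inside the buffer but still ships a malformed request, since the one-byte length field is truncated. The fix keeps the decision out of the re-entry path entirely by refusing such hostnames up front.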
Affected versions are libcurl 7.69.0 through 8.3.0. The project said the issue is fixed in cURL 8.4.0.
cURL provides both a library (libcurl) and a command-line tool (curl) for transferring data with URL syntax, supporting numerous network protocols, including HTTP, HTTPS, FTP and SMTP, among many others.
Earlier this week, the cURL project published a pre-patch advisory urging organizations to urgently inventory and scan all systems using curl and libcurl and prepare to apply the patches in cURL 8.4.0. On a given host, `curl --version` reports the version of both the tool and the libcurl it is linked against; copies of libcurl bundled or statically linked into other applications have to be tracked separately.
According to curl's maintainers, the vulnerability potentially affects all projects relying on libcurl, although some software may use it in a way that does not allow exploitation, since the attack needs a SOCKS5 proxy configured for remote name resolution and a server able to redirect the client to a hostname longer than 255 bytes. “Updating the shared libcurl library should be sufficient to fix this issue on all operating systems.” Applications that ship their own statically linked libcurl need to be rebuilt against 8.4.0 instead.