Patches have been released for two security flaws in curl, the widely used data transfer tool and library; the more serious of the two could lead to code execution.
The two weaknesses are as follows –
- CVE-2023-38545 (CVSS score: 7.5) – SOCKS5 heap-based buffer overflow vulnerability
- CVE-2023-38546 (CVSS score: 5.0) – Cookie injection without any file
CVE-2023-38545 is the more serious of the two, and has been described as “probably the worst curl security flaw in a long time” by Daniel Stenberg, the project’s lead developer. This affects libcurl versions 7.69.0 through 8.3.0.
“This flaw causes curl to overflow heap-based buffers in the SOCKS5 proxy handshake,” maintainers said in an advisory. “When curl is asked to pass a hostname to a SOCKS5 proxy to resolve addresses rather than doing so itself, the maximum length of a hostname can be 255 bytes.”
“If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means ‘let the host resolve the name’ could get the wrong value during a slow SOCKS5 handshake and, contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.”
The curl project said the overflow could be exploited by a malicious HTTPS server redirecting the client to a specially crafted URL whose hostname exceeds 255 bytes; beyond that, the only condition is a SOCKS5 handshake slow enough that curl returns and later re-enters its handshake code with the name-resolution decision lost.
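To make the mechanism in the advisory concrete, the following is an added example and not curl's own code: a constructed C model of the libcurl 7.69.0–8.3.0 SOCKS5 handshake state machine, reduced to the behaviour described above. The "resolve locally" decision is a local variable that only the initial state can switch on, so a handshake that blocks after the greeting re-enters with the decision reset and copies the full hostname. The buffer size, state and result names, the simulate() drivers and the 127.0.0.1 placeholder address are hypothetical; the request layout follows RFC 1928. Instead of writing past the buffer, the model reports SOCKS_OVERFLOW at the point where the real code corrupted the heap, and the patched=true path shows the 8.4.0 behaviour of failing the transfer up front.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example (not curl's code): constructed model of the libcurl 7.69.0-8.3.0
 * SOCKS5 handshake. TARGET_BUF_SIZE, the enum names and simulate*() are hypothetical. */

#define SOCKS5_MAX_HOSTNAME 255  /* one length byte in the SOCKS5 DOMAINNAME form */
#define TARGET_BUF_SIZE     256  /* hypothetical; curl's default is 16 KB, the logic is the same */

enum socks_result { SOCKS_OK, SOCKS_WOULDBLOCK, SOCKS_OVERFLOW, SOCKS_LONG_HOSTNAME };
enum socks_state  { SOCKS_INIT, SOCKS_GREETING_REPLY, SOCKS_SEND_REQUEST, SOCKS_DONE };

struct socks_ctx {
    enum socks_state state;             /* persists across calls, like curl's per-connection state */
    bool remote_resolve;                /* true for socks5h://: the proxy resolves the name */
    const char *hostname;
    unsigned char buf[TARGET_BUF_SIZE]; /* stands in for the heap-allocated download buffer */
    size_t outlen;
};

/* Build the RFC 1928 CONNECT request; report SOCKS_OVERFLOW where the real code wrote past buf. */
static enum socks_result build_request(struct socks_ctx *sx, bool resolve_local)
{
    size_t hostname_len = strlen(sx->hostname);
    size_t need = resolve_local ? 4 + 4 + 2 : 4 + 1 + hostname_len + 2;

    if (need > sizeof sx->buf)
        return SOCKS_OVERFLOW;
    sx->buf[0] = 0x05;                  /* VER */
    sx->buf[1] = 0x01;                  /* CMD: CONNECT */
    sx->buf[2] = 0x00;                  /* RSV */
    if (resolve_local) {
        sx->buf[3] = 0x01;              /* ATYP: IPv4, address resolved by curl itself */
        memcpy(&sx->buf[4], "\x7f\x00\x00\x01", 4);  /* placeholder 127.0.0.1 */
    } else {
        sx->buf[3] = 0x03;              /* ATYP: DOMAINNAME */
        sx->buf[4] = (unsigned char)hostname_len;     /* silently truncated when > 255 */
        memcpy(&sx->buf[5], sx->hostname, hostname_len);
    }
    sx->buf[need - 2] = 0x01;           /* DST.PORT 443, big-endian */
    sx->buf[need - 1] = 0xbb;
    sx->outlen = need;
    return SOCKS_OK;
}

/* One pass through the handshake. proxy_replied=false models a slow proxy: the
 * function returns and is re-entered later. patched=true selects the 8.4.0 fix. */
enum socks_result socks5_step(struct socks_ctx *sx, bool proxy_replied, bool patched)
{
    /* The flaw: the decision is a local recomputed on every entry. Only SOCKS_INIT can
     * switch it on, so after a re-entry it is false again for socks5h. */
    bool resolve_local = !sx->remote_resolve;
    size_t hostname_len = strlen(sx->hostname);

    if (sx->state == SOCKS_INIT) {
        if (!resolve_local && hostname_len > SOCKS5_MAX_HOSTNAME) {
            if (patched)
                return SOCKS_LONG_HOSTNAME; /* 8.4.0: fail instead of falling back */
            resolve_local = true;           /* <= 8.3.0: fall back to local resolution */
        }
        sx->state = SOCKS_GREETING_REPLY;
        if (!proxy_replied)
            return SOCKS_WOULDBLOCK;        /* slow handshake: resolve_local is lost here */
    }
    if (sx->state == SOCKS_GREETING_REPLY)
        sx->state = SOCKS_SEND_REQUEST;     /* greeting accepted; reply parsing elided */
    if (sx->state == SOCKS_SEND_REQUEST) {
        enum socks_result r = build_request(sx, resolve_local);
        if (r != SOCKS_OK)
            return r;
        sx->state = SOCKS_DONE;
    }
    return SOCKS_OK;
}

/* Drive a complete socks5h handshake; a slow proxy answers on the second pass. */
enum socks_result simulate(const char *hostname, bool slow_proxy, bool patched)
{
    struct socks_ctx sx = { SOCKS_INIT, true, hostname, {0}, 0 };
    enum socks_result r = socks5_step(&sx, !slow_proxy, patched);
    if (r == SOCKS_WOULDBLOCK)
        r = socks5_step(&sx, true, patched);
    return r;
}

/* Same, with a constructed hostname of `len` letters, as a malicious redirect would carry. */
enum socks_result simulate_len(size_t len, bool slow_proxy, bool patched)
{
    static char host[1024];
    if (len >= sizeof host)
        len = sizeof host - 1;
    memset(host, 'a', len);
    host[len] = '\0';
    return simulate(host, slow_proxy, patched);
}
```

With a fast proxy the 300-byte hostname completes in one pass and the fallback works (a 10-byte IPv4 request is built); with a slow proxy the same hostname reaches build_request() with resolve_local reset and 307 bytes would be written into a 256-byte buffer. The patched path rejects the name in the initial state, which is why the fix in 8.4.0 needed no change to the later copy.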
“Given that curl is such a ubiquitous project, it can be assumed in good faith that this vulnerability will be exploited in the wild for remote code execution, and more sophisticated exploits will be developed,” JFrog said. “However, the set of pre-conditions required for a machine to be unsafe is more restrictive than initially believed.”
Johannes B. Ullrich, dean of research at the SANS Technology Institute, said, “A legitimate exploit would require an attacker to trigger code execution by, for example, passing a hostname to a web app that would trigger code execution in curl. Next, the exploit only exists when curl is used to connect to a SOCKS5 proxy. This is another dependency, making the exploit less likely.”
The second vulnerability, CVE-2023-38546, affects libcurl versions 7.9.1 through 8.3.0 and lets an attacker insert arbitrary cookies into a running program that uses libcurl, but only when a specific series of conditions is met: the application enables cookies on an easy handle without naming a cookie file (CURLOPT_COOKIEFILE set to "" or "-"), duplicates that handle with curl_easy_duphandle(), and then uses the duplicate from a working directory in which the attacker has been able to create a file named "none", which the duplicated handle loads as its cookie file.
Patches for both flaws are available in curl 8.4.0, released on October 11, 2023. For CVE-2023-38545 the fix removes the fallback: when the proxy is meant to resolve the name (the socks5h:// scheme, CURLPROXY_SOCKS5_HOSTNAME in libcurl) and the hostname is longer than 255 bytes, curl now fails the transfer with an error instead of switching to local resolution, so the over-long name is never copied into the heap buffer. Deployments that cannot upgrade immediately are exposed only when curl is configured to use a SOCKS5 proxy with remote name resolution.
“This family of flaws would have been impossible if curl had been written in a memory-safe language instead of C, but porting curl to another language is not on the agenda,” Stenberg said.