Skip to content

Security update from Curl CVE sends ripples through the cybersecurity sphere as a patch is released

Exploitable heap-based buffer overflow issue found within popular tool, posing potential threat.

Security Vulnerability in Curl Leaves Community in Suspense with Patch Release

Critical Heap Buffer Overflow Vulnerability in Curl/libcurl Addressed

A significant security issue has been fixed in the latest release of the popular network transfer tool curl. Version 8.4.0, published on 11 October 2023, addresses the high-severity vulnerability CVE-2023-38545, a heap buffer overflow in curl's SOCKS5 proxy handshake.

The bug affects curl and libcurl versions 7.69.0 through 8.3.0. It is reachable only when curl talks to a SOCKS5 proxy in the mode where the proxy resolves host names (socks5h:// proxy URLs, or CURLPROXY_SOCKS5_HOSTNAME in libcurl). The SOCKS5 protocol carries the host name with a one-byte length field, so curl is supposed to resolve names longer than 255 bytes locally and send the address instead; during a slow handshake the flag recording that decision was lost, and the overlong name was copied into a heap buffer whose size is governed by CURLOPT_BUFFERSIZE. An attacker who can steer a vulnerable client to a URL with a very long host name, for example through an HTTP redirect, and whose proxy answers slowly can crash the process or, in principle, achieve arbitrary code execution. The fix is to upgrade to curl/libcurl 8.4.0 or later.

Mitigation is primarily updating curl/libcurl to 8.4.0 or later. Where that cannot happen immediately, the workaround from the curl advisory is to stop using the proxy-resolves mode: do not use CURLPROXY_SOCKS5_HOSTNAME in libcurl applications, and do not configure a socks5h:// proxy through environment variables, the --proxy option or CURLOPT_PROXY; plain socks5:// resolves names locally and is not affected. Vendors that embed libcurl have issued their own assessments; VMware, for example, states that VDDK does not use SOCKS5 proxy features and is therefore not impacted. The usual practices still apply: inventory which applications and appliances bundle libcurl, monitor them, and limit exposure of unpatched systems until the update can be applied.

Compared with Log4Shell (CVE-2021-44228), CVE-2023-38545 is a much narrower risk: exploitation needs a vulnerable curl/libcurl talking to a SOCKS5 proxy in socks5h mode, an attacker-influenced URL, and a slow proxy response. Both bugs can in theory lead to arbitrary code execution, but Log4Shell was far easier to trigger, reachable through many more code paths, and spread across a much larger ecosystem.

Lead developer Daniel Stenberg described the flaw as probably the worst security problem found in curl in a long time. Security researchers watched the 8.4.0 release closely because Stenberg pre-announced it a week in advance, on 4 October 2023, so that distributors and packagers could prepare, while withholding details of the bug until the release and its advisory were published.

First released in 1997 by Daniel Stenberg, curl is a widely used tool for transferring data over many protocols, and its library, libcurl, is embedded in a huge number of applications and devices. Whether the overlong host name actually overflows depends on the receive buffer size. The curl command-line tool allocates a 100 kB buffer by default, so it is only exposed when --limit-rate shrinks that buffer to a small value; libcurl's default CURLOPT_BUFFERSIZE is 16 kB, so an application that keeps the default (or sets anything below roughly 64 kB, the longest host name curl accepts) can be overflowed by a sufficiently long name.
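To make the state-machine mistake concrete, here is a constructed C model of the bug described above and of the buffer-size dependence just mentioned. It is added for this article and is not curl's code: the state names, the four-byte placeholder address and the host-name lengths are invented, and the model records an `overflow` flag instead of copying past the buffer where curl 8.3.0 simply called memcpy. The vulnerable variant keeps the resolve-locally decision in a local variable that is recomputed from the proxy type on every re-entry, so the 255-byte check performed in the INIT state is forgotten after a slow handshake; the fixed variant stores the decision in the per-connection state, as curl 8.4.0 does.

```c
/* Constructed model of the CVE-2023-38545 state-machine flaw. Added for this
 * article; not curl's code. The SOCKS5 host-name address form carries a
 * one-byte length, so names longer than 255 bytes must be resolved locally
 * and sent as an address. In curl 7.69.0-8.3.0 that decision lived in a local
 * variable recomputed on every re-entry of the non-blocking handshake; the
 * length check ran only in the INIT state, so after a slow handshake the
 * request-building state used the socks5h default ("proxy resolves") and
 * copied the full name into the download buffer. 8.4.0 keeps the decision in
 * the per-connection state. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum sx_state { SX_INIT, SX_AUTH_WAIT, SX_REQ_SEND, SX_DONE };

struct sx {
    enum sx_state state;
    bool resolve_local;    /* fixed variant: decision survives re-entry */
};

struct outcome {
    uint8_t atyp;          /* 1 = IPv4 address (resolved locally), 3 = host name */
    size_t bytes_needed;   /* size of the request the code tried to build */
    bool overflow;         /* bytes_needed exceeded the buffer */
};

/* Build the SOCKS5 CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT. */
static void build_request(bool resolve_local, const char *host, size_t hostlen,
                          uint8_t *buf, size_t bufsize, struct outcome *out)
{
    size_t len = 0;
    out->atyp = resolve_local ? 1 : 3;
    out->bytes_needed = 4 + (resolve_local ? 4 : 1 + hostlen) + 2;
    out->overflow = out->bytes_needed > bufsize;
    if (out->overflow)
        return;            /* model only: curl 8.3.0 had no guard here and memcpy'd anyway */
    buf[len++] = 5; buf[len++] = 1; buf[len++] = 0; buf[len++] = out->atyp;
    if (resolve_local) {
        const uint8_t ipv4[4] = {192, 0, 2, 1};   /* constructed "resolved" address */
        memcpy(&buf[len], ipv4, 4);
        len += 4;
    } else {
        buf[len++] = (uint8_t)hostlen;  /* the reason for the 255 limit: this byte truncates */
        memcpy(&buf[len], host, hostlen);
        len += hostlen;
    }
    buf[len++] = 0x01; buf[len++] = 0xbb;   /* port 443 */
}

/* One call of the non-blocking handshake; returns true once the request is built.
 * proxy_resolves is true for socks5h:// (proxy resolves names), false for socks5://. */
static bool socks5_step(struct sx *sx, bool fixed, bool proxy_resolves,
                        const char *host, uint8_t *buf, size_t bufsize,
                        bool would_block, struct outcome *out)
{
    size_t hostlen = strlen(host);
    /* vulnerable variant: a local, reset to the proxy-type default on every call */
    bool local_decision = !proxy_resolves;

    if (sx->state == SX_INIT) {
        if (hostlen > 255)
            local_decision = true;   /* the 255 limit is applied here and nowhere else */
        if (fixed)
            sx->resolve_local = local_decision;
        sx->state = SX_AUTH_WAIT;
        if (would_block)
            return false;            /* slow proxy: return to the caller, re-enter later */
    }
    if (sx->state == SX_AUTH_WAIT)
        sx->state = SX_REQ_SEND;
    if (sx->state == SX_REQ_SEND) {
        bool resolve_local = fixed ? sx->resolve_local : local_decision;
        build_request(resolve_local, host, hostlen, buf, bufsize, out);
        sx->state = SX_DONE;
    }
    return sx->state == SX_DONE;
}

/* Drive a handshake against a constructed host name of hostlen 'a' characters;
 * the first call blocks when slow_proxy is set. */
struct outcome run_handshake(bool fixed, bool proxy_resolves, bool slow_proxy,
                             size_t hostlen, size_t bufsize)
{
    struct outcome out = {0, 0, false};
    struct sx sx = {SX_INIT, false};
    char *host = malloc(hostlen + 1);
    uint8_t *buf = malloc(bufsize);
    bool first = true;

    if (!host || !buf) { free(host); free(buf); return out; }
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    while (!socks5_step(&sx, fixed, proxy_resolves, host, buf, bufsize,
                        slow_proxy && first, &out))
        first = false;
    free(host);
    free(buf);
    return out;
}

int main(void)
{
    const size_t libcurl_default = 16384;   /* CURLOPT_BUFFERSIZE default */
    const size_t tool_default = 102400;     /* curl command-line tool default */
    struct outcome v = run_handshake(false, true, true, 20000, libcurl_default);
    struct outcome f = run_handshake(true, true, true, 20000, libcurl_default);
    struct outcome t = run_handshake(false, true, true, 20000, tool_default);
    printf("8.3.0 model, 16 kB buffer:  atyp=%d needs=%zu overflow=%d\n", v.atyp, v.bytes_needed, v.overflow);
    printf("8.4.0 model, 16 kB buffer:  atyp=%d needs=%zu overflow=%d\n", f.atyp, f.bytes_needed, f.overflow);
    printf("8.3.0 model, 100 kB buffer: atyp=%d needs=%zu overflow=%d\n", t.atyp, t.bytes_needed, t.overflow);
    return 0;
}
```

Run as-is, it compares the two variants against a 20000-byte host name with libcurl's 16 kB default buffer and the tool's 100 kB default. With the larger buffer the vulnerable variant still emits a malformed request (the length byte truncates 20000 to 32) but does not overflow, which is why the command-line tool was only exposed when --limit-rate reduced its buffer; a fast handshake, or a plain socks5:// proxy, never reaches the bad path in either variant.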

Some security researchers have compared the potential security implications of this vulnerability to that of Log4j. Mike McGuire, senior software solutions manager at Synopsys, stated that the protections against the vulnerability are not included in libcurl versions 7.69.0 through 8.3.0. Henrik Plate, a security researcher at Endor Labs, stated that the upcoming advisory for curl/libcurl is important.

In summary, CVE-2023-38545 is a significant risk mainly where vulnerable curl/libcurl versions are used with socks5h:// SOCKS5 proxies, and the mitigations are straightforward: patch, or disable the affected proxy mode until you can. If your deployments use curl or libcurl with SOCKS5 proxies, upgrade to 8.4.0 or later; and because libcurl is so often bundled inside other software, check vendor advisories for embedded copies as well as the system package, monitoring and limiting exposure of anything that remains unpatched.
