
How Serious Is The Curl [CVE-2023-38545] Vulnerability?

Benjamin Marr, Security Engineer

Key Points

Our take: patch the curl vulnerability (CVE-2023-38545) according to your normal schedule, but only move to panic stations if you use curl in proxy-resolver mode via a SOCKS5 proxy, it's a vulnerable version, and there is a clear path for attackers to control which server curl is pointing at, e.g. with untrusted user inputs on a public application.

What is the curl vulnerability?

The curl vulnerability is a heap-based buffer overflow in the SOCKS5 proxy code path, triggered by an overlong hostname when curl is asked (via the command-line flag) to let the SOCKS5 proxy resolve names. It occurs because curl silently switches to resolving the name locally when the name is too long for the proxy, and the overlong name is then copied into a buffer that may be too small. There are, however, several caveats/requirements for exploitation to be possible:

  • The attacker must be able to point curl at a malicious server they control
  • curl must be using a SOCKS5 proxy using proxy-resolver mode
  • curl must be configured to automatically follow redirects
  • An overflow is only possible in applications that do not set CURLOPT_BUFFERSIZE when using libcurl, or set it smaller than 65541. Since curl sets CURLOPT_BUFFERSIZE to 100kB by default it is not vulnerable in its default state
  • The SOCKS5 handshake must be "slow enough" for the local-variable bug to trigger. The advisory does not define "slow enough", but the maintainers do state that "typical server latency is likely slow enough"

Due to these caveats, the modern memory protections available, and the fact that attackers must first find attack surface which exposes curl in a vulnerable manner, we do not believe that there will be widespread mass exploitation.

This vulnerability is likely to be a bigger problem for security devices and other appliances which fetch untrusted content using curl under the hood. curl is also available on every Linux OS so it may be used as a new path for privilege escalation in certain attack chains, if an attacker can find curl being used in any root context.

Affected software

The maintainers of curl have disclosed two vulnerabilities in libcurl which affect versions 7.69.0 up to and including 8.3.0. One of these is rated High severity and was initially described by the maintainers as "probably the worst curl security flaw in a long time". curl is a command-line tool (and library, libcurl) that many applications rely on for their functionality. The maintainers keep a list of some companies that use curl in their products. This High severity vulnerability impacts both curl and libcurl, and patches are now available from the curl site or from your chosen Linux distro.

How to identify the curl vulnerability

To help identify which versions of curl you have installed (either standalone or packaged within other applications), we have collated some methods below. The affected versions are from 7.69.0 up to and including 8.3.0.
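As an added example (not from the original post or the curl project), a small Python checker that parses `curl --version` output and flags the range the post gives, for both the curl binary and the libcurl it is linked against; the sample captures are constructed.

```python
import re

# Affected range given in the post: 7.69.0 up to and including 8.3.0
AFFECTED_MIN = (7, 69, 0)
AFFECTED_MAX = (8, 3, 0)

def parse_version(text):
    """Return (major, minor, patch) for the first dotted version in text, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def versions_from_curl_output(output):
    """Pull the tool and library versions from the first line of `curl --version`.

    The two can differ (a curl binary linked against a system libcurl), and the
    CVE affects both, so both are reported when present.
    """
    first_line = output.strip().splitlines()[0]
    found = {}
    m = re.match(r"curl\s+(\S+)", first_line)
    if m:
        found["curl"] = parse_version(m.group(1))
    m = re.search(r"libcurl/(\S+)", first_line)
    if m:
        found["libcurl"] = parse_version(m.group(1))
    return found

def is_affected(version):
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX

def assess(output):
    """Map each component found in a `curl --version` capture to True if it is in the affected range."""
    return {name: is_affected(v) for name, v in versions_from_curl_output(output).items()}

# Constructed sample captures of `curl --version`, not real system output
SAMPLES = {
    "in_range": "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9 zlib/1.2.13\nRelease-Date: 2023-02-20\n",
    "too_old": "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f\n",
    "fixed": "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.1.3\n",
    "mixed": "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.1.3\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(name, assess(out))
```

Distributions frequently backport the fix without bumping the version string, so treat a match as "check the package changelog", not as confirmed vulnerable.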

Below are examples of how to identify curl binaries on your systems.

Linux / MacOS

Windows

  • Remember to update the drive letter if you want to search a different drive than C:\

Using Defender for Endpoints

KQL queries

Docker containers, JFrog Artifactory, or AWS Elastic Container Registry using Docker Scout

  • Source and further information by Docker available here.

How to fix the curl vulnerability

Apply the latest patch. If the version of curl (or libcurl) installed is packaged within an application install, please seek guidance on patching this software from the relevant vendor.

How to defend against exploitation

Patching as soon as possible is recommended for organizations that use curl in proxy-resolver mode via a SOCKS5 proxy, or use cases where there is a clear path for attackers to control which server curl is pointing at, e.g. with untrusted user inputs on a public application. For general patching outside of these use cases, we recommend implementing the latest patches according to your usual schedule for High impact weaknesses. Where a patch isn't available for the target system/application, we recommend monitoring the use of SOCKS5 proxies by curl/libcurl.

How to identify exploitation

The following flags for curl should be monitored for excessively large strings:

The following options for libcurl are affected (environment variables):
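As an added example (not from the original post), detection logic in Python that scans constructed process-execution records for curl invocations that combine SOCKS5 proxy-resolver mode (the `--socks5-hostname` flag, a `socks5h://` proxy URL, or an `ALL_PROXY`-style environment variable) with a target hostname longer than the 255 bytes SOCKS5 can carry; the log format, host names and proxy address are assumptions.

```python
import shlex
from urllib.parse import urlsplit

# SOCKS5 (RFC 1928) encodes a domain name with one length byte, so 255 is the longest
# name a proxy can be asked to resolve; longer names trip the local-resolve fallback.
SOCKS5_MAX_HOSTNAME = 255
PROXY_FLAGS = {"-x", "--proxy", "--preproxy"}   # value socks5h://... = proxy-resolver mode

def analyse_curl_command(cmd):
    """Classify one curl command line (separate flags only; bundles like -sL are not parsed)."""
    argv = shlex.split(cmd)
    f = {"proxy_resolver": False, "follows_redirects": False, "longest_host": 0}
    # Leading VAR=value assignments cover the ALL_PROXY / *_proxy environment route
    while argv and "=" in argv[0] and not argv[0].startswith("-"):
        name, _, value = argv.pop(0).partition("=")
        f["proxy_resolver"] |= name.lower().endswith("_proxy") and value.startswith("socks5h://")
    i = 0
    while i < len(argv):
        a, nxt = argv[i], (argv[i + 1] if i + 1 < len(argv) else "")
        if a in ("-L", "--location"):
            f["follows_redirects"] = True
        elif a == "--socks5-hostname":              # explicit proxy-resolver flag
            f["proxy_resolver"] = True
            i += 1                                  # skip the proxy address
        elif a in PROXY_FLAGS:
            f["proxy_resolver"] |= nxt.startswith("socks5h://")
            i += 1
        elif "://" in a:                            # a target URL
            f["longest_host"] = max(f["longest_host"], len(urlsplit(a).hostname or ""))
        i += 1
    f["suspicious"] = f["proxy_resolver"] and f["longest_host"] > SOCKS5_MAX_HOSTNAME
    return f

def scan_log(lines):
    """Return (timestamp, host, findings) for records that meet the overlong-name condition."""
    hits = []
    for line in lines:
        ts, host, cmd = line.split(" ", 2)
        f = analyse_curl_command(cmd)
        if f["suspicious"]:
            hits.append((ts, host, f))
    return hits

# Constructed process-execution records: "<timestamp> <host> <command line>"
SAMPLE_LOG = [
    "2023-10-11T09:00:01Z web1 curl -L --socks5-hostname 10.0.0.5:1080 http://" + "a" * 300 + ".example/",
    "2023-10-11T09:00:02Z web1 curl -L -x socks5h://10.0.0.5:1080 https://example.com/",
    "2023-10-11T09:00:03Z web1 ALL_PROXY=socks5h://10.0.0.5:1080 curl https://" + "b" * 260 + ".example/",
    "2023-10-11T09:00:04Z web1 curl -x socks5://10.0.0.5:1080 http://" + "c" * 300 + ".example/",
]
```

This only sees overlong names given directly on the command line; the redirect-supplied case in the caveats above surfaces in proxy or network logs rather than process-execution logs, and plain `socks5://` (local resolution) is deliberately not flagged.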

How Intruder is helping

We're currently monitoring the situation and will update this post as we find out more. For those customers who have internal targets added to the portal, please run a fresh scan to ensure that you are checked for the curl security vulnerability.

If there is further fallout, our security team will conduct Rapid Response for our Premium and Vanguard customers for this vulnerability where it affects other downstream software/hardware.

Learn more about Intruder's vulnerability scanner or try it yourself for free for 14 days.
