High Severity Vulnerability in curl 8.4.0

Cyber Security Threat Summary:
Last week, researchers warned of a critical flaw in curl, the popular command line transfer tool. Curl project founder and lead developer Daniel Stenberg called it “probably the worst curl security flaw in a long time.” While details were initially withheld, a patch released today fixed two separate vulnerabilities tracked as CVE-2023-38545 and CVE-2023-38546.

“CVE-2023-38545 is a heap-based buffer overflow flaw that affects both libcurl and the curl tool, carrying a severity rating of "high." Possible outcomes of such issues include the corruption of data and, in the worst cases, the execution of arbitrary code” (The Register, 2023). The overflow can occur during a slow SOCKS5 proxy handshake and is triggered by the mishandling of hostnames longer than 255 bytes: when the supplied hostname exceeds 255 bytes, curl switches to resolving it locally rather than letting the proxy resolve it remotely.

"Due to a bug, the local variable that means 'let the host resolve the name' could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too-long hostname to the target buffer instead of copying just the resolved address there," the advisory reads.

The vulnerability could be exploited by a malicious HTTPS server redirecting the client to a URL crafted specifically to trigger the heap buffer overflow.

The second flaw, CVE-2023-38546, allows an attacker to insert cookies at will into a running program using libcurl, if a specific series of conditions is met and the cookies are placed in a file called “none” in the application’s current directory. According to the developers, it is unlikely that an attacker could meet the series of conditions required to trigger the vulnerability, and even if they did, the risk from cookie injection is generally low.

Security Officer Comments:
The flaw resided in curl for 1,300 days and shipped in over 20 billion installed instances. Stenberg says the mistake went unnoticed and could have been caught with a better set of tests. He notes that the project repeatedly runs several static code analyzers on the code, but none of them spotted the issue.

The details of the flaw were released early today, as one of the project maintainers published the patch details earlier than the intended go-live time. “The early leak came from Red Hat's CentOS Stream project on GitLab and its commit time confirmed it was made at 1725 UTC on October 10 rather than the actual scheduled release date and time” (The Register, 2023). Security researchers began analysing the vulnerabilities once they were disclosed early, and the curl project pushed out the official patches soon after.

Last year, the NSA published a recommendation that applications be rewritten in programming languages with better memory safety guardrails, such as Rust and Go. Stenberg admitted that the flaws found in curl would not have existed had it been written in a more memory-safe language instead of C, but confirmed there were no plans to make such a switch.

Suggested Correction(s):
Applications that depend on libcurl versions 7.69.0 up to and including 8.3.0 (the previous most recent release) should upgrade to 8.4.0 as soon as possible. Applications that have not set the preferred receive buffer size (CURLOPT_BUFFERSIZE), or have set it to a value smaller than 65541 bytes, are especially exposed.

The curl command line tool is protected in its default configuration, but applications that depend on libcurl may need to make changes.

The fix in version 8.4.0 makes curl return an error when it encounters a hostname longer than 255 bytes.

As a workaround, the curl project also advised not to use CURLPROXY_SOCKS5_HOSTNAME proxies and not to set a proxy environment variable to the socks5h:// scheme.
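The upgrade and workaround advice above can be turned into a quick host audit. The POSIX shell script below is an added example written for this summary, not code from the curl project or the advisory. It classifies a curl version string against the affected range 7.69.0 through 8.3.0, extracts the version from the first line of `curl --version` output, and flags the proxy environment variables curl actually reads (all_proxy/ALL_PROXY, https_proxy/HTTPS_PROXY and lower-case http_proxy; curl ignores upper-case HTTP_PROXY) when they select the socks5h:// scheme. The sample version line used in the comments is constructed, and `audit_installed_curl` and the `AUDIT_CURL` switch are names chosen for this example. It cannot see an application's CURLOPT_BUFFERSIZE setting; that has to be checked in the application's own libcurl code.

```shell
#!/bin/sh
# Added example for this summary, not code from the curl project.
# Audits a host against the advisory's guidance: curl/libcurl 7.69.0 through
# 8.3.0 should be upgraded, and socks5h:// proxy settings should be avoided.

# Turn "MAJOR.MINOR.PATCH" into one comparable integer: 8.3.0 -> 8003000.
version_key() {
    # Split on dots into positional parameters (local to this function).
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%s\n' $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit status 0 if the version falls inside the affected range, 1 otherwise.
curl_version_affected() {
    key=$(version_key "$1")
    [ "$key" -ge "$(version_key 7.69.0)" ] && [ "$key" -le "$(version_key 8.3.0)" ]
}

# Pull the version number out of the first line of `curl --version` output,
# e.g. (constructed) "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 ..." -> "8.3.0".
parse_curl_version() {
    printf '%s\n' "$1" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit status 0 if any proxy variable curl reads names a socks5h:// proxy.
# curl reads all_proxy/ALL_PROXY, https_proxy/HTTPS_PROXY and lower-case
# http_proxy only (upper-case HTTP_PROXY is deliberately ignored by curl).
proxy_env_uses_socks5h() {
    for v in "${ALL_PROXY:-}" "${all_proxy:-}" "${HTTPS_PROXY:-}" "${https_proxy:-}" "${http_proxy:-}"; do
        case "$v" in
            socks5h://*) return 0 ;;
        esac
    done
    return 1
}

# Run the checks against the curl binary on this host (helper name chosen for this example).
audit_installed_curl() {
    if ! command -v curl >/dev/null 2>&1; then
        echo "curl not installed"
        return 0
    fi
    ver=$(parse_curl_version "$(curl --version 2>/dev/null | head -n 1)")
    if curl_version_affected "$ver"; then
        echo "curl $ver: inside affected range 7.69.0 to 8.3.0, upgrade to 8.4.0"
    else
        echo "curl $ver: outside affected range"
    fi
    if proxy_env_uses_socks5h; then
        echo "warning: a proxy environment variable selects socks5h://"
    fi
}

# Set AUDIT_CURL=1 when running the script to audit the local host.
if [ "${AUDIT_CURL:-0}" = 1 ]; then
    audit_installed_curl
fi
```

Run it as `AUDIT_CURL=1 sh audit.sh` on each host; the version check alone does not prove a libcurl-based application is safe, since the receive buffer size it configures is set in code rather than in the environment.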

Link(s):
https://github.com/curl/curl/discussions/12026
https://www.theregister.com/2023/10/11/vulnerabilities_in_curl_receive_patches/