Patches have been launched for two safety flaws impacting the Curl information switch library, probably the most extreme of which may doubtlessly end in code execution.
The checklist of vulnerabilities is as follows –
- CVE-2023-38545 (CVSS rating: 7.5) – SOCKS5 heap-based buffer overflow vulnerability
- CVE-2023-38546 (CVSS rating: 5.0) – Cookie injection with none file
CVE-2023-38545 is the extra extreme of the 2, and has been described by the challenge’s lead developer, Daniel Stenberg, as “in all probability the worst Curl safety flaw in a very long time.” It impacts libcurl variations 7.69.0 to and together with 8.3.0.
“This flaw makes Curl overflow a heap-based buffer within the SOCKS5 proxy handshake,” the maintainers stated in an advisory. “When Curl is requested to cross alongside the hostname to the SOCKS5 proxy to permit that to resolve the deal with as a substitute of it getting achieved by Curl itself, the utmost size that hostname might be is 255 bytes.”
“If the hostname is detected to be longer than 255 bytes, Curl switches to native title resolving and as a substitute passes on the resolved deal with solely to the proxy. As a consequence of a bug, the native variable which means ‘let the host resolve the title’ may get the unsuitable worth throughout a gradual SOCKS5 handshake, and opposite to the intention, copy the too lengthy hostname to the goal buffer as a substitute of copying simply the resolved deal with there.”
Curl stated the vulnerability may probably be exploited with out the necessity for a denial-of-service assault and an overflow may very well be triggered with a malicious HTTPS server performing a redirect to a specifically crafted URL.
“Seeing that Curl is an ubiquitous challenge it may be assumed with good confidence that this vulnerability will get exploited within the wild for distant code execution, with extra refined exploits being developed,” JFrog stated. “Nevertheless – the set of pre-conditions wanted to ensure that a machine to be weak is extra restrictive than initially believed.”
“A sound exploit would require an attacker to set off code execution by, for instance, passing a hostname to an internet app that may set off the code execution in Curl,” Johannes B. Ullrich, the dean of analysis on the SANS Expertise Institute, stated. “Subsequent, the exploit solely exists if Curl is used to hook up with a SOCKS5 proxy. That is one other dependency, making exploitation much less probably.”
The second vulnerability, which impacts libcurl variations 7.9.1 to eight.3.0, permits a foul actor to insert cookies at will right into a working program utilizing libcurl beneath particular circumstances.
Patches for each flaws can be found in model 8.4.0 launched on October 11, 2023. Particularly, the replace ensures that Curl now not switches to native resolve mode if a hostname is just too lengthy, thereby mitigating the chance of heap-based buffer overflows.
“This household of flaws would have been inconceivable if Curl had been written in a memory-safe language as a substitute of C, however porting Curl to a different language shouldn’t be on the agenda,” Stenberg added.