CVE-2023-38545, CVE-2023-38546: Frequently Asked Questions for New Vulnerabilities in curl

Frequently asked questions relating to two vulnerabilities patched in curl version 8.4.0

Background

On October 3, Daniel Stenberg, an open-source developer and maintainer of curl, took to X (formerly Twitter) to announce that a new high severity CVE would be fixed in curl 8.4.0. Daniel noted that the release would be ahead of schedule and released on October 11, indicating in a reply to the twitter thread that this is “the worst security problem found in curl in a long time.”

We are cutting the release cycle short and will release curl 8.4.0 on October 11, including a fix for a severity HIGH CVE. Buckle up.

— daniel:// stenberg:// (@bagder) October 3, 2023

On October 11, Stenberg published a blog post providing background into how the vulnerability was introduced as well as an example attack scenario.

FAQ

What is curl and libcurl?

Client for URL (or “curl”) is a command line tool (CLI) used to transfer files to and from servers. curl can make use of a variety of protocols and is backed by the libcurl library which provides multiple APIs and support for a multitude of network bindings. curl is widely used by system administrators and developers.

What is the difference between curl and libcurl?

libcurl is a development library (shortened to “lib”) that allows other programs to use the curl tool, where “curl” is the cli tool or frontend that is run from a script or a shell prompt. Stenberg’s post offers a great summary on the differences between these two.

What vulnerabilities were fixed in curl 8.4.0?

On October 11, curl 8.4.0 was released and contains fixes for two vulnerabilities:

What is CVE-2023-38545?

CVE-2023-38545 is a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake in libcurl and curl.

When curl is given a hostname to pass along to a SOCKS5 proxy that is greater than 255 bytes in length, it will switch to local name resolution in order to resolve the address before passing it on to the SOCKS5 proxy. However, due to a bug introduced in 2020, this local name resolution could fail due to a slow SOCKS5 handshake, causing curl to pass on the hostname greater than 255 bytes in length into the target buffer, leading to a heap overflow.

The advisory for CVE-2023-38545 gives an example exploitation scenario of a malicious HTTPS server redirecting to a specially crafted URL. While it might seem that an attacker would need to “influence” the slowness of the SOCKS5 handshake, the advisory states that server latency is likely “slow enough to trigger this bug.”

Are there certain requirements necessary for CVE-2023-38545 to be exploited?

Yes, the advisory provides specific requirements for exploitation in both libcurl and curl.

First, exploiting the buffer is only possible when an application using a vulnerable version of libcurl either does not configure the buffer size in CURLOPT_BUFFERSIZE or has set it to a value less than 65541. Additional requirements:

What is CVE-2023-38546?

CVE-2023-38546 is a cookie injection vulnerability in the curl_easy_duphandle(), a function in libcurl that duplicates easy handles.

When duplicating an easy handle, if cookies are enabled, the duplicated easy handle will not duplicate the cookies themselves, but would instead set the filename to ‘none.’ Therefore, when the duplicated easy handle is subsequently used, if a source was not set for the cookies, libcurl would attempt to load them from the file named ‘none’ on the disk.

This vulnerability is rated low, as the various conditions required for exploitation are unlikely.

When will patches be available?

On October 11, curl version 8.4.0 was released. Various Linux and Unix distributions are rolling out patches as well. Applications that embed libcurl will also need to update to the patched version. We anticipate that projects using libcurl will be releasing updates soon.

Have either of these CVE’s been exploited in the wild?

As of October 11, we are not aware of any in-the-wild exploitation of either CVE-2023-38545 or CVE-2023-38546.

Is a proof-of-concept available for CVE-2023-38545 or CVE-2023-38546?

Yes, a proof-of-concept (PoC) was published as a GitHub Gist by Remy, a vulnerability researcher at GreyNoise. There is no PoC for CVE-2023-38546.

How widely used is curl?

curl is one of the most widely used open source projects, as it is in use in a variety of applications and devices worldwide. It is deployed with Windows from Windows 10 and later as well as many Linux distributions.

Identifying affected systems

curl 8.4.0 was released on October 11. The Tenable Research team began immediately working on plugin coverage to address both CVEs and will continue to release coverage as more patches are released to address these flaws. A list of Tenable plugins to identify affected systems can be located on the individual CVE page for each of the CVEs mentioned here:

These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

In addition, customers can utilize the following Plugin IDs to identify curl and libcurl installations:

We will continue to update this blog as new plugin coverage is made available.

Get more information

• Daniel Stenberg’s Blog: HOW I MADE A HEAP OVERFLOW IN CURL
• curl Security Advisory for CVE-2023-38545
• curl Security Advisory for CVE-2023-38546
• curl upcoming release announcement

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.