
High-Risk Security Vulnerabilities in Curl Library – Immediately Patched


Two security vulnerabilities affecting the Curl data transfer library have recently come to light. CVE-2023-38545 is the more critical of the two, with a CVSS score of 7.5.

What Is It All About?

This vulnerability is a heap-based buffer overflow in the SOCKS5 handling, which could lead to code execution.

The project’s lead developer has gone so far as to label it as “arguably one of the most significant security flaws in Curl to date.”

Vulnerability Specifics: CVE-2023-38545

This vulnerability affects libcurl versions 7.69.0 through 8.3.0. It manifests as an overflow of a heap-based buffer during the SOCKS5 proxy handshake.

When Curl is asked to pass the hostname to the SOCKS5 proxy for resolution instead of resolving it locally, the maximum hostname length the protocol allows is 255 bytes.

However, the flaw surfaces when the local variable that records whether the host should resolve the name itself receives the wrong value during a slow SOCKS5 handshake.

Rather than only the resolved address being sent to the proxy, a hostname longer than 255 bytes is copied into the target buffer.

This oversight opens the door to exploitation: a malicious HTTPS server could trigger the overflow by redirecting to a specially crafted URL.

The significance of this vulnerability lies in its potential for remote code execution, rather than merely a denial of service.

Vulnerability Specifics: CVE-2023-38546

The second vulnerability, CVE-2023-38546, is less severe, with a CVSS score of 5.0.

It concerns cookie injection in specific scenarios for libcurl versions from 7.9.1 to 8.3.0.

Under specific conditions, it allows a malicious actor to inject cookies into a running program that uses libcurl.

Responsible Approach: Prompt Action 

To address these vulnerabilities, patches have been promptly released in version 8.4.0 of Curl, made available on October 11, 2023. 

Notably, this update fixes the heap-based buffer overflow by ensuring that Curl no longer switches to local resolution mode when confronted with an excessively long hostname.

This, in turn, mitigates the risk of a heap-based buffer overflow exploit.
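To make the 255-byte limit and the corrected behaviour concrete, here is an added illustration (not curl's own code): a SOCKS5 CONNECT request builder for proxy-side name resolution that rejects an over-long hostname outright, instead of relying on a separate "resolve locally" flag that a slow handshake might reset. The function names, the 1024-byte probe buffer and port 443 are this example's own choices.

```c
/* Added illustration, not curl's own code: build the SOCKS5 CONNECT request
 * for proxy-side name resolution, enforcing the 255-byte hostname limit up
 * front instead of relying on a separate "resolve locally" flag. */
#include <stdint.h>
#include <string.h>

#define SOCKS5_MAX_HOST 255                            /* one-byte LEN field */
#define SOCKS5_REQ_MAX  (4 + 1 + SOCKS5_MAX_HOST + 2)  /* hdr+LEN+host+port */

/* Wire layout: VER=5 CMD=1(CONNECT) RSV=0 ATYP=3(domain) LEN host[LEN] port(BE).
 * Returns the number of bytes written to out, or -1 if the request is rejected. */
int socks5_connect_request(const char *host, uint16_t port,
                           uint8_t *out, size_t outlen)
{
    size_t hostlen = strlen(host);
    /* Mirrors the 8.4.0 behaviour described above: an over-long name is an
     * error, never a silent switch to local resolution that could be lost. */
    if (hostlen == 0 || hostlen > SOCKS5_MAX_HOST)
        return -1;
    size_t need = 4 + 1 + hostlen + 2;
    if (outlen < need)            /* check the destination before any copy */
        return -1;
    out[0] = 0x05; out[1] = 0x01; out[2] = 0x00; out[3] = 0x03;
    out[4] = (uint8_t)hostlen;
    memcpy(out + 5, host, hostlen);
    out[5 + hostlen]     = (uint8_t)(port >> 8);
    out[5 + hostlen + 1] = (uint8_t)(port & 0xff);
    return (int)need;
}

/* Build into a correctly sized local buffer and report only the result. */
int request_len_for(const char *host)
{
    uint8_t buf[SOCKS5_REQ_MAX];
    return socks5_connect_request(host, 443, buf, sizeof buf);
}

/* A hostname of n 'a' characters, constructed to probe the length boundary. */
int request_len_for_n_chars(size_t n)
{
    char host[1024];
    if (n >= sizeof host) return -1;
    memset(host, 'a', n);
    host[n] = '\0';
    return request_len_for(host);
}
```

A 255-byte name yields a 262-byte request; a 256-byte name is refused before any byte is copied.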

These vulnerabilities underscore the challenges inherent in using a programming language like C; adopting a memory-safe language could potentially have averted this class of flaw.

However, moving Curl to another language is not currently within the project’s scope, as Daniel Stenberg, the lead developer, has stated.

Resilience or Exploits: What’s Your Choice?

The emergence of two high-risk security flaws in the Curl library reminds us of the evolving challenges that future security must confront.

It highlights the need to reassess the foundations of software development continuously. To protect against threats, future security measures should incorporate proactive vulnerability assessments, advanced static and dynamic analysis tools, and rigorous code review processes. 

Exploring memory-safe programming languages and automated security testing frameworks will be pivotal in building resilient systems. 

As cyber threats become increasingly sophisticated, a forward-looking approach to security is crucial to avoid potential risks and vulnerabilities.

Author: Anas Hasan

Date: October 13, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
