cURL's Vulnerabilities: When Disclosure Goes Awry

A set of vulnerabilities disclosed earlier this month in cURL kept a lot of security folks on their toes. The curl project disclosed the vulnerabilities, described by project founder and lead developer Daniel Stenberg as "probably the worst curl security flaw in a long time." The latest version (8.4.0) patches two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546. The affected versions are libcurl 7.9.1 up to and including 8.3.0; libcurl versions < 7.9.1 and >= 8.4.0 are unaffected.

CVE-2023-38545 is a heap-based buffer overflow flaw present in both libcurl and the curl command-line tool. It has a CVSS severity rating of "high," as exploitation can result in data corruption and, in the worst case, arbitrary code execution. CVE-2023-38546 is a low-severity cookie injection flaw that affects only libcurl. The curl project's advisory states that the chances of an attacker meeting the series of conditions required to exploit it are minimal, and that even if they did, the risk a cookie injection attack poses to the end user's safety is low.

The initial shock to the security community came when cURL's developers announced that version 8.4.0 would be released early to patch the vulnerabilities. Given that curl or libcurl is found in most modern operating systems, this put all system admins on high alert. However, once the vulnerability details were released, it was found that exploitation has several non-trivial requirements: the curl client must be configured to use a SOCKS5 proxy when connecting to the remote site, and automatic redirections must be enabled. In addition, there is a timing requirement; the flaw only affects slow SOCKS5 connections to the remote site.

To actually exploit this flaw, an attacker would have to create a website that redirects visitors to a very long hostname (over 255 characters), which causes the input to trigger the heap buffer overflow and crash the program. Although this part is easy to set up, researchers found that the existing proof-of-concept exploits only cause curl to crash, producing a denial of service (DoS), and that remote code execution (RCE) was not proven in practice. Beyond that, most people are not using curl through SOCKS5, so they would be immune to the exploit.
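A defender-side check for the preconditions described above, as an added example that is not code from the curl project or from the post's author: it decides whether a curl build falls inside the affected range the advisory gives (7.9.1 up to and including 8.3.0), and flags a redirect target whose hostname exceeds 255 characters when a SOCKS5 proxy is configured. The `socks5://` and `socks5h://` proxy URL schemes and the `curl --version` output format are real curl conventions; the function names, the verdict strings and all sample inputs are constructed for this example.

```python
"""
Exposure checks for the curl SOCKS5 heap overflow (CVE-2023-38545).

Added example, not code from the curl project. It (1) parses a curl/libcurl
version string and decides whether it falls in the affected range the
advisory gives (7.9.1 up to and including 8.3.0), and (2) flags redirect
targets whose hostname exceeds 255 characters when a SOCKS5 proxy is in
use, which are the preconditions the post describes. Sample inputs are
constructed.
"""
import re
from urllib.parse import urlsplit

AFFECTED_MIN = (7, 9, 1)   # first affected libcurl release
AFFECTED_MAX = (8, 3, 0)   # last affected release; 8.4.0 carries the fix
MAX_HOSTNAME = 255         # hostnames longer than this trigger the bug


def parse_version(text):
    """Extract the first x.y.z version from text such as the output of
    `curl --version` ("curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 ...").
    Returns a tuple of ints, or None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when 7.9.1 <= version <= 8.3.0 (inclusive range from the advisory)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def uses_socks5_proxy(proxy_url):
    """curl honours socks5:// and socks5h:// proxy URLs (via --proxy or the
    ALL_PROXY environment variable); any other proxy scheme is out of scope."""
    if not proxy_url:
        return False
    return urlsplit(proxy_url).scheme.lower() in ("socks5", "socks5h")


def redirect_is_suspicious(location, proxy_url):
    """Flag a Location header value that would make curl hand an over-long
    hostname to a SOCKS5 proxy. Returns (flagged, hostname_length)."""
    host = urlsplit(location).hostname or ""
    over_long = len(host) > MAX_HOSTNAME
    return (over_long and uses_socks5_proxy(proxy_url)), len(host)


def assess(version_text, proxy_url, location):
    """Combine the preconditions into one verdict string (constructed labels)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown-version"
    if not is_affected(v):
        return "patched-or-unaffected"
    flagged, _ = redirect_is_suspicious(location, proxy_url)
    return "exposed" if flagged else "affected-build-but-conditions-unmet"


if __name__ == "__main__":
    # Constructed sample inputs: an affected build, a SOCKS5 proxy setting,
    # and a redirect to a hostname well over the 255-character limit.
    long_host = "a" * 300 + ".example"
    print(assess("curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0",
                 "socks5h://127.0.0.1:1080", f"https://{long_host}/"))
```

The version check alone is the part worth automating across a fleet, since it needs nothing but `curl --version` output; the redirect check is what a forward proxy or egress log review would apply to `Location` values.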

Interestingly enough, security researcher Matthew Hickey (aka hackerfantastic) stated that cybersecurity experts and developers are more likely to be targets, as they are using cURL through SOCKS5, which is common during QA/security testing.

The biggest challenge with the release was the accidental early disclosure of one of the vulnerabilities, as well as an overstatement of the pair's impact on environments. While the flaws can be damaging to developers and security testers, they would not have affected most users. So, given curl's widespread use among those who were unaffected, the disclosure sounded alarm bells and created a buzz that went beyond the risk the vulnerabilities presented to the average user and organization.

If you want to really understand how a zero-day can affect your company, schedule a demo to see Glassportal: demo@glassportal.io
