Curl 8.4.0, a new version of the popular data transfer command line tool and library, was released on Wednesday, Oct. 11. Curl 8.4.0 fixes two vulnerabilities (one high severity and one low severity) that impacted several prior versions of Curl.
The vulnerabilities are:
- CVE-2023-38545 (SOCKS5 heap buffer overflow): A high-severity vulnerability that impacts both libcurl and the curl tool, versions 7.69.0 to and including 8.3.0
- CVE-2023-38546 (cookie injection with none file): A low-severity vulnerability that impacts libcurl 7.9.1 to and including 8.3.0
Curl project founder and lead developer Daniel Stenberg called the high-severity vulnerability “probably the worst curl security flaw in a long time,” underscoring the importance of getting the issue patched; however, other researchers aren’t so convinced.
While the CVE-2023-38545 vulnerability is classed as high severity, and buffer overflows are often used for RCE exploits, current indications lead many researchers to believe that this isn’t quite as exploitable as first thought due to the conditions required for successful exploitation.
Proof-of-concepts are available to demonstrate DoS attacks, but no known successful RCE exploits have popped up yet. In order for someone to take advantage of this vulnerability, a program using a vulnerable version of libcurl (or curl) would need to connect to a malicious URL using the SOCKS5 protocol with remote resolution.
News of the Curl vulnerabilities was first disclosed by Stenberg last week. Additional details were released along with the safe version 8.4.0 on Oct. 11.
Curl Vulnerability Details
As mentioned above, Curl 8.4.0 fixes two vulnerabilities. One (the high-severity CVE-2023-38545) impacts both the curl tool and libcurl, while the second (the low-severity CVE-2023-38546) impacts only libcurl.
The high-severity CVE-2023-38545 is a buffer overflow vulnerability in the heap-based download buffer used during the SOCKS negotiation before the transfer starts. If the target hostname is longer than the space available in that buffer, the extra data is written past the end of the buffer on the heap.
The low-severity CVE-2023-38546 allows users to insert cookies into a program at will, provided a series of conditions are met. The severity is low because several specific conditions need to be met, including a readable file (in the correct format) named none being in the directory of the program using libcurl.
Importantly, there is no API or ABI change in the safe Curl 8.4.0, which means that you shouldn’t need to make any changes to your calls to curl/libcurl; you should be able to simply update to the secure version.
How to Find and Fix Curl Vulnerabilities
Users with a paid subscription to FOSSA Vulnerability Management can use our product to help detect vulnerable versions of Curl.
From there, there are multiple methods of finding vulnerable versions of Curl in FOSSA:
Option 1: Navigate to your project in the UI and view your security issues
Option 2: Navigate to the “Packages” tab in the UI and either:
- Enter the CVE numbers in the “Select a CVE” bar on the bottom-right side of the package.
- Search for “Curl” in the “Search for package name” bar toward the top of the page.
FOSSA users without a Vulnerability Management subscription can search for vulnerable versions by using the API or by reviewing their projects’ dependency lists manually.
As mentioned, if and when you detect vulnerable versions of Curl in your project, it’s recommended to upgrade to the safe version 8.4.0. The Curl project also offered additional recommendations to safely fix the issue.
For the high-severity CVE-2023-38545:
- Do not use CURLPROXY_SOCKS5_HOSTNAME proxies with curl
- Do not set a proxy environment variable to socks5h://
For the low-severity CVE-2023-38546:
- curl_easy_setopt(cloned_curl, CURLOPT_COOKIELIST, "ALL"); right after every
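For teams reviewing dependency lists by hand, here is an added example (not the page's or the curl project's own code): a POSIX shell check that classifies a libcurl version string against the two affected ranges quoted above and flags proxy environment variables set to socks5h://, which the recommendation above warns against. The sample curl --version line and the list of proxy variable names it inspects are assumptions.

```shell
#!/bin/sh
# Added example, not from the page or the curl project. Assumes plain
# MAJOR.MINOR.PATCH version strings. Affected ranges as stated above:
#   CVE-2023-38545: 7.69.0 .. 8.3.0   CVE-2023-38546: 7.9.1 .. 8.3.0
# Turn "MAJOR.MINOR.PATCH" into one integer so ranges can be compared.
ver_num() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Pull the libcurl version out of `curl --version` output.
libcurl_version() {
  printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# Print the CVEs whose affected range contains the version; empty if none.
affected_cves() {
  v=$(ver_num "$1"); out=""
  if [ "$v" -ge "$(ver_num 7.69.0)" ] && [ "$v" -le "$(ver_num 8.3.0)" ]; then
    out="CVE-2023-38545"
  fi
  if [ "$v" -ge "$(ver_num 7.9.1)" ] && [ "$v" -le "$(ver_num 8.3.0)" ]; then
    out="${out:+$out }CVE-2023-38546"
  fi
  printf '%s' "$out"
}

# Names of proxy environment variables (a common subset, assumed here) whose
# value starts with socks5h://, i.e. SOCKS5 with remote name resolution.
socks5h_proxy_vars() {
  found=""
  for name in http_proxy https_proxy all_proxy HTTPS_PROXY ALL_PROXY; do
    eval "val=\${$name:-}"
    case "$val" in
      socks5h://*) found="${found:+$found }$name" ;;
    esac
  done
  printf '%s' "$found"
}

# Constructed sample of `curl --version` output so the script runs offline.
SAMPLE_OUTPUT='curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2'
report() {
  v=$(libcurl_version "$1"); cves=$(affected_cves "$v")
  if [ -n "$cves" ]; then echo "libcurl $v affected by: $cves; upgrade to 8.4.0"
  else echo "libcurl $v is outside the affected ranges"; fi
  vars=$(socks5h_proxy_vars)
  if [ -n "$vars" ]; then echo "warning: socks5h:// proxy set in: $vars"; fi
}
report "$SAMPLE_OUTPUT"
```

Replace SAMPLE_OUTPUT with the real output of curl --version on a host to check the installed build.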
Getting Started with FOSSA
If you aren’t a FOSSA user, you can get started by: