In a recent security alert, the team behind the popular open-source tool curl has announced the release of fixes for two vulnerabilities: CVE-2023-38545 and CVE-2023-38546.
Today’s release marks a crucial step in addressing these security concerns. Curl, a command-line tool for data transfer supporting various network protocols, plays a vital role in countless applications, with over 20 billion installations worldwide. Its underlying library, libcurl, also serves as a backbone for web-aware applications, making it an essential component of the internet ecosystem.
The high-severity vulnerability, CVE-2023-38545, affects both curl and libcurl (versions 7.69.0 through 8.3.0) and is a heap buffer overflow in the SOCKS5 proxy handshake. It is reachable when curl is asked to let the SOCKS5 proxy resolve the destination hostname (the socks5h:// scheme, or CURLPROXY_SOCKS5_HOSTNAME in libcurl) and that hostname is longer than the 255 bytes the SOCKS5 protocol can carry. curl is supposed to fall back to resolving such a name locally and send the proxy only the resulting address, but during a slow handshake a state-machine bug could lose that decision and copy the over-long hostname into a heap buffer that can be smaller than the name. The flaw therefore requires specific conditions to trigger, but it poses a significant security risk.
The low-severity CVE-2023-38546, on the other hand, is a cookie injection issue in libcurl alone. When an application duplicates an easy handle with curl_easy_duphandle() that has cookies enabled but no cookie file set, the copy ends up with a cookie file name of the literal string "none", which a later transfer then reads as a file of that name from the current working directory. An attacker who can place a file called none there can insert cookies into the running program.
“Attackers may integrate such vulnerabilities into automated tools, malware and bots, enabling automatic exploitation across various systems and applications,” explained Saeed Abbasi, manager of vulnerability and threat research at Qualys.
“While the exploitation involves using a slow SOCKS5 handshake and a specifically crafted URL, it’s conceivable that the technical barrier might not be excessively high for attackers with a certain level of expertise.”
The release of curl 8.4.0 addresses both vulnerabilities, with the priority on CVE-2023-38545. For that flaw, curl no longer silently switches to local resolve mode when a hostname is too long for SOCKS5 remote resolution; the transfer now fails with an error instead, so the over-long name is never copied into the heap buffer. For CVE-2023-38546, the handle-duplication logic is corrected so that the copied handle no longer picks up the bogus "none" cookie file name.
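To make the 255-byte limit concrete, here is an added example in Python (illustrative code, not curl's own implementation) that builds the two forms of SOCKS5 CONNECT request the article contrasts: the remote-resolve form that carries the hostname, and the local-resolve form that carries an already-resolved IPv4 address. A proxy-side decoder shows why the limit exists: the hostname is prefixed by a single length octet. The remote-resolve builder refuses over-long names with an error, which is the behaviour the article attributes to curl 8.4.0 rather than any fallback. The function names and the sample hostnames are assumptions of this example.

```python
import ipaddress
import struct

SOCKS5_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAINNAME = 0x03

# RFC 1928 encodes a domain-name destination as a one-octet length followed
# by the name itself, so a name longer than 255 bytes cannot be sent to the
# proxy for remote resolution at all. This is the limit the curl advisory
# refers to.
MAX_SOCKS5_HOSTNAME = 255


def build_socks5_connect_remote(hostname: str, port: int) -> bytes:
    """CONNECT request asking the proxy to resolve `hostname` (socks5h://).

    An over-long hostname is refused with an error, mirroring the post-fix
    behaviour described for curl 8.4.0, instead of being handled by a fallback.
    (Illustrative code, not curl's implementation.)
    """
    name = hostname.encode("ascii")  # hostnames travel on the wire as ASCII
    if len(name) > MAX_SOCKS5_HOSTNAME:
        raise ValueError(
            f"hostname is {len(name)} bytes; SOCKS5 remote resolve allows at most "
            f"{MAX_SOCKS5_HOSTNAME}"
        )
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (
        bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAINNAME, len(name)])
        + name
        + struct.pack("!H", port)
    )


def build_socks5_connect_local(resolved_ipv4: str, port: int) -> bytes:
    """CONNECT request carrying an address the client resolved itself (socks5://).

    This is the "local resolve" form: the hostname never reaches the proxy,
    only the 4-byte IPv4 address does, so its length is fixed.
    """
    addr = ipaddress.IPv4Address(resolved_ipv4).packed
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (
        bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
        + addr
        + struct.pack("!H", port)
    )


def parse_socks5_connect(data: bytes) -> tuple:
    """Proxy-side decoder returning (atyp, destination, port)."""
    if len(data) < 5 or data[0] != SOCKS5_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        dest = str(ipaddress.IPv4Address(data[4:8]))
        rest = data[8:]
    elif atyp == ATYP_DOMAINNAME:
        n = data[4]  # a single octet: this is why 255 is the cap
        dest = data[5:5 + n].decode("ascii")
        rest = data[5 + n:]
    else:
        raise ValueError(f"unsupported ATYP {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("malformed request length")
    (port,) = struct.unpack("!H", rest)
    return atyp, dest, port


if __name__ == "__main__":
    # Constructed inputs: a normal name, and a 304-byte name that must be refused.
    print(build_socks5_connect_remote("example.com", 443).hex())
    print(build_socks5_connect_local("93.184.216.34", 80).hex())
    try:
        build_socks5_connect_remote(".".join(["a" * 60] * 5), 80)
    except ValueError as exc:
        print("refused:", exc)
```

The point of the two builders side by side is that the only safe place for a hostname longer than 255 bytes is the local-resolve path; any code that decides between the two paths in one place and copies bytes in another, as a multi-step handshake does, has to carry that decision intact across every step.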
In a Qualys blog post last week, Abbasi recommended that organizations urgently inventory and scan the systems that use curl and libcurl to identify potentially vulnerable versions.
“Organizations must act swiftly to inventory, scan, and update all systems utilizing curl and libcurl,” he warned.
“In particular, the gravity of the high-severity vulnerability mandates immediate and cautious attention to safeguarding interconnected and web-aware applications, ensuring the rich data transfer functionality curl and libcurl provide remains unimpaired and secure.”
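As an added example of the inventory step recommended above (this is not Qualys's or the curl project's code), the following Python triages `curl --version` output against the affected ranges published in the curl advisories: CVE-2023-38545 covers 7.69.0 through 8.3.0 and CVE-2023-38546 covers 7.9.1 through 8.3.0, both fixed in 8.4.0. It checks the libcurl version rather than the tool version, because both bugs live in the library and the tool is exposed only through the libcurl it is linked against. The host names and version strings are constructed sample data; only `scan_local()` touches the real machine.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, taken from the curl project's advisories.
# Both bugs live in libcurl; the curl tool is affected through the libcurl
# it is linked against. Both are fixed in 8.4.0.
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),
}

# First line of `curl --version`, e.g.
# "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.10 zlib/1.2.13"
_FIRST_LINE = re.compile(r"^curl (\d+\.\d+(?:\.\d+)?) .*?libcurl/(\d+\.\d+(?:\.\d+)?)")

# Constructed sample outputs standing in for hosts in an inventory. The last
# one has a tool older than its library, which is why libcurl is what we check.
SAMPLE_OUTPUTS = {
    "build-host": "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.10 zlib/1.2.13\nRelease-Date: 2023-07-26\n",
    "old-ci-image": "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11\n",
    "mixed-link": "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.10 zlib/1.2.13\n",
}


def parse_version(text: str) -> Version:
    """Turn '7.68' or '8.2.1' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def parse_curl_version_output(output: str) -> Dict[str, Version]:
    """Return the tool and library versions from `curl --version` output."""
    first = output.splitlines()[0] if output.strip() else ""
    m = _FIRST_LINE.match(first)
    if not m:
        raise ValueError("unrecognised `curl --version` output")
    return {"curl": parse_version(m.group(1)), "libcurl": parse_version(m.group(2))}


def affected_cves(libcurl: Version) -> List[str]:
    """CVEs whose affected range contains this libcurl version."""
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= libcurl <= hi]


def triage(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to the CVEs its libcurl is exposed to."""
    return {
        host: affected_cves(parse_curl_version_output(out)["libcurl"])
        for host, out in outputs.items()
    }


def scan_local() -> Optional[List[str]]:
    """Run `curl --version` on this machine; None if curl is not installed."""
    try:
        out = subprocess.run(
            ["curl", "--version"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return affected_cves(parse_curl_version_output(out)["libcurl"])


if __name__ == "__main__":
    for host, cves in triage(SAMPLE_OUTPUTS).items():
        print(f"{host}: {', '.join(cves) if cves else 'not in an affected range'}")
    print("this machine:", scan_local())
```

Two caveats apply to any version-string check like this one. Distributions often backport the fix without changing the upstream version string, so a hit here should be confirmed against the package changelog or the vendor's security tracker before it is counted as exposure. Conversely, applications that bundle their own libcurl are invisible to `curl --version`, so the inventory also has to cover statically linked binaries and vendored copies, which is where the "interconnected and web-aware applications" Abbasi mentions tend to hide.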
Now that patches for these flaws are available, companies should update promptly to secure their systems.