2023-10-12

Fixes have been released for two vulnerabilities in the popular cURL library, the more severe of which could potentially result in malicious code execution.

The library is very popular, especially in Linux environments, and is used for a wide variety of purposes.

What are the two vulnerabilities affecting the cURL library?

The list of vulnerabilities is this:

CVE-2023-38545 (CVSS score: 7.5) – Heap-based buffer overflow in the SOCKS5 proxy handshake

CVE-2023-38546 (CVSS score: 5.0) – Cookie injection with a null file (a file that effectively does not exist)

CVE-2023-38545 is the more serious of the two and has been described by the project's lead developer, Daniel Stenberg, as "probably the worst cURL security vulnerability in a long time". It affects libcurl versions 7.69.0 to 8.3.0.

"This flaw causes cURL to overflow a heap-based buffer in the SOCKS5 proxy handshake procedure", the maintainers said in an advisory. "When you ask cURL to pass the hostname to the SOCKS5 proxy so it can resolve the address instead of doing so itself, the maximum length the hostname can be is 255 bytes".

The maintainers added: "If the host name is determined to be longer than 255 bytes, cURL switches to local name resolution and instead passes only the resolved address to the proxy. Due to a bug, the local variable that is supposed to mean 'let the host resolve the name' might take the wrong value during a slow SOCKS5 handshake and, contrary to intent, copy the too-long hostname into the destination buffer instead of copying only the resolved address."
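The 255-byte limit quoted above is not arbitrary: in the SOCKS5 wire format (RFC 1928) a hostname sent for remote resolution is prefixed by a single length octet, so no longer name can be encoded. The following is an added example, not code from the cURL project, showing a client that enforces that limit at encoding time and a parser that checks every declared length against the bytes actually present before slicing; the function and exception names are my own.

```python
import socket
import struct
from typing import Tuple

SOCKS5_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAINNAME = 0x03
ATYP_IPV6 = 0x04
# RFC 1928: the domain-name address form carries a one-octet length prefix,
# so a hostname handed to the proxy for resolution can never exceed 255 bytes.
MAX_SOCKS5_HOSTNAME = 255


class HostnameTooLong(ValueError):
    """Raised instead of silently falling back to another code path."""


def build_connect_request(host: str, port: int, remote_resolve: bool = True) -> bytes:
    """Encode a SOCKS5 CONNECT request (hypothetical helper).

    IP literals are always sent as ATYP 0x01/0x04. A hostname is sent as
    ATYP 0x03 only when remote_resolve is True and it fits the protocol's
    one-byte length field; anything longer is rejected outright rather than
    being copied somewhere it does not fit.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            packed = socket.inet_pton(family, host)
        except OSError:
            continue
        return bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00, atyp]) + packed + struct.pack("!H", port)
    if not remote_resolve:
        raise ValueError("local resolution requested but host is not an IP literal")
    encoded = host.encode("ascii")
    if len(encoded) > MAX_SOCKS5_HOSTNAME:
        raise HostnameTooLong(f"hostname is {len(encoded)} bytes, SOCKS5 allows at most {MAX_SOCKS5_HOSTNAME}")
    header = bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAINNAME, len(encoded)])
    return header + encoded + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> Tuple[str, int]:
    """Decode a CONNECT request (hypothetical helper), validating each
    declared length against the buffer before any slice is taken."""
    if len(data) < 4 or data[0] != SOCKS5_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_DOMAINNAME:
        if len(data) < 5:
            raise ValueError("truncated request")
        addr_len, addr_off = data[4], 5
    elif atyp == ATYP_IPV4:
        addr_len, addr_off = 4, 4
    elif atyp == ATYP_IPV6:
        addr_len, addr_off = 16, 4
    else:
        raise ValueError("unknown address type")
    addr_end = addr_off + addr_len
    if len(data) != addr_end + 2:  # address bytes followed by a 2-byte port
        raise ValueError("declared length does not match buffer size")
    addr = data[addr_off:addr_end]
    if atyp == ATYP_DOMAINNAME:
        host = addr.decode("ascii")
    elif atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, addr)
    else:
        host = socket.inet_ntop(socket.AF_INET6, addr)
    (port,) = struct.unpack("!H", data[addr_end:])
    return host, port


if __name__ == "__main__":
    # Constructed inputs: a normal name round-trips, an over-long one is refused.
    print(parse_connect_request(build_connect_request("example.com", 443)))
    try:
        build_connect_request("a" * 300 + ".example", 443)
    except HostnameTooLong as exc:
        print("refused:", exc)
```

The design point is that the length check sits next to the encoding and fails loudly; the bug described in the advisory came from a state flag that was meant to carry that decision across a multi-step handshake and could be wrong by the time the copy happened.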

The library's maintainers have stated that the vulnerability could likely be exploited without the need for a denial-of-service attack, and that an overflow could be triggered by a malicious HTTPS server redirecting to a specially crafted URL.

"Given that cURL is a ubiquitous project, it is safe to assume that this vulnerability will be widely exploited for remote code execution, as more sophisticated exploits are developed", JFrog said. "However, the set of prerequisites needed for a machine to be vulnerable is more restrictive than initially thought."

"A valid exploit would require an attacker to trigger code execution, for example by passing a hostname to a web application that triggers code execution in cURL", said Johannes B. Ullrich, dean of research at the SANS Technology Institute. "Furthermore, the exploit only exists if Curl is used to connect to a SOCKS5 proxy. This is also another dependency, making exploitation less likely."

The second vulnerability, which affects libcurl versions 7.9.1 through 8.3.0, allows a malicious actor to insert cookies at will into a running program using libcurl under specific circumstances.

Patches for both vulnerabilities are available in version 8.4.0, released on October 11, 2023; in particular, the update ensures that the library no longer switches to local resolution mode if the host name is too long, thus removing the path to the heap-based buffer overflow.
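Because the two issues have different affected ranges (7.69.0 to 8.3.0 and 7.9.1 to 8.3.0) and a single fixed release (8.4.0), the first triage step on a host is to read the libcurl version and compare it with both ranges. The following is an added example, not code from the cURL project, that parses the first line of `curl --version` output (the sample line is constructed) and reports which CVEs from this article apply; the ranges are the ones stated above.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the advisory text above (inclusive).
ADVISORIES = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),  # SOCKS5 heap-based buffer overflow
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),   # cookie injection with a null file
}
FIXED_IN: Version = (8, 4, 0)

# `curl --version` prints the bound libcurl as "libcurl/X.Y.Z" on its first line.
_LIBCURL_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")


def parse_libcurl_version(version_output: str) -> Version:
    """Extract the libcurl version tuple from `curl --version` output."""
    match = _LIBCURL_RE.search(version_output)
    if match is None:
        raise ValueError("no libcurl/X.Y.Z token found in version output")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def affected_cves(version: Version) -> List[str]:
    """Return the CVE identifiers whose stated range includes this version."""
    return [cve for cve, (low, high) in ADVISORIES.items() if low <= version <= high]


def triage(version_output: str) -> str:
    """One-line verdict for a host, suitable for an inventory report."""
    version = parse_libcurl_version(version_output)
    cves = affected_cves(version)
    label = ".".join(map(str, version))
    if not cves:
        return f"libcurl {label}: not in the affected ranges"
    fixed = ".".join(map(str, FIXED_IN))
    return f"libcurl {label}: affected by {', '.join(cves)}; upgrade to {fixed} or later"


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real system.
    SAMPLES = [
        "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.11",
        "curl 7.50.0 (x86_64-pc-linux-gnu) libcurl/7.50.0 OpenSSL/1.1.1",
        "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2",
    ]
    for line in SAMPLES:
        print(triage(line))
```

A version match is a starting point, not a verdict: distributions often backport fixes without bumping the version string, so a host flagged here should be confirmed against the vendor's own advisory before being counted as exposed, and a host whose application never uses a SOCKS5 proxy is outside the preconditions the quoted experts describe for CVE-2023-38545.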

"This family of flaws would have been impossible if cURL had been written in a memory-safe language instead of C, but migrating Curl to another language is not on the agenda", Stenberg added.
