curl vulnerabilities ironed out with patches after week-long tease

Updated After a week of rampant speculation about the nature of the security issues in curl, the latest version of the command line transfer tool was finally released today.

Described by curl project founder and lead developer Daniel Stenberg as "probably the worst curl security flaw in a long time," the patches address two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546.

We now know the first vulnerability, CVE-2023-38545, is a heap-based buffer overflow flaw that affects both libcurl and the curl tool, carrying a severity rating of "high." Possible outcomes of such issues include the corruption of data and, in the worst cases, the execution of arbitrary code.

Specifically, the buffer overflow can happen during a slow SOCKS5 proxy handshake. The vulnerability was triggered due to mishandling of hostnames longer than 255 bytes.

When a hostname exceeds 255 bytes, curl switches to local resolution instead of letting the proxy resolve the hostname remotely.

"Due to a bug, the local variable that means 'let the host resolve the name' could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too-long hostname to the target buffer instead of copying just the resolved address there," the advisory reads.

curl said the vulnerability could probably be exploited without the need for a denial of service attack or for the baddies to get SOCKS server control since a server's typical latency is slow enough.

An attacker could feasibly exploit this vulnerability using a malicious HTTPS server redirecting to a URL that was created specifically to trigger the heap buffer overflow, it said.

Applications that depend on libcurl 7.69.0 up to and including 8.3.0 – the previous most recent version – are advised to upgrade to 8.4.0 as soon as possible. Those with applications that haven't set the preferred receive buffer size (CURLOPT_BUFFERSIZE), or those that have set it to smaller than 65541 bytes, are especially vulnerable.

The curl tool's default configuration protects against the vulnerability, but applications that depend on libcurl may need to make changes.

Now fixed in version 8.4.0, the patch ensures an error is returned when hostnames longer than 255 bytes are encountered.

curl also advised against using CURLPROXY_SOCKS5_HOSTNAME proxies and setting a proxy environment variable to the socks5h:// scheme.

"Reading the code now it is impossible not to see the bug," said Stenberg in a blog. "Yes, it truly hurts having to accept the fact that I did this mistake without noticing and that the flaw then remained undiscovered in code for 1,315 days. I apologize. I am but a human.

"It could have been detected with a better set of tests. We repeatedly run several static code analyzers on the code and none of them have spotted any problems in this function.

"In hindsight, shipping a heap overflow in code installed in over 20 billion instances is not an experience I would recommend."

Vulnerability number two

The second vulnerability, CVE-2023-38546, is a less-severe cookie injection flaw and affects only libcurl.

The curl project's advisory says the likelihood that an attacker could meet the series of conditions required to trigger the vulnerability is low, and adds that even if they did, the risk of a cookie injection attack to the security of a user is also low.

To facilitate transfers, libcurl has a function called curl_easy_duphandle that is responsible for duplicating "easy handles" – individual handles for single transfers.

"If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned – but without cloning the actual cookies," the advisory reads.

"If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as 'none' (using the four ASCII letters, no quotes)."

If that cloned handle was used again, then it would load cookies from a file named "none," providing it was in the correct file format and if it existed in the directory of the program using libcurl.

The affected versions are libcurl 7.9.1 up to and including 8.3.0. Users are advised to upgrade to curl 8.4.0 and call curl_easy_setopt(cloned_curl, CURLOPT_COOKIELIST, "ALL"); after each call to curl_easy_duphandle();.
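
An added triage sketch, not code from the article or the curl project: it applies the two affected libcurl ranges quoted above to `curl --version` output and, where the SOCKS5 flaw applies, flags proxy variables set to the socks5h:// scheme. The sample version lines, the environment dictionary and the choice of proxy variables to scan are assumptions constructed for illustration.

```python
import re

# Affected libcurl ranges as stated in the article (both ends inclusive).
AFFECTED = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),  # SOCKS5 heap overflow
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),   # cookie injection via duphandle
}
# Proxy environment variables curl reads; the set scanned here is an assumption.
PROXY_VARS = ("all_proxy", "ALL_PROXY", "https_proxy", "HTTPS_PROXY", "http_proxy")


def libcurl_version(version_output):
    """Extract (major, minor, patch) from `curl --version` output."""
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no libcurl version found")
    return tuple(int(x) for x in m.groups())


def triage(version_output, env):
    """Return sorted findings for one host's curl build and environment."""
    ver = libcurl_version(version_output)
    shown = ".".join(map(str, ver))
    hits = [cve for cve, (low, high) in AFFECTED.items() if low <= ver <= high]
    findings = [f"{cve}: libcurl {shown} in affected range" for cve in hits]
    # socks5h:// asks the proxy to resolve the hostname, which is the code
    # path the advisory warns about; only relevant while 38545 is unpatched.
    if "CVE-2023-38545" in hits:
        for name in PROXY_VARS:
            if env.get(name, "").lower().startswith("socks5h://"):
                findings.append(f"proxy: {name} uses socks5h://")
    return sorted(findings)


# Constructed sample inputs (not captured from a real system).
SAMPLE_OLD = "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.9 zlib/1.2.13"
SAMPLE_FIXED = "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11"
SAMPLE_ENV = {"ALL_PROXY": "socks5h://127.0.0.1:9050",
              "HTTPS_PROXY": "http://proxy.example:3128"}

if __name__ == "__main__":
    for line in triage(SAMPLE_OLD, SAMPLE_ENV):
        print(line)
```

Distribution packages often backport fixes without changing the upstream version number, so a version match is a prompt to check the vendor's advisory, not proof of exposure.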

Uncoordinated disclosure

The patches were originally slated for a release today at 0600 UTC, but one project maintainer released the patch details for CVE-2023-38545 hours earlier than the scheduled go-live time.

The early leak came from Red Hat's CentOS Stream project on GitLab and its commit time confirmed it was made at 1725 UTC on October 10 instead of the actual scheduled release day and time.

Security researchers quickly attempted to understand how the vulnerabilities could be exploited using the information highlighted in the diff.

John Hammond documented his attempts in an X (formerly Twitter) thread but his tries, which found some small errors, ultimately didn't uncover a damaging exploit.

Katie Moussouris, CEO at Luta Security, said coordinated vulnerability disclosures can be "tricky business, especially when timezones are involved".

Memory safety

The idea that applications written in programming languages with fewer memory safety guardrails should be re-written in newer languages like Rust and Go has been long-running in the industry.

Stronger calls to make the change have come out of the US recently, with the National Security Agency (NSA) publishing its recommendation last year.

It raised concern over the number of memory safety-related vulnerabilities that were being exploited, citing Microsoft and Google's admission that about 70 percent of vulnerabilities are rooted in memory safety issues.

Stenberg admitted that the flaws found in curl would not have existed had it been written in a more memory-safe language instead of C, but confirmed there were no plans to make such a switch.

curl's approach will remain one that "allows, uses, and supports memory-safe languages," Stenberg said, and the ambition to replace curl's HTTP backend with the Rust-coded Hyper is still being considered.

"Such development is however currently happening in a near-glacial speed and shows with painful clarity the challenges involved. curl will remain written in C for the foreseeable future.

"Everyone not happy about this are of course welcome to roll up their sleeves and get working," he added. ®

Updated to add: Severity overblown?

When Stenberg announced the existence of the vulnerability in curl last week on October 4, saying it was curl's "worst security flaw in a long time," and offering few details more than that, the cybersecurity industry jumped to various conclusions like drawing comparisons between it and log4j.

In the hours since the patches were released today, many in the security community have voiced their opinion that the severity of the vulnerability was initially 'overblown'.

"Well this is underwhelming if it's in SOCKS," said Justin Elze of TrustedSec on X. "The primary reason I'm salty about curl is all the conversations and hype about it," he added in a follow-up post. "Companies already have a hard time prioritizing patches and determining vulnerability for various vulnerabilities. Fire drills like this eat up cycles when they could be focusing on things like KEV, their shiny new cloud, or AD."

It's really awesome this nothing burger is the worst they've had in forever
What I wouldn't give for this to qualify as "a large issue" for most other software out there...

— Nathan McNulty (@NathanMcNulty) October 11, 2023

Responding to a comment questioning the likelihood of a potential exploit, Stenberg said a more realistic attack scenario would involve a user of the TOR browser, one that often uses the SOCKS5 protocol, connecting to a compromised HTTPS site.

Muhammad Yahya Patel, lead security engineer at Check Point, told The Register that all vulnerabilities in widely used open source tools like curl "carry a huge amount of risk."

"Now that details have been published, it's all hands on deck to assess the impact and potential implications. It also highlights the importance of organizations knowing their SBOMs and having a full inventory of what components exist and where."

Others in the field have highlighted that SOCKS5 isn't often used, especially in a business environment, which would limit the effectiveness of any exploit that was to be developed. "Perhaps the one shield of defense we have is that the connection must go through a SOCKS5 proxy, which, in my opinion, is not a very common deployment," said Pieter Danhieux, co-founder and CEO at Secure Code Warrior.

"However, security researchers – good and bad – tend to be highly creative, and with today's disclosure of vulnerability information, will be pulling out all stops to find every avenue to mass-exploit these weaknesses through other means."