Wiz Defend is Here: Threat detection and response for cloud

CVE-2023-38545 high severity vulnerability in cURL: everything you need to know

Detect and mitigate CVE-2023-38545, a high severity buffer overflow vulnerability in cURL. Organizations should upgrade to the patched version.

2 minutes read

The cURL team published version 8.4.0 on October 11, 2023, after announcing that it includes a fix for a high severity vulnerability assigned CVE-2023-38545. This vulnerability is a buffer overflow flaw in the SOCKS5 proxy handshake. It is recommended to upgrade cURL to the patched version 8.4.0 or up. 

What is CVE-2023-38545? 

This flaw causes curl to overflow a heap-based buffer during the SOCKS5 proxy handshake. When curl is instructed to forward the hostname to the SOCKS5 proxy for address resolution instead of handling it internally, the maximum allowable length for the hostname is 255 bytes. 

If the hostname is identified as being longer than 255 bytes, curl switches to local name resolution and only passes the resolved address to the proxy. Unfortunately, due to a bug, the local variable responsible for instructing the host to resolve the name could receive an incorrect value during a slow SOCKS5 handshake. This, contrary to the intended behavior, leads to the entire excessively long hostname being copied to the target buffer instead of just the resolved address. A heap buffer overflow then occurs.  

Wiz Research: what’s the practical risk?      

Based on our initial assessment, the following observations can be made regarding CVE-2023-38545: 

  • To be susceptible to this vulnerability, an application must be using libcurl with a socks5 proxy and make a request to a malicious URL (such as in a webhook scenario). 

  • Since this is a memory corruption vulnerability, exploiting it beyond a Denial-of-Service attack may prove to be challenging. Furthermore, we are currently not aware of any Remote Code Execution exploit available for this issue. 

  • Taking these factors into account, we have reason to believe that at this time the likelihood of malicious exploitation of this vulnerability by threat actors in the wild is relatively low. 

  • It is important to note that due to the the fact that this vulnerability resides in a library, various applications could be utilizing libcurl in a vulnerable manner. As we compile a list of such applications, we will provide updates in this post, especially highlighting those of significant concern. 

Which products are affected? 

This vulnerability impacts libcurl 7.69.0 to and including 8.3.0. 

Which actions should security teams take? 

It is recommended to upgrade cURL to version 8.4.0. 

For Windows instances, it is recommended to wait for an official Microsoft patch, as manually patching cURL can disrupt the Windows update. 

While the official solution for this flaw is to apply the patch, the cURL team also offered the following mitigations: 

  • Do not use CURLPROXY_SOCKS5_HOSTNAME proxies with curl 

  • Do not set a proxy environment variable to socks5h:// 

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 

 

References 

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management