The cURL team published version 8.4.0 on October 11, 2023, after announcing that it includes a fix for a high severity vulnerability assigned CVE-2023-38545. This vulnerability is a heap buffer overflow in the SOCKS5 proxy handshake. It is recommended to upgrade cURL to the patched version 8.4.0 or later.
What is CVE-2023-38545?
This flaw causes curl to overflow a heap-based buffer during the SOCKS5 proxy handshake. When curl is instructed to forward the hostname to the SOCKS5 proxy for address resolution instead of handling it internally, the maximum allowable length for the hostname is 255 bytes.
If the hostname is longer than 255 bytes, curl is supposed to switch to local name resolution and pass only the resolved address to the proxy. Unfortunately, due to a bug, the local variable that tells curl to resolve the name locally could receive an incorrect value during a slow SOCKS5 handshake. Contrary to the intended behavior, this leads to the entire excessively long hostname being copied to the target buffer instead of just the resolved address, and a heap buffer overflow occurs.
Wiz Research: what’s the practical risk?
Based on our initial assessment, the following observations can be made regarding CVE-2023-38545:
To be susceptible to this vulnerability, an application must be using libcurl with a socks5 proxy and make a request to a malicious URL (such as in a webhook scenario).
Since this is a memory corruption vulnerability, exploiting it beyond a Denial-of-Service attack may prove to be challenging. Furthermore, we are currently not aware of any Remote Code Execution exploit available for this issue.
Taking these factors into account, we have reason to believe that at this time the likelihood of malicious exploitation of this vulnerability by threat actors in the wild is relatively low.
It is important to note that, because this vulnerability resides in a library, various applications could be using libcurl in a vulnerable manner. As we compile a list of such applications, we will provide updates in this post, especially highlighting those of significant concern.
Which products are affected?
This vulnerability impacts libcurl 7.69.0 up to and including 8.3.0.
Which actions should security teams take?
It is recommended to upgrade cURL to version 8.4.0.
For Windows instances, it is recommended to wait for an official Microsoft patch, as manually patching cURL can interfere with Windows Update.
While the official solution for this flaw is to apply the patch, the cURL team also offered the following mitigations:
Do not use CURLPROXY_SOCKS5_HOSTNAME proxies with curl
Do not set a proxy environment variable to socks5h://
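A host triage script that combines the two facts above, the affected libcurl range (7.69.0 through 8.3.0) and the socks5h:// proxy mitigation, into a single check. This is an added example, not code from Wiz or the curl project; the set of proxy environment variables inspected and the risk labels are assumptions of the example, and it cannot see applications that select CURLPROXY_SOCKS5_HOSTNAME programmatically rather than through the environment.

```python
import os
import re
import subprocess

# Affected range as stated in the advisory: 7.69.0 up to and including 8.3.0,
# i.e. everything before the fixed release 8.4.0.
FIRST_AFFECTED = (7, 69, 0)
FIRST_FIXED = (8, 4, 0)

# Proxy environment variables libcurl reads (assumption of this example: curl
# documents http_proxy as lowercase-only, the others in either case).
PROXY_ENV_VARS = ("ALL_PROXY", "all_proxy", "HTTPS_PROXY", "https_proxy", "http_proxy")


def parse_version(text):
    """Return (major, minor, patch) from `curl --version` output or a bare version.

    The libcurl/X.Y.Z token is preferred because the curl binary and the shared
    libcurl it links against can carry different versions.
    """
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", text) or re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True when the libcurl version falls inside the advisory's affected range."""
    return FIRST_AFFECTED <= tuple(version) < FIRST_FIXED


def socks5h_proxies(env):
    """Proxy variables whose value uses socks5h://, i.e. proxy-side name resolution."""
    return {k: v for k, v in env.items() if k in PROXY_ENV_VARS and v.lower().startswith("socks5h://")}


def assess(version_output, env):
    """Combine the version check and the environment check into one verdict."""
    version = parse_version(version_output)
    affected = version_affected(version)
    hostname_mode = socks5h_proxies(env)
    if affected and hostname_mode:
        risk = "affected library and socks5h:// proxy configured: patch or drop the proxy"
    elif affected:
        risk = "affected library, no socks5h:// proxy in environment: still patch"
    else:
        risk = "not in affected range"
    return {"version": version, "affected": affected, "socks5h": hostname_mode, "risk": risk}


if __name__ == "__main__":
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=False).stdout
        print(assess(out, dict(os.environ)))
    except FileNotFoundError:
        print("curl binary not found on PATH")
```

Run it on a host to get a verdict for the curl binary on PATH; to check a vendored libcurl, pass that library's version string to `assess` directly.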
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.