{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-076.pdf"
    },
    "title": "Vulnerability in cURL and libcurl",
    "serial_number": "2023-076",
    "publish_date": "11-10-2023 11:06:46",
    "description": "A security vulnerability in the cURL tool and libcurl library has been identified. This flaw enables a heap-based buffer overflow during the SOCKS5 proxy handshake, potentially allowing malicious actors to execute arbitrary code (RCE). At this time, CERT-EU is not aware of any active exploits leveraging this vulnerability. The vulnerability affects libcurl versions 7.69.0 to 8.3.0. The issue was reported on September 30, 2023, and a patch has been released in curl version 8.4.0. The vulnerability is tracked as \"CVE-2023-38545\".",
    "url_title": "2023-076",
    "content_markdown": "---\ntitle: 'Vulnerability in cURL and libcurl'\nversion: '1.0'\nnumber: '2023-076'\noriginal_date: 'October 11, 2023'\ndate: 'October 11, 2023'\n---\n\n_History:_\n\n* _11/10/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nA security vulnerability in the cURL tool and libcurl library has been identified [1]. This flaw enables a heap-based buffer overflow during the SOCKS5 proxy handshake, potentially allowing malicious actors to execute arbitrary code (RCE). At this time, CERT-EU is not aware of any active exploits leveraging this vulnerability. The vulnerability affects libcurl versions 7.69.0 to 8.3.0. The issue was reported on September 30, 2023, and a patch has been released in curl version 8.4.0. The vulnerability is tracked as `CVE-2023-38545`.\n\n# Technical Details\n\nThe vulnerability arises from a bug in curl's handling of hostnames during the SOCKS5 proxy handshake. When instructed to forward the hostname to the SOCKS5 proxy for resolution, curl has a maximum limit of 255 bytes. If a hostname longer than this is encountered, a bug may cause the program to mistakenly copy the entire hostname to the target buffer, instead of just the resolved address.\n\nFor the vulnerability to be exploitable, the application must use a `socks5h` proxy as described below.\n\nIn libcurl:\n\n- `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:\n- `CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`, or:\n- One of the proxy environment variables set to use the `socks5h://` scheme, for example `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.\n\nIn the cURL tool:\n\n- `--socks5-hostname`, or:\n- `--proxy` or `--preproxy` set to use the scheme `socks5h://`, or:\n- Environment variables as described in the libcurl section.\n\nIt also requires that the victim access an attacker-controlled website.\n\n# Affected Products\n\n- libcurl 7.69.0 to 8.3.0\n\nNote: Versions prior to 7.69.0 are **not affected**.\n\n# Recommendations\n\nWhile CERT-EU assesses the exploitability of this vulnerability as low, CERT-EU recommends updating to cURL 8.4.0.\n\nAs cURL and libcurl are used by a large variety of operating systems and applications, CERT-EU recommends prioritising patching on public-facing applications, especially those accepting arbitrary user input, and on critical systems.\n\n# References\n\n[1] <https://curl.se/docs/CVE-2023-38545.html>",
    "content_html": "<p><em>History:</em></p><ul><li><em>11/10/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A security vulnerability in the cURL tool and libcurl library has been identified [1]. This flaw enables a heap-based buffer overflow during the SOCKS5 proxy handshake, potentially allowing malicious actors to execute arbitrary code (RCE). At this time, CERT-EU is not aware of any active exploits leveraging this vulnerability. The vulnerability affects libcurl versions 7.69.0 to 8.3.0. The issue was reported on September 30, 2023, and a patch has been released in curl version 8.4.0. The vulnerability is tracked as <code>CVE-2023-38545</code>.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability arises from a bug in curl's handling of hostnames during the SOCKS5 proxy handshake. When instructed to forward the hostname to the SOCKS5 proxy for resolution, curl has a maximum limit of 255 bytes. If a hostname longer than this is encountered, a bug may cause the program to mistakenly copy the entire hostname to the target buffer, instead of just the resolved address.</p><p>For the vulnerability to be exploitable, the application must use a <code>socks5h</code> proxy as described below.</p><p>In libcurl:</p><ul><li><code>CURLOPT_PROXYTYPE</code> set to type <code>CURLPROXY_SOCKS5_HOSTNAME</code>, or:</li><li><code>CURLOPT_PROXY</code> or <code>CURLOPT_PRE_PROXY</code> set to use the scheme <code>socks5h://</code>, or:</li><li>One of the proxy environment variables set to use the <code>socks5h://</code> scheme, for example <code>http_proxy</code>, <code>HTTPS_PROXY</code> or <code>ALL_PROXY</code>.</li></ul><p>In the cURL tool:</p><ul><li><code>--socks5-hostname</code>, or:</li><li><code>--proxy</code> or <code>--preproxy</code> set to use the scheme <code>socks5h://</code>, or:</li><li>Environment variables as described in the libcurl section.</li></ul><p>It also requires that the victim access an attacker-controlled website.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>libcurl 7.69.0 to 8.3.0</li></ul><p>Note: Versions prior to 7.69.0 are <strong>not affected</strong>.</p><h2 id=\"recommendations\">Recommendations</h2><p>While CERT-EU assesses the exploitability of this vulnerability as low, CERT-EU recommends updating to cURL 8.4.0.</p><p>As cURL and libcurl are used by a large variety of operating systems and applications, CERT-EU recommends prioritising patching on public-facing applications, especially those accepting arbitrary user input, and on critical systems.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://curl.se/docs/CVE-2023-38545.html\">https://curl.se/docs/CVE-2023-38545.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}