The maintainers of the cURL data transfer project on Wednesday rolled out patches for a severe memory corruption vulnerability that exposes millions of enterprise OSes, applications and devices to malicious hacker attacks.
According to an high-risk bulletin, the flaw poses a direct threat to the SOCKS5 proxy handshake process in cURL and can be exploited remotely in some non-standard configurations.
The bug, tracked as CVE-2023-38545, exists in the libcurl library that handles data exchange between devices and servers.
From the advisory:
“When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes.
If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means “let the host resolve the name” could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.”
Swedish open source developer and curl maintainer Daniel Stenberg explained that the bug was introduced in February 2020 during related coding work on cURL’s SOCKS5 support.
“An attacker that controls an HTTPS server that a libcurl using client accesses over a SOCKS5 proxy (using the proxy-resolver-mode) can make it return a crafted redirect to the application via a HTTP 30x response,” Stenberg explained, warning that in certain conditions, a heap buffer overflow is triggered.
“This problem is the worst security problem found in [libcurl] in a long time,” Stenberg said. The issue was reported via the HackerOne platform by Jay Satiro and paid out $4,600, the largest cURL bug bounty to date.
Affected versions have been flagged as libcurl versions 7.69.0 to 8.3.0. The project said the issue has been fixed in cURL 8.4.0.
cURL provides both a library (libcurl) and command-line tool (curl) for transferring data with URL syntax, supporting various network protocols, including SSL, TLS, HTTP, FTP, SMTP, among others.
Earlier this week, cURL released a pre-patch advisory urging organizations to urgently inventory and scan all systems utilizing curl and libcurl and prepare to apply the patches in cURL 8.4.0.
According to curl’s maintainers, the vulnerability potentially impacts all projects relying on libcurl, although some software may use it in a way that does not allow exploitation. “Updating the shared libcurl library should be enough to fix this issue on all operating systems.”