Updated October 11. In brief: curl 8.4.0 has been published, patching this issue, which is described in detail here. It is a heap-based buffer overflow in curl’s SOCKS5 proxy handshake. Triggering it takes a SOCKS5 proxy that is asked to do the name resolution itself (a socks5h:// proxy), a hostname in the URL longer than the 255 bytes the SOCKS5 protocol allows, and a handshake slow enough that curl re-enters its state machine, at which point the over-long hostname is copied into a heap buffer instead of being rejected. It looks moderately hard to exploit, but swift patching is recommended given the attention it has had.
A serious vulnerability in curl, an open source tool that has more than 20 billion installations, is getting patched on Wednesday (October 11) and it has many information security professionals on tenterhooks.
The curl project maintainers on October 4, 2023 announced the pending release of curl version 8.4.0, warning that it includes a fix for a high-severity issue, assigned CVE-2023-38545, which is arguably “the worst curl security flaw in a long time” – but without sharing details.
Curl’s original author, Daniel Stenberg, said in a GitHub conversation: "In general terms: everything that uses libcurl could theoretically use libcurl in a way that triggers this vulnerability, assuming that the conditions apply and that a vulnerable libcurl version is used.
"Of course", he added in a now-locked thread, "some/many users will also use libcurl without being able to trigger the vulnerability."
Given curl’s ubiquity, the vulnerability could turn out to be a major headache if it proves easy to exploit. And given the visibility of the pre-notification, security researchers will be scrambling to reverse the patch, and some will publish proof-of-concept exploits.
The vulnerability discussed here is one of two being fixed in 8.4.0, but the only high-severity one. It affects both libcurl and the curl tool.
What is curl and where is curl?
Curl is an open-source command-line tool for transferring data with URL syntax. It supports network protocols such as HTTP(S), FTP(S), SMTP and many more, using TLS for the encrypted variants. Developers and system administrators use it to interact with APIs, download files and create automated workflows, among other internet-based tasks. Its libcurl client-side URL transfer library supports the same wide range of protocols and lets developers add data transfer functionality to their own applications, so that their software can talk to servers for tasks like sending HTTP requests, managing cookies and handling authentication. This makes it a vital building block for interconnected and web-aware applications, and it is why an application can be exposed to a libcurl flaw without ever invoking the curl command-line tool.
Stenberg, responding to criticism that the early warning gave exploit hunters a heads-up, said the advance warning did the following:
"[Allowed] us a few days for more deliberating on the vulnerability, to really think it through, write the advisory, understand it proper. Rinse and repeat. [Gave] "distro people" a few days to prepare patched updates [and] a few days for the project (and me) to line up things to prepare for the new release. [Let us] spread the word about the pending release and the main reason for it in the mean time [and] the release needs to work with my personal schedule and Wednesdays are our standard release days."
“Sure, there is a minuscule risk that someone can find this (again) before we ship the patch, but this issue has stayed undetected for years for a reason. I think taking a few days to make sure we do a solid release is worth this risk,” he added.
“There is no API nor ABI change in the coming curl release. I cannot disclose any information about which version range that is affected, as that would help identify the problem (area) with a very high accuracy so I cannot do that ahead of time. The ‘last several years’ of versions is as specific as I can get” said one project maintainer in a GitHub update.
As Qualys notes in a blog: “Updating the shared libcurl library is the anticipated universal fix across operating systems. Yet, according to the maintainer, a sizable number of rebuilds are expected, particularly in docker images and similar entities that incorporate their libcurl copies.”
Docker adds: “The first step is to understand whether your images have a dependency on curl. Having a dependency on curl won’t necessarily mean the exploit will be possible for your application. The quickest way to assess all images is to enable Docker Scout for your container registry.”
(Docker Scout is a tool that gives developers analysis of, and context for, the components, libraries and tools inside an image. It supports Docker Hub, JFrog Artifactory and AWS Elastic Container Registry. Other tools are available.)
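The inventory step that Qualys and Docker describe above can be started with nothing more than `curl --version` output, collected from each host and from inside each container image (which, as the maintainer notes, carries its own copy of libcurl). The script below is an added example written for this page, not code from the curl project, Docker or Qualys. It assumes the affected range the curl advisory published alongside 8.4.0, namely 7.69.0 up to and including 8.3.0, and it keys on the `libcurl/` token in the version banner, because it is the linked library, not the tool binary, that an application actually runs. The sample banner in `SAMPLE` is constructed for the demo run, not captured from a real host.

```shell
#!/bin/sh
# Added example (not curl-project code): triage curl/libcurl versions for
# CVE-2023-38545 across hosts and container images.
# ASSUMPTION, taken from the curl advisory released with 8.4.0: versions
# 7.69.0 through 8.3.0 inclusive are affected; 8.4.0 carries the fix.
AFFECTED_FIRST=7.69.0
AFFECTED_LAST=8.3.0

# to_num VERSION: map "8.3.0" (or "8.3.0-DEV") to a sortable integer.
to_num() {
  vv=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop suffixes like -DEV
  maj=$(printf '%s' "$vv" | cut -d. -f1)
  min=$(printf '%s' "$vv" | cut -s -d. -f2)
  pat=$(printf '%s' "$vv" | cut -s -d. -f3)
  echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# affected VERSION: success (exit 0) if VERSION lies inside the affected range.
# Caveat: a distribution may backport the fix without bumping the version, so a
# hit here means "check the distro advisory", not "definitely vulnerable".
affected() {
  n=$(to_num "$1")
  [ "$n" -ge "$(to_num "$AFFECTED_FIRST")" ] && \
    [ "$n" -le "$(to_num "$AFFECTED_LAST")" ]
}

# libcurl_version_from BANNER: pull "x.y.z" after "libcurl/" from the first
# line of `curl --version` output, e.g. "curl 8.1.2 (...) libcurl/8.1.2 ...".
libcurl_version_from() {
  printf '%s\n' "$1" | sed -n '1s|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# verdict BANNER: one-line triage result for a captured version banner.
verdict() {
  v=$(libcurl_version_from "$1")
  if [ -z "$v" ]; then
    echo "unknown: could not parse libcurl version"
  elif affected "$v"; then
    echo "VULNERABLE: libcurl $v (update to 8.4.0 or a distro-patched build)"
  else
    echo "not affected by version: libcurl $v"
  fi
}

# scan_image IMAGE: run curl inside a container image and triage its banner.
# Not executed in the demo; it needs a Docker daemon. Images without a curl
# binary come back as "unknown" and need a file-system scan for libcurl.so instead.
scan_image() {
  banner=$(docker run --rm --entrypoint curl "$1" --version 2>/dev/null)
  printf '%s: %s\n' "$1" "$(verdict "$banner")"
}

# Constructed sample banner for the demo run (not captured from a real host).
SAMPLE='curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2 zlib/1.2.11
Release-Date: 2023-05-30
Protocols: dict file ftp ftps http https'

# Usage on a host:    curl --version | { IFS= read -r l; verdict "$l"; }
# Usage on an image:  scan_image registry.example/app:1.2.3  (hypothetical name)
if [ "${1:-}" = "--demo" ]; then
  verdict "$SAMPLE"
fi
```

A version hit is only the first filter. The flaw is reachable only when libcurl is told to use a SOCKS5 proxy with proxy-side name resolution (a socks5h:// proxy URL, or CURLPROXY_SOCKS5_HOSTNAME in code), so an image that depends on libcurl but never talks through such a proxy is, as Docker says, not necessarily exploitable; it should still be rebuilt on 8.4.0 or a distro-patched library rather than left on the theory that the proxy configuration will never change.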
Not all open source projects are able to successfully triage and patch vulnerability reports. curl does. As curl founder Daniel Stenberg noted in a recent blog about another (controversial) curl CVE: “In the curl project we work hard and fierce on security and we always work with security researchers who report problems. We file our own CVEs, we document them and we make sure to tell the world about them.
“We list over 140 of them with every imaginable detail about them provided. We aim at providing gold-level documentation for everything and that includes our past security vulnerabilities” Stenberg added.
Its sheer ubiquity could, however, leave companies scrambling to assess exposure, as was the case when a series of Log4j vulnerabilities landed.
As Qualys’ team notes: “organizations must act swiftly to inventory, scan, and update all systems utilizing curl and libcurl.
“In particular, the gravity of the high-severity vulnerability mandates immediate and cautious attention to safeguarding interconnected and web-aware applications, ensuring the rich data transfer functionality curl and libcurl provide remain unimpaired and secure.”
The Stack will share updates as soon as they land. Make sure you are subscribed for a swift alert and helpful industry insight shortly after the curl vulnerability details are published.