Patches have been released for two security flaws impacting the Curl information transfer library, the most significant of which could likely consequence in code execution.
The record of vulnerabilities is as follows –
- CVE-2023-38545 (CVSS score: 7.5) – SOCKS5 heap-centered buffer overflow vulnerability
- CVE-2023-38546 (CVSS rating: 5.) – Cookie injection with none file
CVE-2023-38545 is the more serious of the two, and has been explained by the project’s lead developer, Daniel Stenberg, as “most likely the worst Curl security flaw in a prolonged time.” It influences libcurl versions 7.69. to and including 8.3..
“This flaw helps make Curl overflow a heap-primarily based buffer in the SOCKS5 proxy handshake,” the maintainers explained in an advisory. “When Curl is questioned to pass together the hostname to the SOCKS5 proxy to allow for that to resolve the handle as an alternative of it getting completed by Curl alone, the utmost length that hostname can be is 255 bytes.”
“If the hostname is detected to be lengthier than 255 bytes, Curl switches to local title resolving and instead passes on the fixed handle only to the proxy. Because of to a bug, the area variable that signifies ‘let the host take care of the name’ could get the mistaken value all through a slow SOCKS5 handshake, and contrary to the intention, copy the much too extended hostname to the focus on buffer as an alternative of copying just the resolved tackle there.”
Curl claimed the vulnerability could probably be exploited without the need to have for a denial-of-provider attack and an overflow could be activated with a malicious HTTPS server performing a redirect to a specifically crafted URL.
“Viewing that Curl is an ubiquitous project it can be assumed with very good confidence that this vulnerability will get exploited in the wild for distant code execution, with far more sophisticated exploits currently being designed,” JFrog explained. “Nonetheless – the set of pre-ailments essential in get for a equipment to be susceptible is a lot more restrictive than to begin with believed.”
“A legitimate exploit would demand an attacker to set off code execution by, for example, passing a hostname to a web application that would trigger the code execution in Curl,” Johannes B. Ullrich, the dean of research at the SANS Technology Institute, mentioned. “Subsequent, the exploit only exists if Curl is employed to join to a SOCKS5 proxy. This is yet another dependency, making exploitation fewer very likely.”
The second vulnerability, which impacts libcurl variations 7.9.1 to 8.3., allows a poor actor to insert cookies at will into a operating system using libcurl under particular situations.
Patches for equally flaws are out there in variation 8.4. launched on October 11, 2023. Especially, the update makes sure that Curl no lengthier switches to regional take care of manner if a hostname is far too very long, thereby mitigating the risk of heap-dependent buffer overflows.
“This family of flaws would have been not possible if Curl experienced been written in a memory-protected language as an alternative of C, but porting Curl to a different language is not on the agenda,” Stenberg added.
Discovered this post interesting? Observe us on Twitter and LinkedIn to read through much more exclusive content we article.
Some parts of this article are sourced from:
thehackernews.com