Apply patch in curl for high-severity vulnerability
This message is intended for U-M IT staff who are responsible for any systems that utilize curl and libcurl. This Advisory has been updated to reflect that curl 8.4.0 has been released to address the vulnerability in curl and libcurl.
Summary
An update to address a high-severity vulnerability in curl and libcurl, a command line tool and library for transferring data, has been released with curl 8.4.0. Apply the patch as soon as possible after appropriate testing to affected systems, especially those using SOCKS5 proxies.
Problem
The high-severity vulnerability (CVE-2023-38545) is a heap-based buffer overflow in curl's SOCKS5 proxy handling. It is reachable when curl is configured to let a SOCKS5 proxy resolve hostnames (for example a socks5h:// proxy) and is pointed, such as by an HTTP redirect from an untrusted web server, at a hostname longer than 255 bytes. Successful exploitation could lead to arbitrary remote code execution.
Threats
There are no reports of the vulnerability being exploited in the wild. However, exploitation could begin quickly now that the vulnerability details have been released.
Affected Versions
Curl versions 7.69.0 up to and including 8.3.0
Action Items
Update affected systems to curl 8.4.0, with priority placed on those that are functioning as web servers or web application servers exposed to access from the internet, and in particular on any system that uses curl or libcurl through a SOCKS5 proxy to fetch URLs supplied by, or redirected from, untrusted parties. If upgrading is not possible, the curl team has issued patches that can be applied to older versions. If curl or libcurl is embedded in a vendor-supplied product, check with your vendor for compatibility; you may need to wait for a vendor-supplied patch. Note that distribution packages often backport the fix without changing the upstream version number, so confirm the fix through the package changelog rather than the version string alone.
Technical Details
According to the curl advisory, the overflow can occur during a slow SOCKS5 proxy handshake. When curl is asked to let the SOCKS5 proxy resolve the destination hostname, the longest hostname the protocol can carry is 255 bytes. If the hostname is longer, curl is supposed to switch to resolving it locally and pass only the resolved address to the proxy. Because of the bug, the local variable that means "resolve the name locally" could get the wrong value during a slow SOCKS5 handshake, so curl copied the over-long hostname into the target buffer instead of the resolved address, overflowing that heap-allocated buffer. The curl advisory also notes that the overflow is only reachable when the target buffer is smaller than 65541 bytes: the curl command line tool uses a 100 kB buffer by default and is affected only when a user sets --limit-rate below that size, while libcurl's default download buffer is 16 kB, so applications built on libcurl with default settings are affected. Until a fixed version is in place, the workarounds listed by the curl team are not to use CURLPROXY_SOCKS5_HOSTNAME proxies and not to set a proxy environment variable to socks5h://.
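The following triage script is an added example for this advisory; it is not part of the U-M advisory or of the curl project. It combines the checks implied by the Action Items and Technical Details above: whether the reported curl and libcurl versions fall in the affected range 7.69.0 to 8.3.0, whether a distribution package carries a backported fix under an unchanged version number, and whether the host's proxy environment variables point curl at a socks5h:// proxy (the remote-resolving configuration the curl advisory names as the trigger). The package name, changelog paths, and the sample `curl --version` line used for testing are assumptions for a typical rpm- or dpkg-based Linux host.

```sh
#!/bin/sh
# Added example (not from the U-M advisory or the curl project): triage one
# host for CVE-2023-38545. Package name and changelog locations are assumed.

AFFECTED_LOW=7.69.0
AFFECTED_HIGH=8.3.0
CVE=CVE-2023-38545

# Turn "major.minor.patch" into a zero-padded integer so plain -ge/-le
# comparisons order versions correctly (8.3.0 -> 8003000, 7.69.0 -> 7069000).
# A non-numeric suffix such as "8.3.0-DEV" is dropped first. The body runs in
# a subshell so the IFS change does not leak into the caller.
version_key() (
    IFS=.
    set -- $(printf '%s' "$1" | sed 's/[^0-9.].*//')
    printf '%d%03d%03d\n' "${1:-0}" "${2:-0}" "${3:-0}"
)

# True (exit 0) if the version lies in the affected range, inclusive.
curl_version_affected() {
    v=$(version_key "$1")
    [ "$v" -ge "$(version_key "$AFFECTED_LOW")" ] &&
        [ "$v" -le "$(version_key "$AFFECTED_HIGH")" ]
}

# The first line of `curl --version` looks like
#   curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 ...
# The second field is the tool version; the libcurl/ token is the library
# version, which is what applications linking libcurl actually run.
parse_curl_version_line() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}
parse_libcurl_version_line() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# socks5h:// asks the proxy to resolve the hostname, the path the advisory
# describes; socks5:// resolves locally and does not reach that code path.
proxy_resolves_on_proxy() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        socks5h://*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Check the proxy environment variables curl honours for a socks5h:// value.
# Prints the offending NAME=value and returns 0 on a hit.
env_uses_socks5h() {
    for var in ALL_PROXY all_proxy http_proxy HTTPS_PROXY https_proxy; do
        eval "val=\${$var:-}"
        if [ -n "$val" ] && proxy_resolves_on_proxy "$val"; then
            printf '%s=%s\n' "$var" "$val"
            return 0
        fi
    done
    return 1
}

# Backporting distributions fix the bug without bumping the upstream
# version; their package changelog records the CVE. Paths and package name
# are assumptions for rpm- and dpkg-based systems.
package_changelog_mentions_cve() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog curl 2>/dev/null | grep -q "$CVE"
    elif [ -r /usr/share/doc/curl/changelog.Debian.gz ]; then
        zcat /usr/share/doc/curl/changelog.Debian.gz 2>/dev/null | grep -q "$CVE"
    else
        return 1
    fi
}

# Pull everything together for the local host. Always returns 0; the
# findings are the printed lines.
triage_host() {
    line=$(curl --version 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "curl: not installed (check vendor-embedded libcurl copies separately)"
        return 0
    fi
    tool=$(parse_curl_version_line "$line")
    lib=$(parse_libcurl_version_line "$line")
    [ "$lib" = "$tool" ] && lib=""
    for v in $tool $lib; do
        if curl_version_affected "$v"; then
            if package_changelog_mentions_cve; then
                echo "curl $v: in affected range, but package changelog lists $CVE (backported fix)"
            else
                echo "curl $v: AFFECTED, update to 8.4.0 or apply the curl team's patch"
            fi
        else
            echo "curl $v: outside affected range"
        fi
    done
    hit=$(env_uses_socks5h) && echo "warning: $hit lets the proxy resolve names (socks5h)"
    return 0
}

triage_host
```

Run it on each host as an unprivileged user; a socks5h warning with an affected version is the combination to fix first. Because the environment check only sees the variables of the current shell, services that set their own proxy variables in unit files or application configuration need to be inspected separately.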
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- curl vulnerabilities ironed out with patches after week-long tease (The Register, 10/11/23)
- Curl Fix Heap Buffer Overflow Vulnerability Could Lead to Remote Code Execution (Cyber Kendra, 10/11/23)
- CVE-2023-38545 (Red Hat Customer Portal, 10/11/23)
- CVE-2023-38545 (Ubuntu Security, 10/11/23)
- SOCKS5 heap buffer overflow (curl CVEs, 10/11/23)