Be prepared to patch high-severity vulnerability in curl and libcurl
UPDATE (October 11, 2023, 07:15 a.m. ET):
Curl v8.4.0 is out and fixes both CVE-2023-38545, a SOCKS5 heap buffer overflow vulnerability, and CVE-2023-38546, a cookie injection flaw.
Details about two vulnerabilities (CVE-2023-38545, CVE-2023-38546) in curl, a foundational and widely used open-source software for data transfer via URLs, are to be released on Wednesday, October 11.
Daniel Stenberg, the original author and lead developer, has said that the more severe of the two vulnerabilities “is probably the worst curl security flaw in a long time.”
About curl and the vulnerabilities
Curl (a command-line tool) and libcurl, a client-side URL transfer library, are developed by the curl project, with the help of contributors and sponsors. They are used to transfer data via a wide variety of network protocols.
According to the project, curl is used “in cars, television sets, routers, printers, audio equipment, mobile phones, tablets, medical devices, settop boxes, computer games, media players and is the Internet transfer engine for thousands of software applications in over twenty billion installations.”
The two vulnerabilities that will be patched with the release of curl v8.4.0 tomorrow are:
- CVE-2023-38545, a high severity flaw that affects both the libcurl library and the curl tool, and
- CVE-2023-38546, a low severity bug that only affects libcurl.
Stenberg declined to share any details that would point to the nature of the vulnerabilities, but said that there is no API nor ABI change in the 8.4.0 release.
Since curl is present by default on Linux systems, the project has notified and shared the vulnerability info with developers of a variety of Linux distributions, so they can prepare patches/updates in advance and release them quickly after curl 8.4.0 is made available.
Patching and potential pitfalls
Curl’s and libcurl’s ubiquity is why the existence of serious vulnerabilities and upcoming patches are announced in advance, so that admins can prepare for a flurry of updating that should follow.
Organizations should prepare by pinpointing all systems where curl and libcurl are used, creating a plan for rolling out the fixes, and monitoring for the release of updates by the various providers.
“There is no API nor ABI change in the coming curl release. Updating the shared libcurl library should be enough to fix this issue on all operating systems,” Stenberg noted.
Saeed Abbasi, Product Manager at Qualys Threat Research Unit, told Help Net Security that the lack of API/ABI changes allows for quicker adoption of this security patch, as organizations can roll out the update without extensive testing and validation processes – although some testing is always recommended.
“Being able to mitigate this high-severity vulnerability without going through an extensive update process is beneficial for rapidly reducing exposure to potential cyberattacks. In addition, for industries and projects where compliance is key, not having to validate and certify new integrations aids in maintaining compliance with relevant regulations and standards without necessitating new audits or checks,” he added.
But there are also many Docker images that feature their own copies of the curl library, so many will have to be rebuilt.
Jonathan Roberts, a product manager at Docker, advised users and organizations to use Docker Scout to find curl dependencies throughout their container repositories.
Henrik Plate, security researcher at Endor Labs, pointed out that it is very likely that a successful attack exploiting the vulnerabilities would require the attacker to provide a URL to the vulnerable instance of curl/libcurl.
“To best prepare for the update, software developers should use the head start to search for all their uses of curl/libcurl and gather important context information, especially the version being in use and the particular use case. This context information must clarify whether URLs fed into curl come from (untrusted) user-provided input. Such cases will require special attention, because there may be an opportunity for attackers to provide URLs (that contain special characters, for example, or point to attacker-controlled domains), which could be needed to successfully craft an attack,” he said.
Mitigating the risk of exploitation may include implementing patches, restricting access to affected systems from untrusted networks, or implementing other countermeasures.
“One challenge, however, will be that the curl command line tool can be installed in many different ways, e.g., through the yum and apt package managers used by various Linux distributions or, worse, simply by downloading the binaries from the curl website. Such downloads and subsequent executions are often scripted, i.e., part of Windows batch files or Unix shell scripts, which can make it difficult to find those uses.”
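The inventory work described above (pinpointing curl/libcurl versions, and finding scripted downloads of curl itself) can be partly automated. The following POSIX shell helpers are an added example, not code from the article or the curl project; the version lines are constructed to mimic the first line of `curl --version`, the fixed release 8.4.0 comes from the article, and the curl.se download URL pattern is an assumption about how such scripted downloads typically look.

```shell
#!/bin/sh
# Added example: triage helpers for the curl 8.4.0 rollout. Sample version
# lines are constructed; a real inventory feeds the first line of
# `curl --version` from each host or container image into assess_curl_line.

FIXED_VERSION="8.4.0"   # release carrying the fixes for CVE-2023-38545/38546

# version_lt A B: succeeds when dotted version A is strictly lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1   # equal: not lower
    }'
}

# parse_curl_versions LINE: prints "<tool-version> <libcurl-version>"; the two
# can differ when the tool links against a separately updated shared libcurl.
parse_curl_versions() {
    printf '%s\n' "$1" | awk '{
        lib = ""
        for (i = 3; i <= NF; i++) if ($i ~ /^libcurl\//) lib = substr($i, 9)
        print $2, lib
    }'
}

# assess_curl_line LINE: prints UPDATE or OK plus the versions seen. The libcurl
# version decides (that is where the fix lives); tool version is the fallback.
assess_curl_line() {
    set -- $(parse_curl_versions "$1")
    tool=$1; lib=${2:-$1}
    if version_lt "$lib" "$FIXED_VERSION"; then
        printf 'UPDATE tool=%s libcurl=%s\n' "$tool" "$lib"
    else
        printf 'OK tool=%s libcurl=%s\n' "$tool" "$lib"
    fi
}

# count_scripted_curl_downloads FILE: lines fetching curl from curl.se (assumed URL pattern).
count_scripted_curl_downloads() {
    grep -c -E 'https?://curl\.se/download' "$1" 2>/dev/null || true
}

# Constructed sample: tool already rebuilt, shared libcurl still old.
assess_curl_line 'curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2'
```

Running the same check inside each container image (for example via `docker run --rm IMAGE curl --version`) catches the base images that Sharma and Roberts single out below.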
Mike McGuire, Senior Software Solutions Manager at Synopsys, warned about potential pitfalls.
“It’s not unheard of for attackers to post bogus ‘fixed’ versions of a project riddled with malware to take advantage of teams scrambling to patch vulnerable software,” he said.
“Organizations need to work swiftly to assess the exposure of their company and customers before full vulnerability details are published, monitor their systems for indications of exploit attempts, and be vigilant as to where they get their patches and fixed versions of curl.”
Sonatype security researcher Ax Sharma said that the high-severity vulnerability is not “Log4j reloaded”.
“Most usage of curl is as a command-line utility, distributed as an operating system package and used as a system level service provider or utility, which means normal OS updates should automatically take care of this. It’s very different from Log4j, which is embedded as a dependency, many layers deep, with no direct update capability,” he told Help Net Security.
“The most likely attack surface people should watch for when it comes to vulnerabilities is docker base images that aren’t receiving updates and which happen to have an application that leverages the vulnerable libcurl. Overall, the best thing to do here is to not panic, but to install the patched packages ASAP, and don’t forget that containers can also contain operating systems – so keep them in mind.”