Have you ever used Curl? It’s likely you have! Curl is installed on countless machines and devices, with Libcurl being the standout component.
Libcurl is a versatile client-side URL transfer library that supports a wide range of protocols and features, including cookies, DICT, FTP, FTPS, Gopher, HTTP/1 (with HTTP/2 and HTTP/3 support), HTTP POST, HTTP PUT, HTTP proxy tunneling, HTTPS, IMAP, Kerberos, LDAP, MQTT, POP3, RTSP, RTMP, SCP, SMTP, and SMB. Additionally, it handles the file URI scheme, SFTP, Telnet, TFTP, file transfer resume, FTP uploading, HTTP form-based upload, HTTPS certificates, LDAPS, proxies, and user-plus-password authentication.
One of the notable characteristics of the libcurl library is its portability. It is designed to build and function consistently across a wide range of platforms, including AIX, AmigaOS, Android, BeOS, BlackBerry Tablet OS, BlackBerry 10, OpenVMS, Darwin, DOS, FreeBSD, HP-UX, HURD, iOS, IRIX, Linux, macOS, NetBSD, NetWare, OpenBSD, OS/2, QNX Neutrino, RISC OS, Solaris, Symbian, Tru64, Ultrix, UnixWare, and Microsoft Windows.
A critical vulnerability has been identified in the Curl library, which can potentially lead to a heap-based buffer overflow during the SOCKS5 proxy handshake.
Vulnerability Details: The flaw arises when Curl is instructed to pass the hostname to the SOCKS5 proxy for address resolution, with the maximum hostname length limited to 255 bytes. If a hostname exceeding this limit is detected, Curl switches to local name resolution but, due to a bug, can incorrectly copy the excessively long hostname into the target buffer instead of just the resolved address.
Terminology:
- The Curl library is often referred to as libcurl.
- The command line tool using libcurl is called the Curl tool.
Technical Information:
- An attacker with control over an HTTPS server, which a client utilizing libcurl accesses through a SOCKS5 proxy (using the proxy-resolver-mode), can manipulate it to send a carefully crafted redirect via an HTTP 30x response.
- This 30x redirect would contain a Location: header in the following format:
- Location: https://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/
- In this format, the hostname is between 16KB and 64KB in length.
- If the libcurl-based client has automatic redirect-following enabled and the SOCKS5 proxy experiences sufficient slowness to trigger the local variable bug, it will erroneously copy the manipulated hostname into a buffer that’s too small, overflowing into adjacent heap memory.
- This results in a critical heap buffer overflow vulnerability.
Conditions for Vulnerability:
- Overflow can occur in applications that either do not set CURLOPT_BUFFERSIZE or set it smaller than 65,541 bytes.
- The Curl tool, by default, sets CURLOPT_BUFFERSIZE to 100KB, making it immune unless the user manually sets a rate limit smaller than 65,541 bytes per second.
Affected Versions:
- Affected versions: libcurl 7.69.0 to 8.3.0 (7.69.0 was released back in December 2020).
- Not affected versions: libcurl < 7.69.0 and >= 8.4.0.
- The bug was introduced during the conversion of the SOCKS5 handshake code from a blocking function into a non-blocking state machine.
CVE Identifier: CVE-2023-38545
Severity: High
Solution:
- Starting from curl 8.4.0, Curl no longer switches to local resolve mode but returns an error for overly long hostnames.
Recommendations:
- A: Upgrade Curl to version 8.4.0.
- B: Apply the patch to your local version if upgrading isn’t feasible.
- C: Avoid using CURLPROXY_SOCKS5_HOSTNAME proxies with Curl.
- D: Refrain from setting a proxy environment variable to socks5h://.
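To make the conditions and recommendations above concrete, here is an added Python helper (not from the curl project or from the original post) that classifies one libcurl deployment's exposure from the three inputs the advisory names: the libcurl version, the proxy in use, and CURLOPT_BUFFERSIZE. The version range, the 65,541-byte threshold and the 255-byte SOCKS5 hostname limit come from the text above; the string formats of the version and proxy inputs are assumptions.

```python
import re
from typing import Optional

# Values taken from the advisory text above.
FIRST_AFFECTED = (7, 69, 0)   # first libcurl release carrying the bug
FIRST_FIXED = (8, 4, 0)       # first release that rejects over-long hostnames
SAFE_BUFFER_SIZE = 65541      # smallest CURLOPT_BUFFERSIZE that cannot overflow
SOCKS5_HOSTNAME_MAX = 255     # longest hostname the SOCKS5 handshake can carry


def parse_version(text: str) -> tuple:
    """Turn 'libcurl/8.3.0' or '8.3.0' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def version_affected(version: str) -> bool:
    """True for 7.69.0 <= version < 8.4.0, the range the advisory lists."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def uses_proxy_resolver_mode(proxy: Optional[str]) -> bool:
    """True when the SOCKS5 proxy is asked to resolve the hostname: a socks5h://
    URL (e.g. from a proxy environment variable) or the CURLPROXY_SOCKS5_HOSTNAME type."""
    if not proxy:
        return False
    p = proxy.strip().lower()
    return p.startswith("socks5h://") or p == "curlproxy_socks5_hostname"


def buffer_too_small(buffer_size: Optional[int]) -> bool:
    """An unset CURLOPT_BUFFERSIZE counts as too small, as does any value below 65541."""
    return buffer_size is None or buffer_size < SAFE_BUFFER_SIZE


def exposure(version: str, proxy: Optional[str], buffer_size: Optional[int] = None) -> str:
    """Classify one deployment: 'exposed', or the first condition that rules it out."""
    if not version_affected(version):
        return "not exposed: version outside 7.69.0-8.3.0"
    if not uses_proxy_resolver_mode(proxy):
        return "not exposed: no socks5h / SOCKS5_HOSTNAME proxy"
    if not buffer_too_small(buffer_size):
        return "not exposed: CURLOPT_BUFFERSIZE >= 65541"
    return "exposed: upgrade to 8.4.0 or apply the patch"


def fixed_behaviour_accepts(hostname: str) -> bool:
    """Mirror of the 8.4.0 rule: a hostname over 255 bytes is an error, not a local-resolve fallback."""
    return len(hostname.encode()) <= SOCKS5_HOSTNAME_MAX
```

Feed it the version strings gathered from an inventory (for example the `libcurl/x.y.z` token of each host's curl user agent) together with each application's proxy setting to get a per-host verdict.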
So do not stress if you are not using Curl with SOCKS. If you are using Microsoft Defender, you can use this feature to map out which versions are installed within your environment: High severity curl vulnerability: prepare with Microsoft Defender for Cloud – Microsoft Community Hub