October 12, 2023 at 09:59AM
The recently fixed vulnerabilities in the command-line tool curl and the libcurl library require security teams to identify and remediate impacted systems. The vulnerabilities can only be exploited under specific conditions. Organizations should scan their environment using software analysis tools to assess which systems are using curl and libcurl. Additionally, Docker containers and other container technologies should be scanned for vulnerable versions. It is essential for organizations to keep track of open source software, such as curl and libcurl, to assess risk and implement necessary measures. A software bill of materials can be a helpful resource in this regard.
Key Takeaways from Meeting Notes:
1. Security teams should not panic about the recently fixed vulnerabilities in curl and libcurl, but they still need to identify and address impacted systems.
2. cURL is a widely used networking tool for Unix and Linux systems, both as a standalone utility and as a library included in various applications.
3. CVE-2023-38545 is a high severity vulnerability affecting curl and libcurl versions 7.69.0 to 8.3.0, while a low severity vulnerability impacts libcurl versions 7.9.1 to 8.3.0.
4. The vulnerabilities require specific conditions to be exploited, including pointing curl at a malicious server, using a SOCKS5 proxy with certain configurations, and setting a smaller buffer size.
5. The libcurl library is only vulnerable if certain environment variables (CURLOPT_PROXYTYPE, CURLOPT_PROXY, or CURLOPT_PRE_PROXY) are set to specific values related to SOCKS5.
6. The command-line tool curl is vulnerable when executed with the --socks5-hostname flag or when relevant environment variables are set.
7. Organizations should scan their environment to identify systems using curl and libcurl and verify if the pre-conditions for vulnerability exist.
8. Software composition analysis tools, container scanning, and application security posture management tools can help with assessing software delivery processes and identifying impacted systems.
9. Specific commands are provided for Linux/macOS and Windows to identify installed versions of curl.
10. Docker containers and similar container technologies should also be scanned for vulnerable versions of libcurl.
11. Keeping track of all open source software in use is crucial for assessing risks and taking remediation actions, such as patching curl or implementing access restrictions.
12. A software bill of materials can be a helpful resource for identifying instances of curl in applications.
These takeaways emphasize the importance of proactive measures, thorough scanning, and careful management of open source software to ensure security.
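As an added example (it is not part of the summary above and not tooling from the curl project), the following POSIX shell script puts takeaways 3, 6 and 7 into a form an inventory job can run on each host: it parses the first line of `curl --version`, classifies the version against the two ranges the advisory names (7.69.0 to 8.3.0 for the high-severity CVE-2023-38545, 7.9.1 to 8.3.0 for the low-severity issue), and reports whether a SOCKS5 proxy is configured through the proxy environment variables curl honors. The function names are this example's own; the variable names checked (`ALL_PROXY`, `all_proxy`, `http_proxy`, `HTTPS_PROXY`, `https_proxy`) are curl's standard proxy variables. A SOCKS5 hit means the precondition is present and the host deserves review, not that it is exploitable.

```shell
#!/bin/sh
# Added example: classify an installed curl against the version ranges in the
# advisory summary and check for the SOCKS5 proxy precondition.

# vernum MAJOR.MINOR.PATCH -> single integer for comparison (8.3.0 -> 8003000).
# Suffixes such as "-DEV" are stripped before parsing.
vernum() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
  set -- $(printf '%s' "$v" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# in_range VERSION LOW HIGH -> exit 0 if LOW <= VERSION <= HIGH (inclusive)
in_range() {
  n=$(vernum "$1"); lo=$(vernum "$2"); hi=$(vernum "$3")
  [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]
}

# classify_curl_version VERSION -> affected-high | affected-low | not-affected
#   affected-high: 7.69.0 .. 8.3.0 (CVE-2023-38545; the low-severity range also applies)
#   affected-low : 7.9.1  .. 8.3.0 (low-severity libcurl issue only)
classify_curl_version() {
  if in_range "$1" 7.69.0 8.3.0; then
    echo affected-high
  elif in_range "$1" 7.9.1 8.3.0; then
    echo affected-low
  else
    echo not-affected
  fi
}

# parse_curl_version_line LINE -> the version token from the first line of
# `curl --version`, e.g. "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 ..."
parse_curl_version_line() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}

# socks5_proxy_env -> prints the first curl proxy variable that points at a
# SOCKS5 proxy (socks5:// or socks5h://) and exits 0; exits 1 if none does.
socks5_proxy_env() {
  for name in ALL_PROXY all_proxy http_proxy HTTPS_PROXY https_proxy; do
    eval "val=\${$name:-}"
    case "$val" in
      socks5://*|socks5h://*) echo "$name"; return 0 ;;
    esac
  done
  return 1
}

# Report on the curl installed on this host, if any.
if command -v curl >/dev/null 2>&1; then
  line=$(curl --version 2>/dev/null | head -n 1)
  ver=$(parse_curl_version_line "$line")
  printf 'installed curl %s: %s\n' "$ver" "$(classify_curl_version "$ver")"
  if name=$(socks5_proxy_env); then
    printf 'SOCKS5 proxy configured via %s (review this host)\n' "$name"
  else
    echo 'no SOCKS5 proxy configured in the environment'
  fi
fi
```

Run it unprivileged on each host from your inventory tooling and collect the two lines it prints; a host reporting `affected-high` together with a SOCKS5 proxy variable satisfies the preconditions the takeaways describe and belongs at the front of the patch queue. Containers need the same check run inside the image, since the host's curl says nothing about the libcurl bundled in an image.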