October 11, 2023 at 12:06PM
Patches have been released for a critical memory corruption vulnerability in the cURL data transfer project. The flaw, tracked as CVE-2023-38545, affects the SOCKS5 proxy handshake process in cURL and can be exploited remotely in certain configurations. The bug can lead to a heap buffer overflow. Affected versions are 7.69.0 to 8.3.0, and the issue has been fixed in cURL 8.4.0. Organizations are advised to urgently apply the patches.
Key takeaways:
– The cURL data transfer project has released patches for a severe memory corruption vulnerability.
– The vulnerability affects the SOCKS5 proxy handshake process in cURL and can be exploited remotely in certain configurations.
– The bug, identified as CVE-2023-38545, exists in the libcurl library.
– If the hostname exceeds 255 bytes, a bug in curl may copy the overlong hostname into the target buffer, causing a heap buffer overflow.
– The bug was introduced in February 2020 during coding work on cURL’s SOCKS5 support.
– An attacker controlling an HTTPS server can use a crafted redirect to trigger the heap buffer overflow.
– The issue has been reported and a bug bounty of $4,600 has been paid out.
– Affected versions of libcurl are 7.69.0 to 8.3.0, and the fix is available in cURL 8.4.0.
– cURL is a library and command-line tool for data transfer using URL syntax, supporting various protocols.
– Organizations are urged to scan systems utilizing curl and libcurl and apply the patches.
– Updating the shared libcurl library should fix the issue on all operating systems.
– The vulnerability potentially impacts all projects relying on libcurl, but some may not be exploitable.
– There have been previous security vulnerabilities and patches in libcurl.
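For the scanning step above, a small shell check can compare the libcurl version a host reports against the affected range given on this page (7.69.0 to 8.3.0, fixed in 8.4.0). This is an added example, not code from the cURL project; the function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag libcurl versions inside the range this page lists for
# CVE-2023-38545 (7.69.0 through 8.3.0 affected, 8.4.0 fixed).

# ver_to_int X.Y.Z -> one comparable integer (8.3.0 -> 80300).
# Suffixes such as "-DEV" are ignored; fails on input that is not X.Y.Z.
ver_to_int() {
    printf '%s\n' "$1" | awk -F. '
        /^[0-9]+\.[0-9]+\.[0-9]+/ { printf "%d\n", $1*10000 + $2*100 + ($3+0); ok = 1 }
        END { exit !ok }'
}

# is_affected VERSION -> status 0 if 7.69.0 <= VERSION <= 8.3.0,
# 1 if outside the range, 2 if the version cannot be parsed.
is_affected() {
    n=$(ver_to_int "$1") || return 2
    [ "$n" -ge 76900 ] && [ "$n" -le 80300 ]
}

# libcurl_version: reads `curl --version` output on stdin and prints the
# libcurl version from its first line (the "libcurl/X.Y.Z" token).
libcurl_version() {
    sed -n '1s#.*libcurl/\([0-9][0-9.]*\).*#\1#p'
}

# classify: reads `curl --version` output on stdin, prints one verdict line.
classify() {
    v=$(libcurl_version)
    if [ -z "$v" ]; then
        echo "UNKNOWN no libcurl version found"
    elif is_affected "$v"; then
        echo "AFFECTED libcurl $v: upgrade to 8.4.0 or later"
    else
        echo "OK libcurl $v: outside 7.69.0-8.3.0"
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in \
    "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f" \
    "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.10" \
    "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11"
do
    printf '%s\n' "$banner" | classify
done

# Live check of the local binary, when curl is installed.
if command -v curl >/dev/null 2>&1; then curl --version | classify; fi
```

The banner only reflects the upstream version string: distribution packages may carry the fix under an older version number, so confirm against the vendor's advisory. Applications that bundle or statically link their own libcurl are not covered by checking the system `curl` binary.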