Two High-Risk Security Flaws Discovered in Curl Library – New Patches Released


October 12, 2023 at 01:01AM

Patches have been released for two security flaws in the Curl data transfer library. The more severe vulnerability, labeled CVE-2023-38545, allows for code execution and is considered one of the worst security flaws in Curl in a long time. The other vulnerability, CVE-2023-38546, enables cookie injection. Both flaws have been patched in version 8.4.0 of Curl. The vulnerabilities require specific conditions to be exploited, making exploitation less likely.

Key takeaways are as follows:

– Two security flaws have been identified in the Curl data transfer library, one of which is described as “probably the worst Curl security flaw in a long time.”
– The more severe vulnerability (CVE-2023-38545) affects libcurl versions 7.69.0 to 8.3.0 and is a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake. Exploiting this vulnerability could potentially lead to remote code execution.
– The second vulnerability (CVE-2023-38546) impacts libcurl versions 7.9.1 to 8.3.0 and allows an attacker to insert cookies into a running program that uses libcurl under specific conditions.
– Patches for both vulnerabilities have been released in version 8.4.0 of Curl, which was launched on October 11, 2023. The update specifically addresses the heap-based buffer overflow risk by preventing Curl from switching to local resolve mode for long hostnames.
– While the vulnerabilities are serious, exploitability requires specific pre-conditions, such as an attacker triggering code execution through a web app using Curl and connecting to a SOCKS5 proxy. These dependencies reduce the likelihood of widespread exploitation.
– The development team acknowledges the shortcomings of using C as the programming language for Curl, but no plans for porting Curl to a memory-safe language are currently being considered.
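
To triage an inventory against the two affected ranges listed above, the following added example (not code from the curl project or the original article) parses the first line of `curl --version` output and reports which of the two CVEs apply. The host names and banner strings are constructed samples, and the function names are hypothetical.

```python
import re

# Affected libcurl ranges exactly as stated in the summary above (inclusive).
AFFECTED = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),  # SOCKS5 heap-based buffer overflow
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),   # cookie injection
}

# Match the library token, not the leading "curl x.y.z" tool version:
# the command-line tool can be linked against a different libcurl.
_LIBCURL = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def libcurl_version(banner):
    """Return the libcurl version as an int tuple, or None if absent."""
    m = _LIBCURL.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(banner):
    """Return the sorted CVE ids whose affected range contains this libcurl."""
    ver = libcurl_version(banner)
    if ver is None:
        raise ValueError("no libcurl/x.y.z token found in banner")
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= ver <= hi)


# Constructed sample banners (first line of `curl --version`), not real hosts.
SAMPLES = {
    "build-01": "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11",
    "web-02": "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9",
    "legacy-03": "curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1k",
    "mixed-04": "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.11",
}


def report(samples=SAMPLES):
    """Map each host to the list of CVEs its libcurl version falls under."""
    return {host: triage(banner) for host, banner in samples.items()}


if __name__ == "__main__":
    for host, cves in report().items():
        print(f"{host}: {', '.join(cves) if cves else 'not in affected ranges'}")
```

A version-number match is only a first pass: distribution packages may carry backported fixes while still reporting an older libcurl version, so confirm against the vendor's advisory before treating a host as unpatched.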