In recent days, the cybersecurity community held its collective breath in anticipation of the disclosure of two highly awaited security vulnerabilities in the widely used open-source software curl and libcurl. Curl, a proxy resolution tool that simplifies file transfers across various protocols, is an essential intermediary for billions of applications. Merely suggesting a significant flaw in this open-source library invites comparisons to the notorious log4j vulnerability of 2021.
Daniel Stenberg, the founder of curl, had hinted that one of these vulnerabilities could be “the worst curl security flaw in a long time.”
However, as the patches and bug details were eventually unveiled, it became evident that neither vulnerability matched the initial hype.
These vulnerabilities were tagged as CVE-2023-38545 and CVE-2023-38546.
- CVE-2023-38545: This vulnerability was initially described as a “high” severity heap-based buffer overflow flaw that could potentially lead to data corruption and arbitrary code execution. However, its severity was found to be limited to specific scenarios. It specifically affected applications relying on libcurl versions 7.69.0 through 8.3.0, and the default configuration of the curl tool protected against it. The impact was noted to be confined to situations where a hostname exceeded 255 bytes, which caused curl to fall back from remote (proxy-side) hostname resolution to local resolution; this behaviour inadvertently led to the wrong value being passed during the SOCKS5 handshake.
- CVE-2023-38546: The second vulnerability was a less severe cookie injection flaw that only affected libcurl. The article highlighted that the likelihood of meeting the conditions necessary to trigger this vulnerability was considered low, and that even when those conditions were met, the risk of a cookie injection attack was also regarded as low. The flaw was tied to libcurl’s “curl_easy_duphandle” function, which duplicates the “easy handles” used for individual transfers.
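The 255-byte limit mentioned for CVE-2023-38545 comes from the SOCKS5 wire format (RFC 1928): when a target is sent as a domain name, its length travels in a single octet, so a hostname longer than 255 bytes cannot be represented and must be refused before any copy happens. The following C function is an added example, not curl's code; it builds a SOCKS5 CONNECT request with that bound enforced up front, and the function name, buffer layout and sample hostnames are the example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical example (not libcurl's implementation): build a SOCKS5
 * CONNECT request for a domain-name target, RFC 1928 section 4.
 * Layout: VER CMD RSV ATYP | LEN | name[LEN] | DST.PORT (2 bytes, network order)
 * ATYP 0x03 carries the hostname length in ONE octet, hence the 255 limit. */

#define SOCKS5_VERSION      0x05
#define SOCKS5_CMD_CONNECT  0x01
#define SOCKS5_ATYP_DOMAIN  0x03
#define SOCKS5_MAX_HOSTNAME 255

/* Returns the number of bytes written to out, or 0 if the request is refused
 * (empty hostname, hostname too long for the length octet, or out too small).
 * Refusing first means the hostname is never copied into a buffer that was
 * sized on the assumption that it fits. */
size_t socks5_build_connect(const char *hostname, uint16_t port,
                            unsigned char *out, size_t outlen)
{
    size_t hlen = strlen(hostname);
    if (hlen == 0 || hlen > SOCKS5_MAX_HOSTNAME)
        return 0;                       /* cannot be expressed in one octet */

    size_t need = 4 + 1 + hlen + 2;     /* header, LEN, name, port */
    if (outlen < need)
        return 0;                       /* caller's buffer is too small */

    out[0] = SOCKS5_VERSION;
    out[1] = SOCKS5_CMD_CONNECT;
    out[2] = 0x00;                      /* RSV */
    out[3] = SOCKS5_ATYP_DOMAIN;
    out[4] = (unsigned char)hlen;       /* safe: hlen <= 255 checked above */
    memcpy(out + 5, hostname, hlen);
    out[5 + hlen] = (unsigned char)(port >> 8);
    out[6 + hlen] = (unsigned char)(port & 0xff);
    return need;
}

int main(void)
{
    unsigned char req[512];

    /* Constructed sample: an ordinary hostname is encoded. */
    size_t n = socks5_build_connect("example.com", 443, req, sizeof req);
    printf("example.com -> %zu bytes (LEN octet = %u)\n", n, req[4]);

    /* Constructed sample: a 300-byte hostname is refused, not truncated. */
    char longname[301];
    memset(longname, 'a', 300);
    longname[300] = '\0';
    n = socks5_build_connect(longname, 80, req, sizeof req);
    printf("300-byte hostname -> %zu bytes (0 means refused)\n", n);
    return 0;
}
```

The point of the check is ordering: the length is validated against the protocol's own field width before anything is written, so an over-long name fails cleanly instead of being truncated or spilling past the buffer.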
Prematurely generating excitement about a fix can inadvertently give threat actors an advantage. In this instance, it was noted that Red Hat updated its change log before the official release of the curl fix, which might have supplied attackers with critical insights into the vulnerability. This underscores the importance of practicing responsible disclosure and avoiding unwarranted hysteria within the cybersecurity community.