
Security community on high alert following release of patch for Curl CVE vulnerabilities

Exploitable Heap-Based Buffer Overflow Vulnerability Found in Widely Used Tool

Security update from Curl CVE raises concerns among the security community, with the official patch now available


A new vulnerability has been disclosed in the popular command-line tool curl. CVE-2023-38545, also referred to as the curl heap buffer overflow, affects curl and libcurl versions 7.69.0 through 8.3.0. The flaw is a heap buffer overflow in the SOCKS5 proxy handshake and can potentially lead to memory corruption, remote code execution, or denial of service[1][3].

Unlike the infamous Log4j vulnerability (Log4Shell) from 2021, the curl vulnerability is more narrowly scoped. Although the curl flaw can also lead to remote code execution, the Log4j bug had a far greater scale and was far easier to exploit.

The Log4j vulnerability affected a Java logging library and allowed remote code execution through maliciously crafted log messages. It could be triggered broadly across countless Java-based applications, creating the potential for widespread and severe compromise. In contrast, the curl heap overflow requires a specific network proxy setup (SOCKS5) and malformed input during proxy negotiation, which limits its attack surface[1][3].

The Log4j issue caused a global cybersecurity crisis because of its breadth and the critical role of logging. The curl vulnerability, on the other hand, is a high-severity but more contained issue, limited to specific versions and configurations[1][3]. Both vulnerabilities call for timely patching, but the curl vulnerability's impact is more limited.

Here's a comparative analysis of the two vulnerabilities:

| Aspect | CVE-2023-38545 (curl) | Log4j (CVE-2021-44228) |
| ------------ | --------------------- | ---------------------- |
| Vulnerability type | Heap buffer overflow (memory corruption) | Remote code execution via JNDI injection |
| Affected component | curl/libcurl SOCKS5 proxy handshake | Java Log4j logging library |
| Exploit requirement | SOCKS5 proxy usage with crafted input | Crafted log messages, broadly exploitable |
| Impact | Remote code execution, denial of service | Wide-scale remote code execution with easy exploitation |
| Patch status | Fixed in curl 8.4.0+ | Fixed in Log4j 2.15.0+ and later |

Mike McGuire, senior software solutions manager at Synopsys, noted that curl 8.4.0 addresses the issue by returning an error when a hostname exceeds 255 bytes, one of the conditions that led to the critical buffer overflow in vulnerable versions[2]. Henrik Plate, a security researcher at Endor Labs, said that the advisory for curl/libcurl is notable because publishing patches and security updates for open source software in this coordinated way remains a relatively uncommon practice[1].
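The fix described above comes down to a bounds check on the SOCKS5 domain-name address, whose length field is a single octet under RFC 1928 and therefore cannot carry more than 255 bytes. The following is an added illustration, not curl's code: a hypothetical `build_socks5_connect` helper that refuses an over-long hostname up front instead of copying it into a fixed-size buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 1928: an ATYP 0x03 (DOMAINNAME) address is one length octet followed
 * by the name, so a hostname longer than 255 bytes cannot be encoded.
 * Hypothetical helper for illustration; it is not libcurl's implementation. */
#define SOCKS5_MAX_HOSTLEN 255

/* Build a SOCKS5 CONNECT request for host:port into out.
 * Returns the number of bytes written, or 0 if the request was refused
 * (empty/over-long hostname, or caller's buffer too small). */
size_t build_socks5_connect(const char *host, uint16_t port,
                            uint8_t *out, size_t outcap)
{
    size_t hostlen = strlen(host);
    size_t need;

    if (hostlen == 0 || hostlen > SOCKS5_MAX_HOSTLEN)
        return 0;                 /* reject instead of overflowing */
    need = 4 + 1 + hostlen + 2;   /* VER CMD RSV ATYP | LEN name | PORT */
    if (outcap < need)
        return 0;                 /* never write past the caller's buffer */

    out[0] = 0x05;                /* VER  = SOCKS5 */
    out[1] = 0x01;                /* CMD  = CONNECT */
    out[2] = 0x00;                /* RSV  */
    out[3] = 0x03;                /* ATYP = DOMAINNAME */
    out[4] = (uint8_t)hostlen;    /* safe: bounded to 255 above */
    memcpy(out + 5, host, hostlen);
    out[5 + hostlen] = (uint8_t)(port >> 8);
    out[6 + hostlen] = (uint8_t)(port & 0xff);
    return need;
}

int main(void)
{
    uint8_t buf[300];
    char longhost[400];               /* constructed 399-byte hostname */
    memset(longhost, 'a', sizeof(longhost) - 1);
    longhost[sizeof(longhost) - 1] = '\0';

    size_t n = build_socks5_connect("example.com", 443, buf, sizeof buf);
    printf("example.com -> %zu bytes\n", n);          /* 18 */
    n = build_socks5_connect(longhost, 443, buf, sizeof buf);
    printf("399-byte hostname -> %zu (refused)\n", n); /* 0 */
    return 0;
}
```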

First released in 1997, curl is a widely used tool for transferring files over a range of protocols[4]. Despite its age, it remains a crucial part of the Unix-like terminal ecosystem, alongside another quasi-standard command-line tool for file transfers.

[1] https://www.zdnet.com/article/curl-vulnerability-cve-2023-38545-exploited-by-remote-code-execution-or-denial-of-service/
[2] https://www.synopsys.com/blogs/software-security/curl-vulnerability-cve-2023-38545/
[3] https://www.bleepingcomputer.com/news/security/curl-8-4-0-patches-critical-heap-buffer-overflow-vulnerability/
[4] https://curl.se/

Cybersecurity experts are emphasizing the importance of updating to the latest version (8.4.0) of curl, as it addresses the heap buffer overflow vulnerability (CVE-2023-38545), a potential source of memory corruption, remote code execution, or denial of service. This vulnerability, affecting specific versions and configurations of curl and libcurl, is more contained compared to the Log4j vulnerability (Log4Shell) from 2021, which had a broader impact on countless Java-based applications.
