You can now find Cyber Kendra on Google News!

Is Curl Vulnerability leaked Before Schedule Time?

High severity vulnerability found in libcurl and curl

Curl Vulnerability leaked
Last week, the developer of Curl announced a forthcoming version of Curl version 8.4.0 to be scheduled for release with the patch of two security vulnerabilities. One of these vulnerabilities is rated as having low severity (CVE-2023-38546), whereas the second one is considered high severity (CVE-2023-38545).

In the GitHub discussion, the curl developer warned users and all IT admins about the high-severity security vulnerability in cURL and libcurl. On a warning note, he noted "The one rated HIGH is probably the worst curl security flaw in a long time."

Due to the nature, severity, and wide scope of affected areas developer haven't shared many details of the bug. He wrote-

I cannot disclose any information about which version range that is affected, as that would help identify the problem (area) with a very high accuracy so I cannot do that ahead of time. The "last several years" of versions is as specific as I can get.

The release of Curl, version 8.4.0, is scheduled to be available on October 11th, 2023 at approximately 06:00 UTC, but it seems the details of the bug may have leaked before its official disclosure. 

But before the scheduled time, Cyber Kendra may have got some more information regarding the Curl high severity vulnerability. We have seen a patchwork regarding the flaw in the ReadHat Git repository. The RedHat team had a workaround for the patch in the file name "0033-curl-7.76.1-CVE-2023-38545.patch".

After checking the patchwork, we assume the following key points-

Cyber Kendra confirms that this is the root cause of the CVE-2023-38545. Security Advisory released.

Name of the Issue - Name resolvers cannot resolve hostnames longer than 255 characters.

  • The bug is related to the handling of hostnames when using SOCKS5 proxies.
  • The bug allowed for hostnames longer than 255 characters, which was beyond the specification and caused problems.
  • Previously, cURL would try to switch to local resolution if the hostname was too long. However, this did not work properly and caused a security issue (as noted by the CVE reference).
  • The fix is to simply return an error if the hostname is over 255 characters since it cannot be resolved properly by the SOCKS5 proxy.
  • Root cause-
    • The root cause of the bug was that the state machine in the SOCKS5 proxy code attempted to change the remote hostname resolution to a local resolve if the hostname exceeded 255 characters.
    • The code incorrectly assumed it could switch to local resolution, but this didn't work as intended.

The patch code now checks if the hostname length exceeds 255 characters and, if so, returns an error code CURLPX_LONG_HOSTNAME and a descriptive error message.

The patch file also contains a link to the documentation page of the bug report, (https://curl.se/docs/CVE-2023-38545.html) but while writing the story, the link was not accessible. This may be due to the scheduled release time.

A security researcher, John Hammond has also show some stuff with above discussed patch on twitter thread.

According to this patch, it addresses a security issue in the SOCKS5 proxy code of curl. Is the curl vulnerability CVE-2023-38545 is the same bug? 

The vulnerability CVE-2023-38545 is a SOCKS5 heap buffer overflow flaw, read the details - Curl Fix Critical Buffer Overflow Vulnerability Could Lead to Remote Code Execution 

This patch fixes a bug where hostnames longer than 255 characters were incorrectly handled, and now it returns an error when such long hostnames are encountered, preventing potential issues related to remote hostname resolution. The fix returns an error in this case to avoid the security issue.

Post a Comment