
cURL Vulnerability CVE-2023-38545 for Python Systems

October 10, 2023
A high-severity vulnerability in cURL and its associated library libcurl was disclosed on 11 October, 2023, with widespread impact likely. This post examines the vulnerability, impacted Python packages, and recommended actions. This article will be updated as new information becomes available throughout the coming hours and days.

Key Details

  • Article Updated: 13 October, 2023 - 07:00 PDT
  • CVE-2023-38545 - HIGH SEVERITY
  • CVE-2023-38546 - LOW SEVERITY
  • Immediate Action Recommended:
    • Scan your machines and projects for curl and libcurl (basic instructions below). Know where curl is and what versions you are using.
    • Upgrade: If you are using the cURL command-line tool or are integrating the libcurl library in any projects, upgrade to cURL version 8.4.0, which addresses this flaw.
    • Patch: If an upgrade isn't immediately feasible, apply the provided patch to your existing cURL version.
    • Avoid Certain Proxies: Refrain from using CURLPROXY_SOCKS5_HOSTNAME proxies with cURL.
    • Environmental Settings: Ensure no proxy environment variable is set to the socks5h:// scheme.
    • Read all the details and get patches for old cURL versions: HackerOne Report.
    • Employ frequent scans using the Safety CLI: As we uncover affected Python dependencies, they'll promptly be added to Safety DB. Ensure your dependencies remain updated to safe versions.

This advisory will be updated as more information becomes available.

Overview

cURL is ubiquitous: it ships with many operating systems and platforms, and it is a dependency of many popular open-source packages across several programming ecosystems, including Python.

The maintainers of cURL shared the details of a high-severity vulnerability on 11 October 2023, at the same time as the release of a patched, secure version of cURL (8.4.0). In an earlier advisory, the maintainers stated that it “is probably the worst curl security flaw in a long time.” Because cURL is one of the most widely deployed software components, the impact is expected to be extremely broad.

Vulnerability Details

CVE-2023-38545: SOCKS5 Heap Buffer Overflow: A heap buffer overflow vulnerability was found in cURL during the SOCKS5 proxy handshake. When cURL is instructed to delegate hostname resolution to the SOCKS5 proxy (instead of resolving it locally) and the hostname exceeds 255 bytes in length, cURL unintentionally switches to local name resolution. Because of this switch, the over-long hostname can be copied into the target buffer rather than the intended resolved address.

Buffer Details: The affected buffer, part of the libcurl library, is the heap-based download buffer. Its default size is 16kB, although it can be adjusted. By default, the command-line curl tool sets it to 102400 bytes.

Triggering the Bug: For the overflow to occur, certain conditions must be met: a slow SOCKS5 handshake, a client utilizing a hostname longer than the download buffer, and potentially, a malicious server redirecting to a specially crafted URL.

Configuration Settings: The bug can only be exploited in applications using libcurl that either leave CURLOPT_BUFFERSIZE unset or set it to a value smaller than 65541 bytes. Since the curl tool sets CURLOPT_BUFFERSIZE to 100kB by default, it is not vulnerable unless the user has set a rate limit smaller than 65541 bytes/second.
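The following is an added example (not code from the advisory or from Safety CLI) that turns the conditions above, together with the socks5h:// environment-variable check from Key Details, into an audit an application owner can run against their own settings. It assumes pycurl with its BUFFERSIZE constant for the last function only; the checks themselves need nothing beyond the standard library.

```python
"""Audit a Python process's curl configuration against the two conditions this
advisory names: a socks5h:// proxy in the environment, and a libcurl download
buffer below 65541 bytes. Added example; not code from the advisory or Safety CLI."""
from urllib.parse import urlsplit

# Threshold stated in the advisory: buffers below this many bytes are exploitable.
SAFE_BUFFERSIZE = 65541
LIBCURL_DEFAULT_BUFFERSIZE = 16 * 1024     # libcurl's default download buffer
CURL_TOOL_BUFFERSIZE = 102400              # what the curl command-line tool sets
PROXY_VARS = ("http_proxy", "https_proxy", "all_proxy", "ftp_proxy")

def socks5h_proxies(environ):
    """{VAR: url} for every proxy variable (either case) whose scheme is socks5h,
    i.e. one that makes libcurl delegate hostname resolution to the SOCKS5 proxy."""
    return {name: value for name, value in environ.items()
            if name.lower() in PROXY_VARS
            and urlsplit(value).scheme.lower() == "socks5h"}

def buffersize_is_safe(buffersize=None, max_recv_speed=None):
    """The advisory's rule: an unset buffer means libcurl's 16kB default (unsafe),
    an explicit buffer must be at least 65541 bytes, and a receive rate limit
    below 65541 bytes/second re-opens the window even with a large buffer."""
    effective = LIBCURL_DEFAULT_BUFFERSIZE if buffersize is None else buffersize
    if effective < SAFE_BUFFERSIZE:
        return False
    return max_recv_speed is None or max_recv_speed >= SAFE_BUFFERSIZE

def audit(environ, buffersize=None, max_recv_speed=None):
    """Human-readable findings for one application's settings; empty means clean."""
    findings = [f"{var}={url} uses socks5h:// (proxy-side name resolution)"
                for var, url in socks5h_proxies(environ).items()]
    if not buffersize_is_safe(buffersize, max_recv_speed):
        findings.append(f"download buffer/rate limit below {SAFE_BUFFERSIZE} bytes")
    return findings

def hardened_handle():
    """A pycurl handle with the curl tool's buffer size applied (pycurl assumed
    installed; imported here so the checks above run without it)."""
    import pycurl
    handle = pycurl.Curl()
    handle.setopt(pycurl.BUFFERSIZE, CURL_TOOL_BUFFERSIZE)
    return handle
```

Call audit(os.environ, buffersize=<your CURLOPT_BUFFERSIZE>) from the process that performs transfers, since proxy variables are read from that process's environment.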

Vulnerability Specifics:

CVE Identifier: CVE-2023-38545

Severity: HIGH

CVSSv3 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Note on Impact: Unless a special situation makes the memory allocation patterns and sizes used by the application predictable enough for the attacker, selecting exactly what data to overflow, and where, with precision is extremely difficult. However, given the heap size, an RCE may be possible.

Common Attack Scenario: A Tor user (Tor is normally reached through a SOCKS5 proxy) visiting an HTTPS site that has been breached, or a similar setup.

Affected Versions: curl and libcurl 7.69.0 through 8.3.0

Safe Versions: Versions prior to 7.69.0 and those from 8.4.0 onwards.

Root Cause: The vulnerability surfaced when the SOCKS5 handshake procedure was transitioned from a blocking function to a non-blocking state machine. You can read more on how the flaw originated in the blog post by Daniel Stenberg (cURL's creator).

Both the cURL command line tool and the libcurl library are impacted by the vulnerability. 

Many Python packages rely on cURL and/or libcurl in some capacity. It is highly recommended that frequent vulnerability scans are performed in the coming days to allow packages impacted by transitive vulnerabilities to be identified and remediations to be applied as quickly as possible.

CVE-2023-38546: Cookie Injection With None File

A LOW severity vulnerability in curl and libcurl was disclosed at the same time as the aforementioned HIGH severity CVE. This could permit an attacker to introduce cookies into a running application, given a specific and non-default set of conditions.

In the libcurl API, applications generate "easy handles" for individual transfers. A function, curl_easy_duphandle, allows the duplication of these easy handles. When a handle with cookies activated is duplicated, the cookie-enable state is replicated, but not the actual cookies. If the original handle hadn't accessed cookies from a certain disk file, the duplicated handle would record the filename as none. This could lead to the inadvertent loading of cookies from a file named none if it's present and readable in the program's current directory, assuming the right file format.

CVE Identifier: CVE-2023-38546

Severity: LOW

The flaw's severity is categorized as low since exploiting it requires a specific set of circumstances. The likelihood of an attacker leveraging this to cause damage is minimal.

Affected Versions: libcurl 7.9.1 through 8.3.0

Safe Versions: prior to 7.9.1 and 8.4.0 onwards.

This vulnerability is only exploitable via libcurl, not via the cURL command-line tool.

Impacted Python Dependencies

The table below will be updated hourly in the coming days with the Python packages on PyPI that were identified as having potential impact from this cURL vulnerability in their latest release. The Safety Cybersecurity Intelligence team is in touch with the maintainers of these packages, and information will be updated here.

Last Updated: 13 October, 2023 - 07:00 PDT

Package     Downloads/month  Status        Version Fixed  Resources
Rasterio    1,670,000        FIXED         1.3.8.post2    Issue Tracker
Fiona       5,979,772        FIXED         1.9.5          Issue Tracker
Cyvcf2      48,180           NOT PATCHED   -              -
healpy      47,749           NOT PATCHED   -              -
klayout     16,196           NOT PATCHED   -              -
pyogrio     24,287           NOT PATCHED   -              Issue Tracker
Curl-cffi   85,634           NOT PATCHED   -              Issue Tracker
Htcondor    10,494           NOT IMPACTED  -              Bundles a safe version of libcurl
Fastdup     5,046            NOT IMPACTED  -              Bundles a safe version of libcurl
Pysam       270,747          NOT IMPACTED  -              Bundles a safe version of libcurl

All the PyPI packages listed above (other than those marked NOT IMPACTED) were found to be shipping a vulnerable version of libcurl. As a workaround until patches are released, you may install the affected packages from source and, separately, use a patched version of libcurl. You can find a bundle including patches for the latest and older versions of libcurl in the original HackerOne Report.


Remediation

The following steps are recommended for all customers:

  1. Run which curl to determine where in your path cURL is installed.
  2. Run curl --version to identify which version of cURL you are using in your path.
  3. Upgrade: Migrate to cURL version 8.4.0, which addresses and rectifies this flaw.
  4. Patch: If an upgrade isn't immediately feasible, apply the provided patch to your existing cURL version.
  5. Avoid Certain Proxies: Refrain from using CURLPROXY_SOCKS5_HOSTNAME proxies with cURL.
  6. Environmental Settings: Ensure no proxy environment variable is set to the socks5h:// scheme.
  7. Read all the details and get patches for old cURL versions: HackerOne Report.
  8. Perform frequent scans using Safety CLI. A large number of popular packages on PyPI deploy libcurl. Our recommendation is to perform scans at least several times per day in the coming days and to refer to the table above for more information. When prompted to update to safe versions, our recommendation is to update your dependencies as updates are released by maintainers.
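Steps 1 and 2 cover the curl binary on your PATH, but the table above shows that the copies of libcurl that matter for Python systems are often the ones vendored inside wheels. The following is an added example (not code from the advisory or from Safety CLI) that finds every libcurl in a Python environment, reads each one's own version banner via ctypes, and classifies it against the affected ranges stated in Vulnerability Details. It assumes the auditwheel/delocate convention of placing vendored shared objects under site-packages with a libcurl prefix.

```python
"""Find every libcurl in a Python environment (system library plus copies vendored
inside wheels) and classify each against this advisory's affected ranges.
Added example; not code from the advisory or from Safety CLI."""
import ctypes
import ctypes.util
import re
from pathlib import Path

# Affected ranges stated in the advisory, inclusive at both ends.
AFFECTED = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),
}
_VERSION_RE = re.compile(r"(?:lib)?curl/(\d+)\.(\d+)\.(\d+)")
# auditwheel/delocate rename vendored libs, e.g. libcurl-3a2b1c4d.so.4.8.0 (assumed layout)
_LIBNAME_RE = re.compile(r"^libcurl.*\.(so|dylib|dll)(\.\d+)*$")

def parse_version(text):
    """(major, minor, patch) from `curl --version` output or a libcurl banner."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no curl version in {text!r}")
    return tuple(int(x) for x in m.groups())

def affected_cves(version):
    """CVEs whose affected range contains this (major, minor, patch) tuple."""
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi]

def libcurl_banner(path):
    """Load one libcurl shared object and ask it for its own version banner."""
    lib = ctypes.CDLL(str(path))
    lib.curl_version.restype = ctypes.c_char_p
    return lib.curl_version().decode()

def find_libcurl(site_packages):
    """Vendored copies below site-packages, plus the system libcurl if there is one."""
    found = [p for p in Path(site_packages).rglob("libcurl*") if _LIBNAME_RE.match(p.name)]
    system = ctypes.util.find_library("curl")
    return sorted(found) + ([Path(system)] if system else [])

def scan(site_packages):
    """Yield (path, version, affected CVEs); unloadable files are reported, not skipped."""
    for path in find_libcurl(site_packages):
        try:
            version = parse_version(libcurl_banner(path))
            yield path, version, affected_cves(version)
        except (OSError, ValueError) as exc:
            yield path, None, [f"unreadable: {exc}"]
```

Run it with scan(sysconfig.get_paths()["purelib"]) inside each virtual environment you care about; any non-empty CVE list on a row means that copy of libcurl needs the package upgrade or the libcurl workaround described above.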

Safety Cybersecurity’s Response

Safety’s Cybersecurity Intelligence Team maintains the industry-leading database of Python vulnerabilities and malicious packages, offering customers unparalleled protection against direct and transitive vulnerabilities. Our team works around the clock to update Safety DB as new vulnerabilities are disclosed, as well as performing research into novel vulnerabilities yet to be disclosed. We will be performing updates in real-time to Safety DB as new information comes to light.

Using Safety CLI provides your teams with the most up-to-date and comprehensive coverage against potential impact from the high-severity cURL and libcurl vulnerability. We’ve identified the top PyPI projects affected by this issue and are in touch with Python maintainers to get you the most up-to-date relevant information.

Safety CLI itself depends on many open source packages, as well as leveraging infrastructure that depends on cURL and libcurl. We have analyzed all of our systems and, as of 11 October, are not impacted by either of the disclosed CVEs.


For more information on Safety Cybersecurity or to contact us regarding the content in this advisory, please email info@safetycli.com.
