- Article Updated: 13 October, 2023 - 07:00 PDT
- CVE-2023-38545 - HIGH SEVERITY
- CVE-2023-38546 - LOW SEVERITY
This advisory will be updated as more information becomes available.
cURL is ubiquitous, being shipped within many operating systems and platforms and is a dependency of many popular open-source packages across several programming ecosystems, including Python.
The maintainers of cURL shared the details of a high-severity vulnerability on 11 October 2023, at the same time as the release of a patched, secure version of cURL (8.4.0). In an earlier advisory, the maintainers stated that it “is probably the worst curl security flaw in a long time.” cURL is one of the most widespread software components, and the impact is expected to be extremely widespread.
CVE-2023-38545: SOCKS5 Heap Buffer Overflow: heap buffer overflow vulnerability was found in cURL during the SOCKS5 proxy handshake. When cURL is instructed to delegate the hostname resolution to the SOCKS5 proxy (instead of resolving it locally), and the hostname surpasses 255 bytes in length, an unintended switch occurs. This switch can cause the over-extended hostname to be copied to the target buffer rather than the intended resolved address.
Buffer Details: The affected buffer, part of the libcurl library, is the heap-based download buffer. Its default size is 16kB, although it can be adjusted. By default, the command-line curl tool sets it to 102400 bytes.
Triggering the Bug: For the overflow to occur, certain conditions must be met: a slow SOCKS5 handshake, a client utilizing a hostname longer than the download buffer, and potentially, a malicious server redirecting to a specially crafted URL.
Configuration Settings: The bug can only be exploited in applications using libcurl that either don't adjust the CURLOPT_BUFFERSIZE or set it to a value less than 65541 bytes. Since the curl tool sets CURLOPT_BUFFERSIZE to 100kB by default it is not vulnerable unless rate limiting was set by the user to a rate smaller than 65541 bytes/second.
CVE Identifier: CVE-2023-38545
CVSSv3 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Note on Impact: Unless a special situation which makes the memory allocation patterns and sizes used by the application predictable enough for the attacker, selecting exactly what data to overflow and where - with precision - is extremely difficult. However, given the heap size, a RCE may be possible.
Common Attack Scenario: A Tor user (which normally uses SOCKS5) going to a HTTPS site that has been breached or similar.
Affected Versions: curl and libcurl 7.69.0 through 8.3.0
Safe Versions: Versions prior to 7.69.0 and those from 8.4.0 onwards.
Root Cause: The vulnerability surfaced when the SOCKS5 handshake procedure was transitioned from a blocking function to a non-blocking state machine. You can read more on how the flaw originated in Daniel Stenberg (cURL creator) blogpost.
Both the cURL command line tool and the libcurl library are impacted by the vulnerability.
Many Python packages rely on cURL and/or libcurl in some capacity. It is highly recommended that frequent vulnerability scans are performed in the coming days to allow packages impacted by transitive vulnerabilities to be identified and remediations to be applied as quickly as possible.
CVE-2023-38546: Cookie Injection With None File
A LOW severity vulnerability in curl and libcurl was disclosed at the same time as the aforementioned HIGH severity CVE. This could permit an attacker to introduce cookies into a running application, given a specific and non-default set of conditions.
In the libcurl API, applications generate "easy handles" for individual transfers. A function, curl_easy_duphandle, allows the duplication of these easy handles. When a handle with cookies activated is duplicated, the cookie-enable state is replicated, but not the actual cookies. If the original handle hadn't accessed cookies from a certain disk file, the duplicated handle would record the filename as none. This could lead to the inadvertent loading of cookies from a file named none if it's present and readable in the program's current directory, assuming the right file format.
CVE Identifier: CVE-2023-38546
The flaw's severity is categorized as low since exploiting it requires a specific set of circumstances. The likelihood of an attacker leveraging this to cause damage is minimal.
Affected Versions: libcurl 7.9.1 through 8.3.0
Safe Versions: prior to 7.9.1 and 8.4.0 onwards.
This vulnerability is only exploitable via libcurl, not via the cURL command-line tool.
Impacted Python Dependencies
The table below will be updated hourly in the coming days with the Python packages on PyPI that were identified as having potential impact from this cURL vulnerability in their latest release. The Safety Cybersecurity Intelligence team is in touch with the maintainers of these packages, and information will be updated here.
Last Updated: 13 October, 2023 - 07:00 PDT
Last Updated: 13 October, 2023 - 07:00 PDT
The following steps are recommended for all customers:
Safety Cybersecurity’s Response
Safety’s Cybersecurity Intelligence Team maintains the industry-leading database of Python vulnerabilities and malicious packages, offering customers unparalleled protection against direct and transitive vulnerabilities. Our team works around the clock to update Safety DB as new vulnerabilities are disclosed, as well as performing research into novel vulnerabilities yet to be disclosed. We will be performing updates in real-time to Safety DB as new information comes to light.
Using Safety CLI provides your teams with the most up-to-date and comprehensive coverage against potential impact from the high-severity cURL and libcurl vulnerability. We’ve identified the top PyPI projects affected by this issue and are in touch with Python maintainers to get you the most up-to-date relevant information.
Safety CLI itself depends on many open source packages, as well as leveraging infrastructure that depends on cURL and libcurl. We have analyzed all of our systems and, as of 11 October, are not impacted by either of the disclosed CVEs.
For more information on Safety Cybersecurity or to contact us regarding the content in this advisory, please email firstname.lastname@example.org.