High severity flaw patched in widely used curl tool
The developers of the curl open-source software application and library have released patches for two vulnerabilities in the widely used command-line tool. One of the flaws is rated high severity and could potentially be exploited by rogue servers to execute malicious code on systems that access them with curl under certain conditions.
Curl, which is short for “client for URL,” is a cross-platform and portable command-line tool designed to transfer data or files to and from URLs. Dating back 27 years, it supports many internet communication protocols and technologies including DICT, FTP, FTPS, Gopher, HTTP 1/2/3, HTTP proxy tunneling, HTTPS, IMAP, Kerberos, LDAP, MQTT, POP3, RTSP, RTMP, SCP, SMTP, and SMB. In addition to the command-line tool, curl also provides a library called libcurl that many other applications can integrate to benefit from the functionality.
Daniel Stenberg, the maintainer of curl, announced last week that an important security patch would be released on October 11 to fix “probably the worst curl security flaw in a long time.” The flaw, tracked as CVE-2023-38545, is a heap buffer overflow that affects curl versions 7.69.0 to 8.3.0; it was patched in version 8.4.0, released Wednesday.
The second flaw, CVE-2023-38546, affects only libcurl and allows arbitrary cookie injection into a program that uses libcurl. However, the issue is considered low severity.
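A quick inventory check, added here as an example and not code from the curl project or this article: it parses the banner line of `curl --version` and reports whether the curl binary and the libcurl it is linked against fall inside the affected range stated above. The sample banner string is constructed.

```python
import re
import subprocess

# Affected range for CVE-2023-38545 as given in the article: 7.69.0 up to and
# including 8.3.0; the fix shipped in 8.4.0.
AFFECTED_MIN = (7, 69, 0)
FIXED_IN = (8, 4, 0)

# Matches the banner line 'curl X.Y.Z (triplet) libcurl/X.Y.Z ...'. The two
# numbers can differ when a binary is linked against a separately installed
# libcurl, so both are captured and checked.
BANNER = re.compile(r"^curl (\d+)\.(\d+)\.(\d+) .*?libcurl/(\d+)\.(\d+)\.(\d+)", re.M)


def parse_versions(version_output):
    """Return {'curl': (maj, min, patch), 'libcurl': (maj, min, patch)}."""
    m = BANNER.search(version_output)
    if not m:
        raise ValueError("unrecognised curl --version banner")
    nums = [int(x) for x in m.groups()]
    return {"curl": tuple(nums[:3]), "libcurl": tuple(nums[3:])}


def is_affected(version):
    """True when a (maj, min, patch) tuple lies inside the affected range."""
    return AFFECTED_MIN <= version < FIXED_IN


def assess(version_output):
    """Summarise a banner; flag when either component is in the affected range."""
    found = parse_versions(version_output)
    detail = {name: is_affected(v) for name, v in found.items()}
    return {"versions": found, "affected": any(detail.values()), "detail": detail}


def assess_local_binary():
    """Run the curl found on PATH and assess it (no network access needed)."""
    out = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=True).stdout
    return assess(out)


# Constructed sample banner, not captured from a real host.
SAMPLE = "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.13\n"

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A version in range is a trigger for investigation rather than proof of exposure: distribution packages often backport the fix without changing the version string, and the article notes that only non-default configurations are affected.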
Curl vulnerability resides in SOCKS5 proxy
A buffer overflow is a type of security vulnerability that happens when a program writes more data to an allocated memory buffer than the buffer can hold, so that the excess spills into adjacent memory regions and overwrites the data there. Buffer overflows can at the very least result in application crashes (denial of service), but in many cases, controlled exploitation can lead to arbitrary code execution.
This is also the case with CVE-2023-38545. While proof-of-concept exploits have only demonstrated denial of service for now, researchers believe it’s only a matter of time until code execution is achieved. The good news is that only certain configurations of the tool are vulnerable, and they are not the default ones.