ADVISORY: Apply patch in curl for high-severity vulnerability

10/11/2023
Dark blue background with a white computer icon. On its screen is an exclamation mark.

An update to address a high-severity vulnerability in curl and libcurl, a command line tool and library for transferring data, has been released with curl 8.4.0. Apply the patch as soon as possible after appropriate testing to affected systems, especially those using SOCKS5 proxies.

Wednesday, October 11, 2023

This message is intended for U-M IT staff who are responsible for any systems that utilize curl and libcurl. This Advisory has been updated to reflect that curl 8.4.0 has been released to address the vulnerability in curl and libcurl.

Problem

The high-severity vulnerability (CVE-2023-38545) is a heap-based buffer overflow flaw that could lead to arbitrary remote code execution when using SOCKS5 proxies to access untrusted web servers.

Threats

There are no reports of the vulnerability being exploited in the wild. However, exploitation could begin quickly now that the vulnerability details have been released.

Affected Versions

Curl versions 7.69.0 up to and including 8.3.0

Action Items

Update affected systems to curl 8.4.0, with priority placed on those that are functioning as web servers or web application servers and that are exposed to access from the internet. If upgrading is not possible, the curl team has issued patches that can be applied to older versions. If curl is embedded in a vendor supplied product, make sure to check with your vendor for compatibility. You may need to wait for a vendor supplied patch.

Technical Details

According to the curl advisory, buffer overflow can occur during a slow SOCKS5 proxy handshake. When a hostname exceeds 255 bytes, curl switches to local resolution rather than letting the proxy resolve the hostname remotely. The local variable that means “let the host resolve the name” could get the wrong value during a slow SOCKS5 handshake and copy the too-long hostname to the target buffer instead of the resolved address.