CVE-2023-38545: curl - SOCKS5 heap buffer overflow



CVE-2023-38545

Project curl Security Advisory, October 11 2023 - Permalink

VULNERABILITY

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.

When curl is asked to pass the hostname along to the SOCKS5 proxy so that the proxy resolves the address instead of curl doing it locally, the hostname can be at most 255 bytes long: the SOCKS5 protocol (RFC 1928) encodes the length of a domain-name destination in a single byte.

If the hostname is detected to be longer than 255 bytes, curl was meant to switch to local name resolving and pass only the resolved address on to the proxy. Due to a bug, the local variable recording that decision ("resolve the name locally") could get the wrong value during a slow SOCKS5 handshake: the handshake runs as a non-blocking state machine, the function is re-entered as the proxy's replies arrive, and the variable is re-initialized on each entry. Contrary to the intention, the too-long hostname was then copied to the target buffer instead of just the resolved address.

TERMINOLOGY

The curl library is known as libcurl and the command line tool that uses the library is known as the curl tool. Either or both may be referred to as just curl. The distinctive names are used in this document when necessary.

INFO

The hostname comes from the URL that curl has been told to operate with.

The target buffer is the heap-based download buffer in libcurl that is reused for SOCKS negotiation before the transfer has started. The buffer is 16 kB (16384 bytes) by default, but an application can set it to a different size. The curl tool sets it to 102400 bytes by default, but reduces it when --limit-rate is set lower than 102400 bytes per second.

libcurl provides the CURLOPT_BUFFERSIZE option to change the size of the download buffer.

libcurl accepts hostnames up to 65535 bytes in the URL.

If the hostname used is longer than the target buffer, a memcpy() writes past the end of the buffer into adjacent heap memory. The URL parser, and an IDN library if curl is built with one, have to accept the hostname first, which somewhat limits the set of byte sequences an attacker can get into the copy.

For an overflow to happen, the SOCKS5 handshake must be slow enough to trigger the local variable bug, and the client must use a hostname longer than the download buffer. An attacker can supply such a hostname, for example, through a malicious HTTPS server that redirects to a specially crafted URL, which curl then follows when redirects are enabled (-L in the tool, CURLOPT_FOLLOWLOCATION in libcurl).

Typical server latency is likely “slow” enough to trigger this bug without an attacker needing to influence it by DoS or SOCKS server control.

An overflow is only possible in applications that do not set CURLOPT_BUFFERSIZE, or that set it smaller than 65541 bytes. Since the curl tool sets CURLOPT_BUFFERSIZE to 100 kB by default, it is not vulnerable unless the user set a rate limit lower than 65541 bytes/second.
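The state-machine mistake and the buffer-size condition described above, as an added illustration in C. This is a simplified model written for this page, not curl's source: every name in it (sx_*, SX_*) is invented, the SOCKS5 CONNECT layout follows RFC 1928, and instead of performing the out-of-bounds memcpy the model records that it would have happened. sx_step_vulnerable keeps the "resolve locally" decision in a function-scope local that is recomputed on every entry, so a handshake that yields between the INIT and REQ states forgets the fallback and copies the full hostname; sx_step_fixed rejects the over-long name up front, which is what curl 8.4.0 does.

```c
/* Added model of the CVE-2023-38545 flaw for this page; not curl's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SOCKS5_MAX_NAME 255 /* RFC 1928: a domain name's length is one octet */

enum sx_state { SX_INIT, SX_REQ, SX_DONE, SX_FAIL };
enum sx_result { SX_OK, SX_OVERFLOW, SX_REJECTED };

struct sx_conn {
    enum sx_state state;
    const char *hostname;  /* destination host taken from the URL */
    bool proxy_resolves;   /* socks5h:// or CURLPROXY_SOCKS5_HOSTNAME */
    bool slow;             /* proxy reply not ready: state machine must yield */
    unsigned char *buf;    /* heap buffer reused for the SOCKS request */
    size_t buflen;         /* models CURLOPT_BUFFERSIZE */
    bool overflowed;       /* request would not fit: the heap overflow */
};

/* Write a SOCKS5 CONNECT request (VER CMD RSV ATYP DST.ADDR DST.PORT) into
   c->buf. Real code memcpy()s unconditionally; the model records the
   overflow condition instead of corrupting the heap. */
static int sx_emit_request(struct sx_conn *c, const unsigned char *addr,
                           size_t addrlen, unsigned char atyp)
{
    size_t need = 4 + (atyp == 3 ? 1 : 0) + addrlen + 2;
    unsigned char *p = c->buf;
    if(need > c->buflen) {
        c->overflowed = true; /* vulnerable code writes past the buffer here */
        c->state = SX_FAIL;
        return -1;
    }
    *p++ = 5; *p++ = 1; *p++ = 0; *p++ = atyp;
    if(atyp == 3)
        *p++ = (unsigned char)addrlen; /* silently truncated for names over 255 */
    memcpy(p, addr, addrlen);
    p += addrlen;
    *p++ = 0x01; *p++ = 0xbb; /* port 443 */
    c->state = SX_DONE;
    return 0;
}

static const unsigned char sx_ipv4[4] = {192, 0, 2, 1}; /* stand-in resolved address */

/* Vulnerable shape: the fallback decision lives in a local that is
   recomputed each time the non-blocking state machine re-enters. */
static int sx_step_vulnerable(struct sx_conn *c)
{
    bool resolve_local = !c->proxy_resolves;
    size_t hlen = strlen(c->hostname);

    if(c->state == SX_INIT) {
        if(!resolve_local && hlen > SOCKS5_MAX_NAME)
            resolve_local = true; /* intended: fall back to local resolving */
        c->state = SX_REQ;
        if(c->slow)
            return 1; /* would block; the caller re-enters later */
    }
    if(c->state == SX_REQ) {
        if(resolve_local) /* false again after a re-entry: fallback forgotten */
            return sx_emit_request(c, sx_ipv4, sizeof sx_ipv4, 1);
        return sx_emit_request(c, (const unsigned char *)c->hostname, hlen, 3);
    }
    return 0;
}

/* Fixed shape (curl 8.4.0 behaviour): an over-long name in remote-resolve
   mode is an error, so no later state can copy it. */
static int sx_step_fixed(struct sx_conn *c)
{
    size_t hlen = strlen(c->hostname);

    if(c->state == SX_INIT) {
        if(c->proxy_resolves && hlen > SOCKS5_MAX_NAME) {
            c->state = SX_FAIL;
            return -1;
        }
        c->state = SX_REQ;
        if(c->slow)
            return 1;
    }
    if(c->state == SX_REQ) {
        if(!c->proxy_resolves)
            return sx_emit_request(c, sx_ipv4, sizeof sx_ipv4, 1);
        return sx_emit_request(c, (const unsigned char *)c->hostname, hlen, 3);
    }
    return 0;
}

/* Drive one socks5h:// handshake with a hostname of namelen 'a's and a
   buffer of buflen bytes; report what the copy stage did. */
static enum sx_result sx_scenario(bool fixed, bool slow, size_t namelen, size_t buflen)
{
    char *name = malloc(namelen + 1);
    unsigned char *buf = malloc(buflen);
    struct sx_conn c = {SX_INIT, name, true, slow, buf, buflen, false};
    int (*step)(struct sx_conn *) = fixed ? sx_step_fixed : sx_step_vulnerable;
    int rc, guard = 8;
    enum sx_result r;

    if(!name || !buf) { free(name); free(buf); abort(); }
    memset(name, 'a', namelen);
    name[namelen] = '\0';
    while((rc = step(&c)) == 1 && guard-- > 0)
        ; /* re-enter, as the transfer loop does once the socket is readable */
    r = c.overflowed ? SX_OVERFLOW : (rc < 0 ? SX_REJECTED : SX_OK);
    free(name);
    free(buf);
    return r;
}

int main(void)
{
    printf("vulnerable, slow handshake, 300-byte name, 256-byte buffer: %d (1 = overflow)\n",
           sx_scenario(false, true, 300, 256));
    printf("vulnerable, fast handshake, same inputs: %d (0 = ok)\n",
           sx_scenario(false, false, 300, 256));
    printf("fixed, slow handshake, same inputs: %d (2 = rejected)\n",
           sx_scenario(true, true, 300, 256));
    return 0;
}
```

sx_scenario(false, true, 300, 256) hits the overflow while sx_scenario(false, true, 300, 16384) does not, which is the advisory's point that the hostname must be longer than the download buffer, not merely longer than 255 bytes; with a 20000-byte name even the 16 kB default buffer is exceeded. The fixed state machine rejects the 300-byte name whether the handshake is slow or fast.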

The options that cause SOCKS5 with remote hostname to be used in libcurl:

  • CURLOPT_PROXYTYPE set to type CURLPROXY_SOCKS5_HOSTNAME, or:
  • CURLOPT_PROXY or CURLOPT_PRE_PROXY set to use the scheme socks5h://
  • One of the proxy environment variables can be set to use the socks5h:// scheme. For example http_proxy, HTTPS_PROXY or ALL_PROXY.

The options that cause SOCKS5 with remote hostname to be used in the curl tool:

  • --socks5-hostname, or:
  • --proxy or --preproxy set to use the scheme socks5h://
  • Environment variables as described in the libcurl section.

This bug was introduced when the SOCKS5 handshake code was converted from a blocking function into a non-blocking state machine.

The analysis in this section is specific to curl version 8. Some older versions of curl version 7 have less restriction on hostname length and/or a smaller SOCKS negotiation buffer size that cannot be overridden by CURLOPT_BUFFERSIZE.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-38545 to this issue.

CWE-122: Heap-based Buffer Overflow

Severity: High

HackerOne: https://hackerone.com/reports/2187833

AFFECTED VERSIONS

  • Affected versions: libcurl 7.69.0 to and including 8.3.0
  • Not affected versions: libcurl < 7.69.0 and >= 8.4.0
  • Introduced-in: https://github.com/curl/curl/commit/4a4b63daaa

libcurl is used by many applications, but not always advertised as such!

SOLUTION

Starting in curl 8.4.0, curl no longer switches to local resolve mode if the name is too long but instead rightfully returns an error.

  • Fixed-in: https://github.com/curl/curl/commit/fb4415d8aee6c1

Patch collection for older versions

RECOMMENDATIONS

A - Upgrade curl to version 8.4.0 or later

B - Apply the patch to your local version

C - Do not use CURLPROXY_SOCKS5_HOSTNAME proxies with curl

D - Do not set a proxy environment variable to socks5h://
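A host-level check for recommendations A and D, added here as an example and not part of the curl project: it parses the libcurl/X.Y.Z token from the first line of `curl --version` (the library version is what matters, since the tool's 100 kB buffer protects the tool but not other programs linked against the same libcurl) and looks for a socks5h:// proxy in the environment. All function and enum names are invented for this page, the banner and environment arrays are constructed samples, and two caveats apply: distributions backport the fix without bumping the version, so a hit is a lead to confirm against the package changelog, and the environment scan cannot see proxies set via CURLOPT_PROXY or --socks5-hostname.

```c
/* Added triage helper for this page; not part of curl. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strncasecmp (POSIX) */

struct ver { int major, minor, patch; };

enum verdict {
    V_UNKNOWN,             /* no libcurl/X.Y.Z token in the banner */
    V_NOT_AFFECTED,        /* libcurl outside 7.69.0..8.3.0 */
    V_AFFECTED_NO_SOCKS5H, /* affected library, no socks5h:// proxy in env */
    V_EXPOSED              /* affected library and socks5h:// proxy in env */
};

/* Pull the library version out of the first line of `curl --version`,
   e.g. "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 ...". */
static bool libcurl_version(const char *banner, struct ver *v)
{
    const char *p = strstr(banner, "libcurl/");
    if(!p)
        return false;
    return sscanf(p + strlen("libcurl/"), "%d.%d.%d",
                  &v->major, &v->minor, &v->patch) == 3;
}

static int vercmp(struct ver a, struct ver b)
{
    if(a.major != b.major) return a.major - b.major;
    if(a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

/* Affected range from the advisory: 7.69.0 up to and including 8.3.0.
   Backported distro fixes keep the old version string, so treat a hit as
   a lead to verify against the package changelog, not as proof. */
static bool version_affected(struct ver v)
{
    const struct ver lo = {7, 69, 0}, hi = {8, 3, 0};
    return vercmp(v, lo) >= 0 && vercmp(v, hi) <= 0;
}

/* True if a proxy variable selects remote resolution (socks5h://).
   env is a NULL-terminated "NAME=value" array like environ. Names are
   matched case-insensitively, deliberately broader than curl itself, which
   reads http_proxy in lower case only. Proxies set through CURLOPT_PROXY
   or --socks5-hostname are invisible to this check. */
static bool env_uses_socks5h(const char *const *env)
{
    static const char *const names[] = {"all_proxy", "http_proxy",
                                        "https_proxy", "ftp_proxy"};
    for(; *env; env++) {
        const char *eq = strchr(*env, '=');
        size_t nlen, i;
        if(!eq)
            continue;
        nlen = (size_t)(eq - *env);
        for(i = 0; i < sizeof names / sizeof names[0]; i++)
            if(nlen == strlen(names[i]) &&
               strncasecmp(*env, names[i], nlen) == 0 &&
               strncasecmp(eq + 1, "socks5h://", 10) == 0)
                return true;
    }
    return false;
}

static enum verdict assess(const char *banner, const char *const *env)
{
    struct ver v;
    if(!libcurl_version(banner, &v))
        return V_UNKNOWN;
    if(!version_affected(v))
        return V_NOT_AFFECTED;
    return env_uses_socks5h(env) ? V_EXPOSED : V_AFFECTED_NO_SOCKS5H;
}

/* Constructed sample inputs, not captured from a real host. */
static const char *const sample_banner_830 =
    "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.13";
static const char *const sample_banner_840 =
    "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.13";
static const char *const sample_env_remote[] =
    {"HOME=/root", "ALL_PROXY=socks5h://proxy.internal:1080", NULL};
static const char *const sample_env_local[] =
    {"HOME=/root", "https_proxy=socks5://proxy.internal:1080", NULL};

int main(void)
{
    printf("libcurl 8.3.0 + socks5h:// env: %d (3 = exposed)\n",
           assess(sample_banner_830, sample_env_remote));
    printf("libcurl 8.3.0 + socks5:// env:  %d (2 = affected, local resolve)\n",
           assess(sample_banner_830, sample_env_local));
    printf("libcurl 8.4.0 + socks5h:// env: %d (1 = not affected)\n",
           assess(sample_banner_840, sample_env_remote));
    return 0;
}
```

A plain socks5:// proxy resolves names locally and never reaches the remote-resolve code path, so the second case reports the affected library without the exposing configuration; that host still needs the upgrade, but is not reachable through this bug as configured.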

TIMELINE

This issue was reported to the curl project on September 30, 2023. We contacted distros@openwall on October 3, 2023.

libcurl 8.4.0 was released on October 11 2023, coordinated with the publication of this advisory.

CREDITS

  • Reported-by: Jay Satiro
  • Patched-by: Jay Satiro

Thanks a lot!

Related news

Red Hat Security Advisory 2024-0797-03

Red Hat Security Advisory 2024-0797-03 - Updated Satellite 6.14 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include HTTP request smuggling, buffer overflow, denial of service, and memory leak vulnerabilities.

Apple Security Advisory 01-22-2024-7

Apple Security Advisory 01-22-2024-7 - macOS Monterey 12.7.3 addresses code execution vulnerabilities.

CVE-2023-48660: DSA-2023-443: Dell PowerMaxOS 5978, Dell Unisphere 360, Dell Unisphere for PowerMax, Dell Unisphere for PowerMax Virtual Appliance, Dell Solutions Enabler Virtual Appliance, and Dell PowerMax EEM Secu

Dell vApp Manager, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote attacker could potentially exploit this vulnerability to read arbitrary files from the target system.

Red Hat Security Advisory 2023-7626-03

Red Hat Security Advisory 2023-7626-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 2 is now available. Issues addressed include buffer overflow, denial of service, information leakage, and integer overflow vulnerabilities.

CVE-2023-45085: Releases - HyperCloud Docs

An issue exists in SoftIron HyperCloud where compute nodes may come online immediately without following the correct initialization process. In this instance, workloads may be scheduled on these nodes and deploy to a failed or erroneous state, which impacts the availability of these workloads that may be deployed during this time window. This issue impacts HyperCloud versions from 2.0.0 to before 2.0.3.

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]

CVE-2023-5408

A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster.

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Ubuntu Security Notice USN-6429-3

Ubuntu Security Notice 6429-3 - USN-6429-1 fixed vulnerabilities in curl. This update provides the corresponding updates for Ubuntu 23.10. Jay Satiro discovered that curl incorrectly handled hostnames when using a SOCKS5 proxy. In environments where curl is configured to use a SOCKS5 proxy, a remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that curl incorrectly handled cookies when an application duplicated certain handles. A local attacker could possibly create a cookie file and inject arbitrary cookies into subsequent connections.

Red Hat Security Advisory 2023-5763-01

Red Hat Security Advisory 2023-5763-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include a buffer overflow vulnerability.

Red Hat Security Advisory 2023-5700-01

Red Hat Security Advisory 2023-5700-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include a buffer overflow vulnerability.

How to Scan Your Environment for Vulnerable Versions of Curl

This Tech Tip outlines how enterprise defenders can mitigate the risks of the curl and libcurl vulnerabilities in their environments.

Critical Security Vulnerabilities in Curl Patched, Users Advised to Upgrade

By Waqas. The company has issued security patches for two vulnerabilities. This is a post from HackRead.com. Read the original post: Critical Security Vulnerabilities in Curl Patched, Users Advised to Upgrade

Two High-Risk Security Flaws Discovered in Curl Library - New Patches Released

Patches have been released for two security flaws impacting the Curl data transfer library, the most severe of which could potentially result in code execution. The list of vulnerabilities is as follows: CVE-2023-38545 (CVSS score: 7.5), SOCKS5 heap-based buffer overflow vulnerability; CVE-2023-38546 (CVSS score: 5.0), cookie injection with none file. CVE-2023-38545 is the more severe of the

Curl Bug Hype Fizzles After Patching Reveal

Touted for days as potentially catastrophic, the curl flaws only impact a narrow set of deployments.

Gentoo Linux Security Advisory 202310-12

Gentoo Linux Security Advisory 202310-12 - Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. Versions greater than or equal to 8.3.0-r2 are affected.

Debian Security Advisory 5523-1

Debian Linux Security Advisory 5523-1 - Two security issues were found in Curl, an easy-to-use client-side URL transfer library and command line tool.

Ubuntu Security Notice USN-6429-1

Ubuntu Security Notice 6429-1 - Jay Satiro discovered that curl incorrectly handled hostnames when using a SOCKS5 proxy. In environments where curl is configured to use a SOCKS5 proxy, a remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that curl incorrectly handled cookies when an application duplicated certain handles. A local attacker could possibly create a cookie file and inject arbitrary cookies into subsequent connections.

Security Patch for Two New Flaws in Curl Library Arriving on October 11

The maintainers of the Curl library have released an advisory warning of two forthcoming security vulnerabilities that are expected to be addressed as part of updates released on October 11, 2023. This includes a high severity and a low-severity flaw tracked under the identifiers CVE-2023-38545 and CVE-2023-38546, respectively. Additional details about the issues and the exact version ranges
