Heap-based Buffer Overflow Affecting curl package, versions [7.69.0,8.4.0)
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-UNMANAGED-CURL-5931782
- published4 Oct 2023
- disclosed4 Oct 2023
- creditJay Satiro
Introduced: 4 Oct 2023
CVE-2023-38545 (opens in a new tab)How to fix?
Upgrade curl to version 8.4.0 or higher.
Overview
curl is a command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP. libcurl offers a myriad of powerful features.
Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the SOCKS5 proxy handshake process when the hostname is longer than the target buffer and larger than 255 bytes.
The local variable socks5_resolve_local could get the wrong value during a slow SOCKS5 handshake.
Since the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer.
This is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.
Exploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.
Note:
An overflow is only possible in applications that don't set CURLOPT_BUFFERSIZE or set it smaller than 65541.
Since the curl tool sets CURLOPT_BUFFERSIZE to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.
The options that cause SOCKS5 with remote hostname to be used in libcurl:
CURLOPT_PROXYTYPEset to typeCURLPROXY_SOCKS5_HOSTNAME, or:CURLOPT_PROXYorCURLOPT_PRE_PROXYset to use the schemesocks5h://One of the proxy environment variables can be set to use the
socks5h://scheme. For example,http_proxy,HTTPS_PROXYorALL_PROXY.
The options that cause SOCKS5 with remote hostname to be used in the curl tool:
--socks5-hostname,--proxyor--preproxyset to use the schemesocks5h://Environment variables as described in the libcurl section.
Changelog:
2023-10-04: Initial publication
2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.