
Critical Heap Overflow Vulnerability in Curl Fixed After a Week Long Wait

Executive Summary

On October 4, 2023, the curl project announced that its next release would fix a high-severity vulnerability; the fix shipped a week later, on October 11, in curl 8.4.0. The vulnerability, CVE-2023-38545, is a heap buffer overflow in the SOCKS5 proxy handshake. It affects both libcurl and the curl command-line tool, in versions 7.69.0 through 8.3.0.

This article walks through the issue: its cause, the conditions under which it can be triggered, its potential impact, and how it was fixed, and closes with the measures developers and operators can take to keep this flaw out of their systems.

Introduction

Curl is a widely used tool and library for transferring data over many protocols, and it is a dependency of a great many applications and devices, which makes it a central piece of internet communication. Like any software, curl is subject to security bugs. One of significant concern was the heap overflow in the SOCKS5 proxy handshake.

Vulnerability summary

CVE-2023-38545 is a heap buffer overflow in the SOCKS5 proxy handshake.
  • When curl is asked to let the SOCKS5 proxy resolve the hostname (socks5h:// or CURLPROXY_SOCKS5_HOSTNAME) instead of resolving it locally, the name goes into the SOCKS5 request with its length in a single byte, so it can be at most 255 bytes long. For longer names, curl was meant to fall back to resolving the name itself.
  • Due to a bug, that fallback decision lived in a local variable that was reinitialised every time the handshake function was entered. If the SOCKS5 proxy was slow to reply, the function returned to wait and was re-entered later, the decision to resolve locally was lost, and curl went on to copy the over-long hostname into the target buffer, overflowing it, instead of sending a resolved address.
  • The bug was introduced when the SOCKS5 handshake code was restructured from a blocking function into a non-blocking state machine, in curl 7.69.0 (February 2020).
  • That restructuring let the handshake run alongside parallel transfers over SOCKS5, but it opened a hole that is visible only when a SOCKS5 server is slow and the hostname is too long.

Why it matters

  • The overflow requires a specific set of conditions: the client must use a SOCKS5 proxy in hostname-resolving mode (socks5h:// or CURLPROXY_SOCKS5_HOSTNAME), the hostname must be longer than libcurl's target buffer (the download buffer, 16 kB by default, though an application can configure it smaller through CURLOPT_BUFFERSIZE), and the SOCKS5 handshake must be slow enough that the state machine yields and is re-entered before it sends the request. Since nobody types a hostname that long into a URL, the practical delivery vector is a redirect that the client follows automatically (curl's -L, CURLOPT_FOLLOWLOCATION).
  • An attacker who controls an HTTPS server that a libcurl-based client reaches over such a SOCKS5 proxy can therefore return a crafted 30x redirect to a URL with an over-long hostname; when libcurl follows it, the hostname is copied into the heap buffer and overflows it.
  • In the worst case, successful exploitation could lead to memory corruption and arbitrary code execution, or to unauthorized access to sensitive data.

Steps taken to fix this bug

  • The fix, shipped in curl 8.4.0, removes the switch to local resolution altogether: if the hostname is longer than 255 bytes in proxy-resolving mode, curl now fails the transfer with an error, so the over-long name never reaches the buffer copy.
  • The fix commit also adds a dedicated test case for this condition, so a regression would be caught by the project's automated test suite.
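To make the re-entry problem and the fix concrete, here is an added illustration in C; it is not curl's source and not the project's test. It models the handshake the way curl structures it (a "resolve locally" decision taken in the initial state, a yield when the proxy has not replied yet, the CONNECT request built in a heap scratch buffer) next to the 8.4.0-style version that fails early. The state and function names, the 1024-byte scratch buffer and the simulated slow proxy are assumptions of the demo, and the overflow is recorded in a flag rather than performed so the program stays memory-safe.

```c
/* Added model (not curl's source): a cut-down SOCKS5 handshake as a re-entrant
 * state machine, in the shape of the curl 7.69.0-8.3.0 code and of the 8.4.0
 * fix. The slow proxy is simulated; the overflow is flagged, not performed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SOCKS5_MAX_HOSTLEN 255 /* the request stores the name length in one byte */
#define SCRATCH_BUFSIZE 1024   /* assumed scratch buffer size (curl: CURLOPT_BUFFERSIZE) */

enum sx_state { SX_INIT, SX_WAIT_GREETING, SX_SEND_CONNECT, SX_DONE };
enum sx_result { SX_OK, SX_AGAIN, SX_ERROR };

struct sx_conn {
    enum sx_state state;
    int proxy_delays_reply; /* 1: the proxy's greeting reply has not arrived yet */
    int remote_resolve;     /* socks5h:// / CURLPROXY_SOCKS5_HOSTNAME semantics */
    unsigned char *buf;     /* heap scratch buffer the CONNECT request is built in */
    size_t bufsize;
    int overflowed;         /* set when the request does not fit (curl: memcpy overran) */
};

/* Build the ATYP=3 (domain name) CONNECT request; only this demo bounds the copy.
 * With local resolution curl sends a fixed-size address literal instead. */
static void build_hostname_request(struct sx_conn *c, const char *host, size_t hostlen)
{
    if (4 + 1 + hostlen + 2 > c->bufsize) { c->overflowed = 1; return; } /* hdr LEN name port */
    c->buf[0] = 0x05; c->buf[1] = 0x01; c->buf[2] = 0x00; c->buf[3] = 0x03;
    c->buf[4] = (unsigned char)hostlen;     /* silently truncates above 255 */
    memcpy(c->buf + 5, host, hostlen);      /* the copy that overran in curl */
    c->buf[5 + hostlen] = 0x01; c->buf[6 + hostlen] = 0xbb;  /* port 443 */
}

/* Vulnerable shape: "resolve locally" is a local recomputed on every entry. */
static enum sx_result handshake_vulnerable(struct sx_conn *c, const char *host)
{
    int resolve_local = !c->remote_resolve;
    size_t hostlen = strlen(host);
    switch (c->state) {
    case SX_INIT:
        if (!resolve_local && hostlen > SOCKS5_MAX_HOSTLEN)
            resolve_local = 1;              /* decision taken here ... */
        c->state = SX_WAIT_GREETING;
        /* fall through */
    case SX_WAIT_GREETING:
        if (c->proxy_delays_reply) {        /* yield; on re-entry the decision */
            c->proxy_delays_reply = 0;      /* above is recomputed and lost */
            return SX_AGAIN;
        }
        c->state = SX_SEND_CONNECT;
        /* fall through */
    case SX_SEND_CONNECT:
        if (!resolve_local) build_hostname_request(c, host, hostlen);
        c->state = SX_DONE;
        return SX_OK;
    }
    return SX_ERROR;
}

/* Fixed shape: an over-long name in remote-resolve mode fails in SX_INIT, so no
 * later state can copy it and there is no mode switch left to forget. */
static enum sx_result handshake_fixed(struct sx_conn *c, const char *host)
{
    size_t hostlen = strlen(host);
    switch (c->state) {
    case SX_INIT:
        if (c->remote_resolve && hostlen > SOCKS5_MAX_HOSTLEN) return SX_ERROR;
        c->state = SX_WAIT_GREETING;
        /* fall through */
    case SX_WAIT_GREETING:
        if (c->proxy_delays_reply) { c->proxy_delays_reply = 0; return SX_AGAIN; }
        c->state = SX_SEND_CONNECT;
        /* fall through */
    case SX_SEND_CONNECT:
        if (c->remote_resolve) build_hostname_request(c, host, hostlen);
        c->state = SX_DONE;
        return SX_OK;
    }
    return SX_ERROR;
}

/* Run one handshake over a constructed hostname of hostlen 'a's (what a crafted
 * redirect could deliver): -1 = rejected, 1 = request would overrun buf, 0 = fit. */
static int demo(int slow_proxy, int use_fixed, size_t hostlen)
{
    struct sx_conn c = { SX_INIT, slow_proxy, 1, calloc(1, SCRATCH_BUFSIZE), SCRATCH_BUFSIZE, 0 };
    char *host = malloc(hostlen + 1);
    enum sx_result r;
    int result;
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    do r = use_fixed ? handshake_fixed(&c, host) : handshake_vulnerable(&c, host);
    while (r == SX_AGAIN);
    result = r == SX_ERROR ? -1 : c.overflowed;
    free(c.buf);
    free(host);
    return result;
}

int main(void)
{
    printf("vulnerable, fast proxy, 2000-byte name: %d\n", demo(0, 0, 2000));
    printf("vulnerable, slow proxy, 2000-byte name: %d\n", demo(1, 0, 2000));
    printf("fixed,      slow proxy, 2000-byte name: %d\n", demo(1, 1, 2000));
    return 0;
}
```

The three cases print 0, 1 and -1: with a fast proxy the vulnerable code resolves locally and copies nothing; after one yield the same code forgets that decision and would write 2007 bytes into the 1024-byte buffer; the fixed shape rejects the name before the handshake starts. A 300-byte name with the same slow proxy gives 0 in this model because it still fits the buffer, which is the advisory's point that the name must exceed the target buffer, not merely 255 bytes, for memory to be corrupted (curl would still emit a malformed request with a truncated length byte).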

Recommendations

  • Upgrade to curl 8.4.0 or later, where this vulnerability has been addressed.
  • If you cannot upgrade, apply the patch the curl project published for older versions.
  • Avoid using CURLPROXY_SOCKS5_HOSTNAME (or --socks5-hostname on the command line) with affected versions where possible; plain socks5:// proxies resolve names locally and do not go through the vulnerable path.
  • Do not set proxy environment variables (such as ALL_PROXY or HTTPS_PROXY) to a socks5h:// URL.
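As an added audit helper, not from the curl project, the following C program checks the two things these recommendations hinge on: whether a curl version string falls in the affected range 7.69.0 through 8.3.0, and whether a proxy URL uses the remote-resolving socks5h:// scheme. The sample version string and proxy URL in main are constructed; the environment variable names are the ones curl reads. It cannot see an application that selects CURLPROXY_SOCKS5_HOSTNAME in code, which has to be found by review.

```c
/* Added audit helper (not curl project code): classify a curl version string
 * and proxy settings against the CVE-2023-38545 conditions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

struct curl_ver { int major, minor, patch; };

/* Accepts "8.3.0" or the first line of `curl --version` ("curl 8.3.0 (...)"). */
static int parse_curl_version(const char *s, struct curl_ver *v)
{
    while (*s && !isdigit((unsigned char)*s)) s++;   /* skip "curl " or similar */
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) == 3;
}

static int ver_cmp(struct curl_ver a, struct curl_ver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* Advisory range: 7.69.0 up to and including 8.3.0. Returns -1 on unparseable input. */
static int version_affected(const char *s)
{
    struct curl_ver v, lo = {7, 69, 0}, hi = {8, 3, 0};
    if (!parse_curl_version(s, &v)) return -1;
    return ver_cmp(v, lo) >= 0 && ver_cmp(v, hi) <= 0;
}

/* Only a proxy that resolves the name for us reaches the vulnerable path:
 * socks5h:// (same mode as --socks5-hostname / CURLPROXY_SOCKS5_HOSTNAME).
 * Plain socks5:// resolves locally and never copies the hostname. */
static int proxy_resolves_remotely(const char *url)
{
    return url != NULL && strncasecmp(url, "socks5h://", 10) == 0;
}

/* Variables curl consults for proxy settings (http_proxy only in lower case). */
static const char *const PROXY_ENV[] = {
    "all_proxy", "ALL_PROXY", "http_proxy", "https_proxy", "HTTPS_PROXY", NULL
};

/* 1 when an affected version is combined with a remote-resolving proxy URL. */
static int config_exposed(const char *version, const char *const *proxy_urls)
{
    if (version_affected(version) != 1) return 0;
    for (; *proxy_urls; proxy_urls++)
        if (proxy_resolves_remotely(*proxy_urls)) return 1;
    return 0;
}

int main(void)
{
    /* Constructed inputs standing in for `curl --version` and the environment. */
    const char *version = "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2";
    const char *sample[] = { "socks5h://127.0.0.1:1080", NULL };
    printf("sample config exposed: %d\n", config_exposed(version, sample));

    /* Then the real environment of this process (up to five variables plus NULL). */
    const char *live[6];
    int n = 0;
    for (int i = 0; PROXY_ENV[i]; i++) {
        const char *val = getenv(PROXY_ENV[i]);
        if (val) live[n++] = val;
    }
    live[n] = NULL;
    for (int i = 0; i < n; i++)
        printf("%s -> remote-resolve=%d\n", live[i], proxy_resolves_remotely(live[i]));
    return 0;
}
```

Feed it the first line of `curl --version` from each host, or the libcurl version string an application reports, and pair that with the proxy URLs in its environment or configuration; anything that comes back exposed needs the upgrade or the patch, and anything on an affected version that reaches a SOCKS5 proxy should be checked for a code-level CURLPROXY_SOCKS5_HOSTNAME as well.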

The bottom line

Keeping applications and systems secure is a continual process of dealing with new vulnerabilities as they come to light. In the case of CVE-2023-38545, a coordinated pre-announcement gave operators a week to prepare before the fixed release shipped. Regular updates and attention to security advisories remain the main defence for systems that depend on curl.
Publisher: Cyware