
The developers of the open-source tool curl have announced the release of fixes for two vulnerabilities: CVE-2023-38545 and CVE-2023-38546.
Curl, a command-line tool for data transfer supporting various network protocols, plays a vital role in countless applications, with over 20 billion installations worldwide. Its underlying library, libcurl, also serves as a backbone for web-aware applications, making it an essential component of the internet ecosystem.
The high-severity vulnerability tracked as CVE-2023-38545 affects both curl and libcurl, potentially allowing a heap buffer overflow in the SOCKS5 proxy handshake. This flaw could be exploited under specific conditions and poses a significant security risk.
The other, low-severity, vulnerability, tracked as CVE-2023-38546, is a cookie injection issue within libcurl that gives an attacker the ability to insert cookies into a running program.
Attackers may integrate such vulnerabilities into automated tools, malware, and bots, enabling automatic exploitation across many systems and applications. Exploitation involves a slow SOCKS5 handshake and a specially crafted URL, so the technical barrier is unlikely to be high for attackers with a certain level of expertise.
The release of curl 8.4.0 addresses these vulnerabilities, with the primary focus on CVE-2023-38545. The update ensures that curl no longer switches to local resolve mode when a hostname is too long, which removes the path to the heap buffer overflow.
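Because the fix ships in curl 8.4.0, the first thing a defender wants is a quick inventory check of which installed curl builds still predate that release. The POSIX shell script below is an added example, not part of the article or the curl project's own tooling: it parses the first line of `curl --version` output, compares the version against 8.4.0, and prints a verdict. The two sample banners embedded in it are constructed for offline demonstration; the final block runs the same check against a real `curl` binary if one is on the PATH.

```shell
#!/bin/sh
# Added example (not from the article or the curl project): report whether a
# curl build is at or above 8.4.0, the release that fixes CVE-2023-38545 and
# CVE-2023-38546. Comparison is done on the major.minor.patch triple only.

# Extract the version triple from the first line of `curl --version` output,
# e.g. "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 ...".
# Prints nothing if the banner does not start with "curl X.Y.Z".
curl_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^curl \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) when the given X.Y.Z version is 8.4.0 or newer, 1 otherwise.
curl_is_fixed() {
    v="$1"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -gt 8 ]; then return 0; fi
    if [ "$major" -lt 8 ]; then return 1; fi
    if [ "$minor" -gt 4 ]; then return 0; fi
    if [ "$minor" -lt 4 ]; then return 1; fi
    # major == 8 and minor == 4: every 8.4.x build carries the fix
    [ "$patch" -ge 0 ]
}

# Given banner text, print a verdict line.
# Status: 0 = fixed, 1 = affected (upgrade), 2 = version not parseable.
check_curl_banner() {
    ver=$(curl_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "could not parse a curl version from the banner"
        return 2
    fi
    if curl_is_fixed "$ver"; then
        echo "curl $ver: fixed (8.4.0 or later)"
        return 0
    fi
    echo "curl $ver: affected by CVE-2023-38545/CVE-2023-38546, upgrade to 8.4.0 or later"
    return 1
}

# Constructed sample banners (not captured from a real host).
SAMPLE_OLD='curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.11
Protocols: dict file ftp ftps http https'
SAMPLE_NEW='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.11
Protocols: dict file ftp ftps http https'

check_curl_banner "$SAMPLE_OLD" || true
check_curl_banner "$SAMPLE_NEW" || true

# Against the real binary, when one is present on this host.
if command -v curl >/dev/null 2>&1; then
    check_curl_banner "$(curl --version 2>/dev/null)" || true
fi
```

The version check alone is the fleet-wide signal; a build that reports 8.3.0 or older but is never used with a `socks5h://` proxy is still worth upgrading, since libcurl is often linked into applications whose proxy settings are not visible from the command line.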