A nasty bug was found in the widely used Linux utility curl, known well by programmers and system administrators.
The shell command and associated library, known as libcurl, can be used to transfer data over almost every network protocol and is used in desktops, servers, clouds, cars, and pretty much every IoT device ever, with an estimated 20 billion instances of use.
A security bug, CVE-2023-38545, was found, which can be invoked using the SOCKS5 proxy protocol.
Linux users have been warned to be vigilant and look out for patches, with the majority already having released a patch.
Tim West, Global Head of Threat Intelligence & Jake Knott, Security Consultant, WithSecure comment:
“Initially the vulnerability in curl/libcurl was announced with commentary that it was probably the worst security flaw in Curl in a long time and that the patch release cycle was being cut short, causing some alarm within the security community.
On balance this alarm was justified due to aforementioned commentary and the fact that significant bugs in software libraries are notoriously difficult to detect if and where they are used in enterprise software packages. These issues get more serious still where they are present in applications that are internet accessible – rather expected of libcurl. This was the case for Log4J, which was so severe as it presented such a broad attack surface.
In this case, the vuln seems to be related to SOCKS5 local DNS resolution where hostname > 255 chars. This appears to limit the attack surface to implementations where SOCKS is in use, and for an attacker to control the hostname or redirect of a page (although this may be achieved with a 0 click method using prefetch functionality in applications that use CURL). It does make for a bunch of interesting exploit scenarios, but as far as we can currently tell – nothing internet melting, and a far cry from the tagline ‘curlmageddon’ that some had assigned to the vulnerability.”
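
A triage sketch for the two conditions named in the commentary above, SOCKS5 in use and a redirect to a hostname longer than 255 characters. This is an added example, not code from curl or from WithSecure; the record layout, the sample data and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

HOSTNAME_LIMIT = 255                      # length named in the commentary
SOCKS5_SCHEMES = {"socks5", "socks5h"}    # proxy URL schemes curl accepts for SOCKS5
PROXY_VARS = ("ALL_PROXY", "all_proxy", "HTTPS_PROXY", "https_proxy", "http_proxy")


def uses_socks5(env):
    """Return the proxy variables in `env` that point at a SOCKS5 proxy."""
    return [name for name in PROXY_VARS
            if urlsplit(env.get(name, "")).scheme.lower() in SOCKS5_SCHEMES]


def oversized_redirects(records):
    """Flag redirects whose target hostname exceeds HOSTNAME_LIMIT.

    `records` is an iterable of (request_url, status, location) tuples,
    a hypothetical layout for exported proxy or client logs.
    """
    hits = []
    for request_url, status, location in records:
        if not 300 <= status < 400 or not location:
            continue                      # only redirects carry a new hostname
        host = urlsplit(location).hostname or ""   # relative targets have none
        if len(host) > HOSTNAME_LIMIT:
            hits.append((request_url, len(host)))
    return hits


# Constructed sample data, not taken from any real system.
SAMPLE_ENV = {"ALL_PROXY": "socks5h://127.0.0.1:1080",
              "HTTPS_PROXY": "http://proxy.example:3128"}
LONG_HOST = "a" * 300 + ".example"
SAMPLE_RECORDS = [
    ("http://intranet.example/start", 302, "http://" + LONG_HOST + "/x"),
    ("http://intranet.example/login", 302, "/home"),
    ("http://intranet.example/ok", 200, None),
]

if __name__ == "__main__":
    print("SOCKS5 proxy variables:", uses_socks5(SAMPLE_ENV))
    for url, length in oversized_redirects(SAMPLE_RECORDS):
        print(f"redirect from {url} targets a {length}-character hostname")
```

A host that shows up in both results is where to confirm the installed curl/libcurl has the vendor's patch for CVE-2023-38545 first.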