Image: Waleed Khan (unsplash)
Two vulnerabilities, CVE-2023-38545 and CVE-2023-38546, were discovered in curl, an integral open-source software for URL-based data transfers. These vulnerabilities are expected to be publicly disclosed on Wednesday, October 11.
Daniel Stenberg, the main developer behind curl, conveyed that one of these vulnerabilities stands out as a significant security flaw in the curl project’s history.
Curl, a command-line tool, and its counterpart, libcurl, a client-side URL transfer library, are products of the curl project. This project has seen contribution and sponsorship from various parties. These tools are widely adopted, enabling data transfer across multiple network protocols. Their usage ranges from cars, televisions, mobile devices, and more, emphasizing the software’s broad footprint across multiple devices and industries.
The upcoming release, curl v8.4.0, aims to address:
- CVE-2023-38545, a high-severity flaw impacting both libcurl and curl.
- CVE-2023-38546, a less critical issue, exclusively affecting libcurl.
Stenberg chose not to delve deep into the specifics of these vulnerabilities. However, he did mention that the forthcoming 8.4.0 release would maintain the existing API and ABI structures.
Owing to curl’s ubiquity in Linux systems, the project’s team has already intimated Linux developers about the vulnerabilities, urging them to have patches ready for swift deployment after curl 8.4.0 becomes available.
The widespread adoption of curl and libcurl makes it crucial for system administrators and organizations to be proactive. Immediate measures include identifying systems using these tools, strategizing on patch implementations, and staying updated with patch releases.
Saeed Abbasi from Qualys Threat Research Unit shared insights with Help Net Security, highlighting the benefits of the unchanged API/ABI in the forthcoming release. This consistency expedites the patching process, reducing potential risks swiftly, and ensures compliance without instigating new audit requirements. However, the challenge emerges with Docker images, many of which may need rebuilding due to their own versions of the curl library. Jonathan Roberts of Docker emphasized the importance of using Docker Scout for tracking curl dependencies.
Endor Labs’ Henrik Plate shared concerns about the likely exploitation methods of the vulnerabilities. Developers must pay close attention, especially when the URLs fed into curl come from external, possibly untrusted sources. Implementing patches, tightening access controls, and deploying other protective measures become critical.
Another complexity arises from the diverse installation methods for the curl command line tool, including through package managers or direct downloads, which might obscure its usage.
Mike McGuire of Synopsys stressed the importance of vigilance. He emphasized that while addressing vulnerabilities, organizations should be wary of deceptive ‘fixed’ versions potentially embedded with malware.
Ax Sharma, a security researcher with Sonatype, drew a distinction between this vulnerability and other notorious ones like Log4j. While many use curl as a command-line utility, its embedding often occurs at an OS level, simplifying the update process. However, a key area of focus should be docker base images that might be overlooking updates and using the vulnerable libcurl.
In summary, the emphasis is on prompt action – implementing patches as soon as they are available and being mindful of potential risks.