Developers of the popular open-source software application and library, curl, have recently addressed two vulnerabilities in the widely used command-line tool. One of the flaws is considered highly severe and has the potential to be exploited by malicious servers to execute malicious code on systems that use curl under specific conditions.
Curl, short for “client for URL,” is a cross-platform and portable command-line tool that facilitates the transfer of data or files to and from URLs. With a history dating back 27 years, it supports various internet communication protocols and technologies, including DICT, FTP, FTPS, Gopher, HTTP 1/2/3, HTTP proxy tunneling, HTTPS, IMAP, Kerberos, LDAP, MQTT, POP3, RTSP, RTMP, SCP, SMTP, and SMB. In addition to the command-line tool, curl also offers a library known as libcurl, which can be integrated into other applications to leverage its functionality.
Daniel Stenberg, the maintainer of curl, recently announced that an important security patch would be released on October 11 to address what he described as “probably the worst curl security flaw in a long time.” Tracked as CVE-2023-38545, this flaw is categorized as a heap buffer overflow and affects curl versions 7.69.0 to 8.3.0. The issue was effectively addressed in the newly released version 8.4.0, which became available on Wednesday.
The second vulnerability, tracked as CVE-2023-38546, only affects libcurl and allows for arbitrary cookie injection into programs that use the library. However, this flaw is rated low severity, so its impact is comparatively limited.
A buffer overflow vulnerability occurs when a program writes more data to a memory buffer than the buffer was sized to hold, overwriting data in adjacent memory regions. Buffer overflows can cause application crashes or, in some cases, enable the execution of arbitrary code. CVE-2023-38545 demonstrates this behavior, and while proof-of-concept exploits have only shown denial of service scenarios to date, researchers anticipate that code execution will likely be achieved in the future. Fortunately, only specific configurations of the tool are vulnerable to this flaw, and they are not enabled by default.
In conclusion, the developers of curl have promptly addressed two vulnerabilities in their widely used command-line tool. The severity of these flaws varies, with the first being classified as highly severe and posing a significant risk of code execution if exploited. The second vulnerability has a lower severity but still warrants attention. Users are strongly advised to update to the latest version of curl to mitigate these security risks effectively.
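To act on the version range given above, the following added example (not code from the curl project) parses the first line of `curl --version` and reports whether the tool and the linked libcurl fall inside 7.69.0 to 8.3.0. The function names and the sample banner are constructed for illustration; distribution packages can carry a backported fix under an unchanged version number, so an "affected" result means the vendor advisory still has to be checked.

```shell
#!/bin/sh
# Added example (not from the curl project). Range taken from the article:
# CVE-2023-38545 affects 7.69.0 through 8.3.0; 8.4.0 carries the fix.
AFFECTED_FIRST=7.69.0
AFFECTED_LAST=8.3.0

# ver_to_int X.Y.Z[-suffix] -> one comparable integer (0 if unparsable)
ver_to_int() {
    clean=${1%%[!0-9.]*}          # drop suffixes such as "-DEV"
    old_ifs=$IFS; IFS=.
    set -- $clean                 # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# classify_curl_version VERSION -> affected | not-affected | unknown
classify_curl_version() {
    n=$(ver_to_int "$1")
    lo=$(ver_to_int "$AFFECTED_FIRST")
    hi=$(ver_to_int "$AFFECTED_LAST")
    if [ "$n" -eq 0 ]; then
        echo unknown
    elif [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# extract_versions BANNER -> "TOOL_VERSION LIBCURL_VERSION" (empty if no match)
extract_versions() {
    printf '%s\n' "$1" |
        sed -n '1s|^curl \([0-9.]*\).* libcurl/\([0-9.]*\).*|\1 \2|p'
}

# report_banner BANNER -> "tool=<class> libcurl=<class>"
report_banner() {
    set -- $(extract_versions "$1")
    echo "tool=$(classify_curl_version "$1") libcurl=$(classify_curl_version "$2")"
}

# Constructed sample of the first line of `curl --version`.
SAMPLE_BANNER='curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.11'
report_banner "$SAMPLE_BANNER"
# On a real host: report_banner "$(curl --version)"
```

The tool and library versions are reported separately because a curl binary can be linked against a libcurl of a different version.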

