Finite State Blog

Recent cURL Vulnerabilities & Proactive Software Supply Chain Security

Written by Larry Pesce | Oct 6, 2023 7:37:11 PM

UPDATE 10/11/23: Today is the day, and the embargo is over! Here’s what we now know, specifically about CVE-2023-38545:

Daniel Stenberg has officially noted that CVE-2023-38545 does deserve a classification of HIGH, and indicates that users should upgrade and patch immediately.

Specifically, the HIGH-rated CVE is a heap-based overflow that occurs when cURL is given a hostname longer than 255 bytes while a SOCKS5 proxy is defined and used. The vulnerability can be triggered when certain conditions are met for the use of a SOCKS5 proxy, including libcurl configurations that set CURLOPT_BUFFERSIZE, CURLOPT_PROXY or CURLOPT_PRE_PROXY, or that pick up a socks5h:// proxy from environment variables. Alternatively, the cURL command-line tool is affected when --socks5-hostname, --proxy or --preproxy are used as options.

Original Post (10/6/23):

At Finite State, we center our approach around remaining proactive, ensuring that security is not just a response but a preemptive measure. We are closely monitoring the ongoing dialogue surrounding cURL/libcurl, and the unfolding scenario of a recent, yet undisclosed cURL vulnerability.

cURL: a recent vulnerability history

In the past few months, we’ve seen a surge in identified vulnerabilities, beginning with CVE-2022-42915 and CVE-2022-43552, which raised valid concerns but were swiftly addressed. However, the emergence of CVE-2020-19909, boasting a CVSS score of 9.8, has stirred a considerable debate in the cybersecurity landscape.

Daniel Stenberg, the cURL author and maintainer, has pointedly questioned the CVSS scoring methodology applied to CVE-2020-19909 in his insightful blog post. A score of 9.8 is alarming and suggests a catastrophic impact, yet, as Stenberg notes, the vulnerability might not warrant such a heightened level of concern. It is surmised that the CVSS score was inflated by the mere mention of the word “overflow,” highlighting potential systemic issues in vulnerability assessment metrics. Stenberg goes on to assign the cURL project’s own rating of “LOW” to the same vulnerability, noting its limited actual impact and that it had been easily remediated nearly a year prior.

A reversal of fortune?

As we continue to examine these developments, we're confronted with yet another vulnerability, currently under embargo but assigned a HIGH CVE severity rating (CVE-2023-38545) and an as-yet unknown rating by Stenberg. Although details are sparse due to the embargo, the revelation is that this vulnerability, or a second one that Stenberg has rated LOW (CVE-2023-38546), was introduced approximately 8000 days ago. However, it is currently unclear whether it is the HIGH- or the LOW-rated vulnerability that has been present for nearly 21 years. Regardless, the presence of a vulnerability over such an extended period accentuates the need for continuous and comprehensive security assessments. Ongoing discussion from Stenberg can be found at the cURL GitHub repository.

An eye to the future

cURL plays an indispensable role in automotive, medical, ICS/OT and even consumer IoT markets, and its near-ubiquitous use within thousands of applications and systems makes vulnerabilities in cURL/libcurl a collective concern.

SBOMs are designed to provide real-time insights and comprehensive analysis, enabling organizations to identify and mitigate potential security threats. In light of the recent cURL vulnerabilities, and those slated for release in the near future, accurate SBOMs enhanced with vulnerability intelligence give us valuable insight into the software supply chain. By observing where cURL/libcurl is used across development efforts, we become informed and equipped with actionable intelligence to address these security challenges.

We are actively collaborating with the broader security community to ascertain the depth and breadth of this newly identified “high rating, under embargo” vulnerability. Given the priority placed on the upcoming vulnerability by cURL’s author, organizations utilizing vulnerable versions of cURL must rapidly identify and transition to secure alternatives, mitigating potential security risks. These vulnerable versions will likely include those before version 8.4.0 (the version slated for release on October 11th, 2023).
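As an added example (not code from Finite State or the cURL project), the following script turns the two points above into a check a practitioner can run: it walks a constructed CycloneDX SBOM, flags every curl/libcurl component older than 8.4.0 (the post's stated cut-off; the 8.4.0 threshold and the set of package names are assumptions), and reports which proxy environment variables, if any, point at a socks5h:// proxy, since the update notes that configuration as one of the trigger conditions.

```python
"""Flag curl/libcurl components in a CycloneDX SBOM that predate curl 8.4.0
and report proxy environment variables that select the socks5h:// scheme."""
import json
import os
import re

# Constructed CycloneDX 1.4 SBOM fragment for illustration only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libcurl", "version": "7.88.1"},
        {"type": "library", "name": "curl", "version": "8.4.0"},
        {"type": "library", "name": "openssl", "version": "3.0.10"},
        {"type": "application", "name": "curl", "version": "8.3.0-r1"},
    ],
})

# Assumption taken from the post: every release before 8.4.0 is treated as affected.
FIXED_VERSION = (8, 4, 0)
# Assumed component/package names under which curl ships (libcurl4 is Debian's).
CURL_NAMES = {"curl", "libcurl", "libcurl4"}


def parse_version(version):
    """Turn '8.3.0-r1' into (8, 3, 0); distro suffixes after the numbers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable curl version: {version!r}")
    return tuple(int(x or 0) for x in m.groups())


def affected_curl_components(sbom_json):
    """Return (name, version) for each curl/libcurl component below FIXED_VERSION."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        if comp.get("name", "").lower() in CURL_NAMES:
            if parse_version(comp["version"]) < FIXED_VERSION:
                hits.append((comp["name"], comp["version"]))
    return hits


def socks5h_proxy_vars(env):
    """Names of *_proxy variables (any case) whose value uses the socks5h:// scheme."""
    return sorted(k for k, v in env.items()
                  if k.lower().endswith("_proxy") and v.lower().startswith("socks5h://"))


if __name__ == "__main__":
    for name, ver in affected_curl_components(SAMPLE_SBOM):
        print(f"{name} {ver}: below 8.4.0, schedule an upgrade")
    print("socks5h proxy variables set:", socks5h_proxy_vars(os.environ))
```

Point `affected_curl_components` at a real SBOM export to get the inventory of hosts and builds that need the 8.4.0 upgrade first.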

In conclusion, while we await detailed information on the latest cURL vulnerability, this unfolding scenario accentuates the value of proactive security measures, including those taking stock of our software supply chain in advance of issues.

Stay tuned for detailed insights and actionable intelligence as we continue to unravel the intricate tapestry of the recent cURL vulnerabilities.