---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Vulnerability in cURL and libcurl'
version: '1.0'
number: '2023-076'
original_date: 'October 11, 2023'
date: 'October 11, 2023'
---

_History:_

* _11/10/2023 --- v1.0 -- Initial publication_

# Summary

A security vulnerability in the cURL tool and libcurl library has been identified [1]. This flaw enables a heap-based buffer overflow during the SOCKS5 proxy handshake, potentially allowing malicious actors to execute arbitrary code (RCE). At this time, CERT-EU is not aware of any active exploits leveraging this vulnerability.

The vulnerability affects libcurl versions 7.69.0 to 8.3.0. The issue was reported on September 30, 2023, and a patch has been released in curl version 8.4.0. The vulnerability is tracked as `CVE-2023-38545`.

# Technical Details

The vulnerability arises from a bug in curl's handling of hostnames during the SOCKS5 proxy handshake. When instructed to forward the hostname to the SOCKS5 proxy for resolution, curl has a maximum limit of 255 bytes. If a hostname longer than this is encountered, a bug may cause the program to mistakenly copy the entire hostname to the target buffer, instead of just the resolved address.

For the vulnerability to be exploitable, the application must use a `socks5h` proxy, as described below.

In libcurl:

- `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or:
- `CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://`, or:
- One of the proxy environment variables set to use the `socks5h://` scheme, for example `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`.

In the cURL tool:

- `--socks5-hostname`, or:
- `--proxy` or `--preproxy` set to use the scheme `socks5h://`, or:
- Environment variables as described in the libcurl section.

It also requires that the victim accesses an attacker-controlled website.

# Affected Products

- libcurl 7.69.0 to 8.3.0

Note: Versions prior to 7.69.0 are **not affected**.

# Recommendations

While CERT-EU assesses the exploitability of this vulnerability as low, CERT-EU recommends updating to cURL 8.4.0.

As cURL and libcurl are used by a large variety of operating systems and applications, CERT-EU recommends prioritising the patching of public-facing applications, especially those accepting arbitrary user input, and of critical systems.

# References

[1]
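The two preconditions in the Technical Details and Affected Products sections (a libcurl build in the 7.69.0 to 8.3.0 range, and a `socks5h://` proxy selected through the environment) can be checked on a host with a short script. The following is an added example written for this advisory, not code from CERT-EU or the curl project. It parses the first line of `curl --version` output, compares the libcurl version against the advisory's range, and scans proxy environment variables for the `socks5h://` scheme. The sample banner and environment at the bottom are constructed test input; the decision to treat any `*_proxy` variable other than `no_proxy` as a proxy setting, case-insensitively, is an assumption made here to err on the side of flagging more configurations than curl itself honours.

```python
import re
from typing import Dict, List, Mapping, Optional, Tuple

# Affected range stated in the advisory: 7.69.0 up to and including 8.3.0; 8.4.0 carries the fix.
AFFECTED_MIN = (7, 69, 0)
AFFECTED_MAX = (8, 3, 0)

Version = Tuple[int, int, int]


def parse_libcurl_version(banner: str) -> Optional[Version]:
    """Pull the libcurl version out of `curl --version` output.

    The first line looks like "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 ...".
    The libcurl/ token is preferred because the library, not the tool front end,
    contains the SOCKS5 handshake code; the leading "curl X.Y.Z" token is the fallback.
    """
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        m = re.search(r"^curl\s+(\d+)\.(\d+)\.(\d+)", banner, re.MULTILINE)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(version: Version) -> bool:
    """True when the version lies inside the advisory's affected range (inclusive)."""
    return AFFECTED_MIN <= tuple(version) <= AFFECTED_MAX


def socks5h_proxy_vars(env: Mapping[str, str]) -> List[Tuple[str, str]]:
    """Return the proxy environment variables whose value selects the socks5h:// scheme.

    Assumption (not from the advisory): every variable named *_proxy except no_proxy
    is treated as a proxy setting, case-insensitively.
    """
    hits = []
    for name, value in env.items():
        lowered = name.lower()
        if not lowered.endswith("_proxy") or lowered == "no_proxy":
            continue
        if value.strip().lower().startswith("socks5h://"):
            hits.append((name, value))
    return hits


def assess(banner: str, env: Mapping[str, str]) -> Dict[str, object]:
    """Combine both preconditions into one verdict.

    "affected" means the installed libcurl is in the vulnerable range; "exposed"
    additionally requires a socks5h:// proxy configured via the environment.
    Proxy settings made programmatically (CURLOPT_PROXYTYPE, CURLOPT_PROXY,
    CURLOPT_PRE_PROXY) or via --socks5-hostname / --proxy on the command line
    are not visible to this check, so "exposed" can be a false negative.
    """
    version = parse_libcurl_version(banner)
    affected = version is not None and is_affected_version(version)
    proxies = socks5h_proxy_vars(env)
    return {
        "version": version,
        "affected": affected,
        "socks5h_vars": proxies,
        "exposed": affected and bool(proxies),
        "action": "upgrade to curl 8.4.0" if affected else "no action for CVE-2023-38545",
    }


# Constructed sample input standing in for a real host's `curl --version` banner and environment.
SAMPLE_BANNER = (
    "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.10 zlib/1.2.13\n"
    "Protocols: dict file ftp ftps http https\n"
)
SAMPLE_ENV = {
    "ALL_PROXY": "socks5h://proxy.example.internal:1080",  # constructed value
    "no_proxy": "localhost",
}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_BANNER, SAMPLE_ENV).items():
        print(f"{key}: {value}")
```

On a real host, feed `assess()` the output of `curl --version` and `os.environ`; a result with `affected` set but `exposed` clear still warrants the upgrade the advisory recommends, since the environment scan cannot see proxy settings made inside an application.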