Urgent update: curl 8.4.0 fixes a critical security flaw

Carding 4 Carders

"I'm just a human being," the main developer of the project commented on his mistake.

Following a lively discussion about the security issues of the curl command-line data transfer tool, a new version was finally released today that addresses the previously identified vulnerabilities.

Daniel Stenberg, founder and chief developer of the curl project, described the vulnerabilities as "probably the most serious curl security issues in a long time." The release fixes two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546.

CVE-2023-38545
The first vulnerability, CVE-2023-38545, is rated high severity. It is a heap buffer overflow that affects both libcurl and the curl tool. Possible consequences include data corruption and even arbitrary code execution.

The vulnerability can be triggered during a slow SOCKS5 proxy handshake because of incorrect handling of hostnames longer than 255 bytes. When the hostname exceeds 255 bytes, curl is supposed to switch to local resolution rather than ask the proxy to resolve the name remotely.

"Due to an error, a local variable with the value 'let the host resolve the name' may have received an incorrect value during a slow SOCKS5 confirmation and, contrary to the intention, copied an excessively long host name to the target buffer," the developer said.

The report also says that attackers could realistically exploit this vulnerability by using a malicious HTTPS server that redirects to a URL crafted specifically to trigger the heap buffer overflow.

Applications that depend on libcurl versions 7.69.0 through 8.3.0 inclusive should upgrade to version 8.4.0 as soon as possible. Applications that do not set the preferred receive buffer size (CURLOPT_BUFFERSIZE), or that set it to less than 65541 bytes, are particularly vulnerable.

The default configuration of the curl tool protects against this vulnerability, but applications that depend on libcurl may need to make manual changes. As a workaround, the developer also recommended not using the CURLPROXY_SOCKS5_HOSTNAME proxy type and not setting the proxy environment variable to a "socks5h://" URL.

"Reading the code now, it is impossible not to see the error. It really pains me to admit the fact that I made a mistake that then stayed in the code for 1315 days. I apologize. I'm just a human being," the developer admitted.

In version 8.4.0, Stenberg says, curl returns an error whenever a hostname longer than 255 bytes is encountered, instead of trying to copy it.
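The core of the fix is a length check: the SOCKS5 domain-name address type carries the hostname behind a single length byte, so a name over 255 bytes can never be sent to the proxy and must be rejected rather than silently copied somewhere else. The following is an added, self-contained illustration of that check and of a bounds-checked SOCKS5 address encoder; it is not curl's own code, and the function and type names (`socks5_choose_resolve`, `socks5_encode_domain`, `socks5_resolve_t`) are invented for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOCKS5 (RFC 1928) address type 0x03 is "domain name": one length byte
 * followed by the name, so a hostname sent to the proxy is at most 255 bytes. */
#define SOCKS5_ATYP_DOMAIN  0x03
#define SOCKS5_MAX_HOSTNAME 255

/* How the hostname will be resolved before the CONNECT request is built.
 * (Hypothetical enum for this example, not a libcurl type.) */
typedef enum {
    SOCKS5_REMOTE_RESOLVE,    /* proxy resolves the name (socks5h://) */
    SOCKS5_LOCAL_RESOLVE,     /* client resolves the name (socks5://) */
    SOCKS5_HOSTNAME_TOO_LONG  /* reject the request, as curl 8.4.0 does */
} socks5_resolve_t;

/* Decide the resolution mode for a hostname. The fixed behaviour the article
 * describes: a name longer than 255 bytes is an error, never a silent fallback
 * that leaves a stale "copy the hostname" decision in place. */
socks5_resolve_t socks5_choose_resolve(const char *host, bool want_remote)
{
    size_t len = strlen(host);
    if (!want_remote)
        return SOCKS5_LOCAL_RESOLVE;
    if (len > SOCKS5_MAX_HOSTNAME)
        return SOCKS5_HOSTNAME_TOO_LONG;
    return SOCKS5_REMOTE_RESOLVE;
}

/* Encode the destination part of a SOCKS5 CONNECT request
 * (ATYP, length byte, hostname bytes, 2-byte big-endian port) into `out`.
 * Returns the number of bytes written, or 0 when the name cannot be
 * represented or `out` is too small. Every copy is bounds-checked first. */
size_t socks5_encode_domain(const char *host, uint16_t port,
                            uint8_t *out, size_t outlen)
{
    size_t len  = strlen(host);
    size_t need = 1 + 1 + len + 2;
    if (len == 0 || len > SOCKS5_MAX_HOSTNAME)
        return 0;               /* does not fit in one length byte */
    if (outlen < need)
        return 0;               /* destination buffer too small */
    out[0] = SOCKS5_ATYP_DOMAIN;
    out[1] = (uint8_t)len;
    memcpy(out + 2, host, len);
    out[2 + len] = (uint8_t)(port >> 8);
    out[3 + len] = (uint8_t)(port & 0xff);
    return need;
}

int main(void)
{
    uint8_t buf[512];
    char longname[300];                       /* constructed 299-byte name */
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    size_t n = socks5_encode_domain("example.com", 443, buf, sizeof buf);
    printf("example.com:443 encodes to %zu bytes\n", n);
    printf("299-byte name with remote resolve: %s\n",
           socks5_choose_resolve(longname, true) == SOCKS5_HOSTNAME_TOO_LONG
               ? "rejected" : "accepted");
    printf("299-byte name encode result: %zu (0 means refused)\n",
           socks5_encode_domain(longname, 80, buf, sizeof buf));
    return 0;
}
```

The design point is that the length decision and the copy are tied together: the encoder refuses any name the protocol cannot carry, and the caller gets an explicit error code instead of a mode switch that a later code path might misinterpret.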

CVE-2023-38546
The second vulnerability, CVE-2023-38546, is less severe. It is a cookie-injection issue and affects only libcurl.

The developer separately noted that the probability of an attacker meeting all the conditions needed to trigger CVE-2023-38546 is low. Even if they did, the risk that a cookie-based attack poses to the user's security is still low.

The affected versions are libcurl 7.9.1 through 8.3.0 inclusive. Users are advised to upgrade to curl 8.4.0 as soon as possible; as a workaround, call `curl_easy_setopt(cloned_curl, CURLOPT_COOKIELIST, "ALL");` after each call to `curl_easy_duphandle();`.

Reflections on the future of the project
Daniel Stenberg acknowledged that bugs like these would not have existed if the tool had been written in a memory-safe language rather than legacy C. However, there are no plans to switch to another language yet, because of the difficulties involved and limited developer resources. Stenberg stressed that curl development will continue in C for the foreseeable future.

"Anyone who doesn't like it can roll up their sleeves and start developing on their own," Stenberg added.