How to Safely Identify and Address Vulnerable Versions of Curl

Identifying and Remediating Vulnerabilities in cURL and libcurl

Introduction

The recent discovery of vulnerabilities in the command-line tool cURL and the libcurl library has raised concerns among security teams. While these vulnerabilities can only be exploited under specific conditions, it is crucial for organizations to take immediate action to protect their systems. In this report, we will discuss the nature of these vulnerabilities, provide guidance for security teams on identifying and remediating impacted systems, and emphasize the importance of diligent software tracking and security updates.

The Vulnerabilities

The high severity vulnerability, CVE-2023-38545, affects cURL and libcurl versions 7.69.0 to 8.3.0. The low severity vulnerability impacts libcurl versions 7.9.1 to 8.3.0. Under default settings, however, neither can be exploited: several specific conditions must hold at once, such as cURL being pointed at a malicious server, cURL being configured to use a SOCKS5 proxy in proxy-resolver mode, and the buffer size being set smaller than the default.

According to Yair Mizrahi, a senior security researcher at JFrog, the libcurl library is vulnerable only if certain environment variables are set. Similarly, the command-line tool cURL is vulnerable if executed with specific flags or affected environment variables. Mizrahi stated that due to the restrictive set of pre-conditions required for a machine to be vulnerable, the majority of cURL users are unlikely to be affected by these vulnerabilities.

Identifying Impacted Systems

Organizations must begin by scoping their environments and identifying all systems that use cURL and libcurl. This includes inventorying systems, assessing software delivery processes, and scanning containers and applications. Alex Ilgayev, head of security research at Cycode, suggests using software composition analysis tools and application security posture management utilities to evaluate the software environment.

To identify which versions of cURL are installed, the following commands can be used:

  • Linux/MacOS: find / -name curl 2>/dev/null -exec echo "Found: {}" \; -exec {} --version \;
  • Windows: Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue -Filter curl.exe | ForEach-Object { Write-Host "Found: $($_.FullName)"; & $_.FullName --version }

GitHub provides queries to run in Defender for Endpoint, while Qualys offers rules for using its platform to identify devices with cURL installed. For organizations using Docker containers, scanning the images for vulnerable versions is essential. Docker has published instructions on assessing the images.
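Once the find/Get-ChildItem sweep above has produced `curl --version` output for each binary, the next step is to map each version onto the affected ranges stated in this report. The following is an added example, not code from the article or from any vendor quoted in it; the sample outputs are constructed, and the range boundaries are taken from the text above.

```python
import re

# Inclusive affected ranges as stated in the report.
HIGH_RANGE = ((7, 69, 0), (8, 3, 0))   # CVE-2023-38545: curl tool and libcurl
LOW_RANGE = ((7, 9, 1), (8, 3, 0))     # low-severity issue: libcurl only

FIRST_LINE_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)(?:-DEV)?\b")
LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def parse_versions(output):
    """Return (tool, libcurl) version tuples from `curl --version` output.

    Only the first line is examined; if no libcurl/ token is present the
    tool version is assumed to apply to the library as well.
    """
    first = output.strip().splitlines()[0]
    m = FIRST_LINE_RE.match(first)
    if not m:
        raise ValueError("unrecognised curl --version output: %r" % first)
    tool = tuple(int(x) for x in m.groups())
    lib = LIBCURL_RE.search(first)
    lib = tuple(int(x) for x in lib.groups()) if lib else tool
    return tool, lib


def in_range(version, bounds):
    lo, hi = bounds
    return lo <= version <= hi


def assess(output):
    """List the issues whose affected range covers this build.

    Caveat: a distribution may backport the fix without changing the version
    string, so a hit means "check the vendor advisory", not proven exposure;
    a version outside the range is a reliable negative.
    """
    tool, lib = parse_versions(output)
    findings = []
    if in_range(tool, HIGH_RANGE) or in_range(lib, HIGH_RANGE):
        findings.append("CVE-2023-38545")
    if in_range(lib, LOW_RANGE):
        findings.append("low-severity libcurl issue")
    return findings


# Constructed sample outputs (not captured from real hosts).
SAMPLE_VULNERABLE = "curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2\nRelease-Date: 2023-05-30\n"
SAMPLE_FIXED = "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2\n"
SAMPLE_OLD = "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f\n"
```

Feed it the captured output of each binary found by the sweep; a 7.68.0 build, for instance, is outside the high-severity range but still inside the libcurl-only range.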

Henrik Plate, a security researcher at Endor Labs, emphasizes the importance of maintaining meticulous records of all open source software used within an organization. A software bill of materials can serve as a starting point for identifying instances of cURL. John Gallagher, vice president of Viakoo Labs, suggests monitoring security updates from other applications as libcurl is commonly used by different operating systems and applications.

Remediating Vulnerabilities

Although these vulnerabilities may not be immediately exploitable, it is crucial to apply updates and patches to protect systems. Patches for cURL and libcurl are available directly, and many operating systems, such as Debian, Ubuntu, and Red Hat, have already pushed fixed versions. Security teams should also keep an eye out for security updates from other applications that use the libcurl library.

One workaround suggested by JFrog's Mizrahi is to force cURL to resolve hostnames locally when connecting to a SOCKS5 proxy. On the command line this is achieved with the syntax curl -x socks5://someproxy.com. In the libcurl library, the equivalent is to use the CURLPROXY_SOCKS5 proxy type in place of CURLPROXY_SOCKS5_HOSTNAME.

Benjamin Marr, a security engineer at Intruder, advises security teams to monitor cURL flags for excessively large strings, which could indicate a compromised system. Flags such as --socks5-hostname, or --proxy and --preproxy set to use the scheme socks5h://, should be monitored closely.
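The monitoring heuristic described above can be expressed as a check over captured process command lines. This is an added example, not code from the article or from Intruder; the 255-byte threshold (the SOCKS5 one-byte hostname length limit), the set of flags inspected and the sample command lines are assumptions made for the example.

```python
import os
import shlex
from urllib.parse import urlsplit

# Assumption: 255 bytes, the SOCKS5 hostname length limit, marks an
# "excessively large" hostname. Tune for your environment.
MAX_HOST_LEN = 255
PROXY_FLAGS = {"-x", "--proxy", "--preproxy"}


def uses_socks5_hostname_mode(argv):
    """True if the command line makes the SOCKS5 proxy resolve hostnames."""
    for i, arg in enumerate(argv):
        if arg == "--socks5-hostname":
            return True
        flag, _, value = arg.partition("=")          # --proxy=VALUE form
        if flag in PROXY_FLAGS and not value and i + 1 < len(argv):
            value = argv[i + 1]                      # --proxy VALUE form
        if flag in PROXY_FLAGS and value.lower().startswith("socks5h://"):
            return True
    return False


def longest_hostname(argv):
    """Length of the longest hostname in any URL-like argument."""
    longest = 0
    for arg in argv[1:]:
        value = arg.split("=", 1)[1] if arg.startswith("--") and "=" in arg else arg
        if "://" not in value:
            value = "//" + value        # let urlsplit treat a bare host:port as netloc
        try:
            host = urlsplit(value).hostname or ""
        except ValueError:              # e.g. malformed IPv6 literal
            host = ""
        longest = max(longest, len(host))
    return longest


def triage(cmdline):
    """Classify one captured command line; None if it is not a curl invocation."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]).lower() not in ("curl", "curl.exe"):
        return None
    socks5h, longest = uses_socks5_hostname_mode(argv), longest_hostname(argv)
    return {"socks5h": socks5h, "longest_host": longest,
            "suspicious": socks5h and longest > MAX_HOST_LEN}


# Constructed sample command lines, as an EDR or auditd feed might record them.
SAMPLES = [
    "curl -sS https://example.com/api",
    "curl -x socks5h://proxy.internal:1080 https://example.com/",
    "curl --proxy=socks5h://proxy.internal:1080 https://" + "a" * 300 + ".example.com/",
    "curl --socks5-hostname proxy.internal:1080 http://" + "b" * 300 + ".test/",
    "curl -x http://proxy.internal:3128 https://" + "c" * 300 + ".example.com/",
]
```

Only invocations that both select proxy-side resolution and carry an oversized hostname are flagged; a proxy configured through environment variables such as ALL_PROXY does not appear on the command line, so that case needs a separate check of the process environment.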

Conclusion

Addressing the vulnerabilities in cURL and libcurl requires a proactive approach from security teams. By identifying and remediating impacted systems, maintaining comprehensive software tracking, and applying security updates and patches, organizations can reduce the risk of exploitation. It is essential for security teams to stay vigilant and prioritize the security of their software systems to protect sensitive data and maintain the trust of their users.
