Developer Warns for High Severity Vulnerability in libcurl and cURL

Author and maintainer of cURL, Daniel Stenberg (online alias bagder) has published a warning note regarding the shipment of cURL version 8.4.0 scheduled for October 11, which will contain the security fix for the high-severity vulnerability in cURL and libcurl. 

The vulnerability dubbed CVE-2023-38545 is "the worst security problem found in curl in a long time,"  - the developer says.

The cURL developer has not yet disclosed many details about the specific nature of the flaw, as sharing more information at this stage could help attackers identify the root cause and exploit the vulnerability.

However, the developer has responsibly reported the issue and indicated that users should update to the latest version of cURL as soon as possible to patch the problem. 

Withholding certain technical aspects is a common practice to avoid exposing systems before a fix can be implemented. We will have to wait for the developer to share more specifics about the exact origin of the bug once the security update has been sufficiently rolled out.

I cannot disclose any information about which version range that is affected, as that would help identify the problem (area) with a very high accuracy so I cannot do that ahead of time. The "last several years" of versions is as specific as I can get. -Stenberg  says.

According to the developer, this high-severity flaw will affect both the cURL and libcurl libraries. Additionally, there will be a fix for another vulnerability identified as CVE-2023-38546 is a severity-low vulnerability that affects libcurl only, not the tool. This vulnerability is less serious than CVE-2023-38545,

What is cURL and libcurl?

cURL (Client URL) is a command line tool that allows transferring data using various network protocols. It supports common internet protocols like HTTP, HTTPS, FTP, SFTP, SCP, SMTP, POP3, IMAP, etc. cURL is built on top of the libcurl library, which implements the various protocols and capabilities that cURL supports.

libcurl is an open source C library that enables client-side URL transfers. It handles the protocol details and allows programs to make network requests and receive responses via the supported protocols. libcurl is portable and can be used on many operating systems and platforms. 

The curl executable is a client that is built on top of the libcurl library to provide an easy-to-use tool for data transfers over networks using simple commands. Together cURL and libcurl provide a versatile toolset for transferring data to and from remote servers using internet protocols.

Am I vulnerable to CVE-2023-38545?

Answering this question is not possible. The reason for this is the extreme popularity of the cURL and libcurl open source tools that have been around for over 25 years. They are used in billions of applications (directly or indirectly) across many industries.

There is no definitive centralized list or registry of all projects and products that use cURL/libcurl. Their usage is widely dispersed. New products and scripts leveraging cURL/libcurl are frequently created. Keeping an updated global list would be impractical.

Almost every single internet connected device uses cURL or libcurl (directly or indirectly). This includes almost all Linux based OS and other OS, servers, printers, Android devices, cars, smart devices, all IoT devices, etc. 

This time we want to ask one question to the community. Tell us the technologies, platforms, or products where cURL is not used?😌

What else is affected?

One user asked Bagder, does the vulnerability also affect pycurl, python-pycurl etc?

He replied with the following statement -

"Yes it will. In general terms: everything that uses libcurl could theoretically use libcurl in a way that triggers this vulnerability, assuming that the conditions apply and that a vulnerable libcurl version is used. Of course some/many users will also use libcurl without being able to trigger the vulnerability."

"It is impossible for me to make affirmative statements about specific libcurl users now."

Update October 11 - Curl released a fix

Just now, the Curl team has released the Curl version 8.4.0, with the fix of both vulnerability CVE-2023-38545 and CVE-2023-38546. 

Initially, the developer says, "this time actually the worst security problem found in curl in a long time."

pretty much, yes. But this time actually the worst security problem found in curl in a long time.

— daniel:// stenberg:// (@bagder) October 3, 2023

It seems that the vulnerability is only exploitable if the victim is using a SOCKS5 proxy.