Comment on Curl vulnerability
October 2023 by Pieter Danhieux, Co-Founder and CEO at Secure Code Warrior
Following the patch notes on the Curl vulnerability this morning, I have a comment from Pieter Danhieux, Co-Founder and CEO at Secure Code Warrior. Last week Snyk published an advisory on the Curl vulnerability and ranked it as a high-severity vulnerability that could leave nearly all Linux systems vulnerable to attack.
"The security community has been waiting with bated breath for the better part of a week to find out the next steps in navigating a pair of high-severity vulnerabilities that exist in affected versions of the Curl library. With the patch officially out, many of us had our suspicions of a serious remote code execution flaw confirmed. Sadly, Curl has seen a few serious security issues before, despite doing security audits and bug bounties.
This dependency is widely regarded as a foundational pillar of the internet, and there is no getting around that if successfully leveraged, we are at increased general risk online as a result. There are similarities with the devastating Log4Shell attack in Log4j, another vulnerable dependency that is still being exploited almost two years later.
The vulnerability is known as a heap-based buffer overflow, which is quite an old software vulnerability by any measure. However, perhaps the one shield of defense we have is that the communication must go through a SOCKS5 proxy, which, in my opinion, is not a very common deployment. However, security researchers, good and bad, tend to be highly creative and, with today's disclosure of vulnerability information, will be pulling out all the stops to find every avenue to mass-exploit these weaknesses through other means.
While there is no one failsafe method to eliminate all vulnerabilities in software, a code-level vulnerability of this nature could be stopped before entering production if developers were in a state of heightened security awareness on how to avoid these types of early-2000s bugs."
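The commentary above names the bug class (a heap-based buffer overflow reached through SOCKS5 proxying) but not the mechanics. The following constructed C example, added here and not taken from Curl's source or from Secure Code Warrior, illustrates that class on the SOCKS5 wire format rather than reproducing the actual Curl flaw: a CONNECT request with a domain-name destination carries the hostname behind a one-byte length field, so the name can never legitimately exceed 255 bytes. A builder that allocates a heap buffer sized for that maximum but never checks the hostname against it will write past the allocation when handed a longer name, while the hardened builder rejects the name before the first write. All function names, the buffer layout and the test hostnames are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SOCKS5 (RFC 1928) CONNECT request with a domain-name destination:
 *   VER=0x05 CMD=0x01 RSV=0x00 ATYP=0x03 LEN name[LEN] PORT (2 bytes, big-endian)
 * LEN is a single byte, so the protocol itself caps the name at 255 bytes. */
#define SOCKS5_ATYP_DOMAIN 0x03
#define SOCKS5_MAX_NAME    255
#define SOCKS5_REQ_MAX     (4 + 1 + SOCKS5_MAX_NAME + 2)   /* 262 bytes */

/* Constructed VULNERABLE builder (illustration, not Curl's code): the heap
 * buffer is sized for the protocol maximum, but the hostname length is never
 * checked against it. A name longer than 255 bytes overruns the allocation and
 * the LEN byte silently wraps. Only call this with a name already bounded. */
unsigned char *socks5_connect_unchecked(const char *host, uint16_t port, size_t *outlen)
{
    size_t n = strlen(host);
    unsigned char *req = malloc(SOCKS5_REQ_MAX);
    if (req == NULL)
        return NULL;
    req[0] = 0x05; req[1] = 0x01; req[2] = 0x00; req[3] = SOCKS5_ATYP_DOMAIN;
    req[4] = (unsigned char)n;              /* truncated to 8 bits: 256 becomes 0 */
    memcpy(req + 5, host, n);               /* writes past req when n > 255 */
    req[5 + n] = (unsigned char)(port >> 8);
    req[6 + n] = (unsigned char)(port & 0xff);
    *outlen = 7 + n;
    return req;
}

/* How many bytes past its allocation the unchecked builder would write for a
 * given name. Pure arithmetic, so it is safe to evaluate for any input. */
size_t socks5_unchecked_overrun(const char *host)
{
    size_t needed = 7 + strlen(host);
    return needed > SOCKS5_REQ_MAX ? needed - SOCKS5_REQ_MAX : 0;
}

/* HARDENED builder: reject names the wire format cannot carry and check the
 * caller's buffer before the first write. Returns 0 on success, -1 on error. */
int socks5_connect_checked(const char *host, uint16_t port,
                           unsigned char *out, size_t cap, size_t *outlen)
{
    size_t n = strlen(host);
    if (n == 0 || n > SOCKS5_MAX_NAME)      /* LEN is one byte */
        return -1;
    if (cap < 7 + n)                         /* header + name + port must fit */
        return -1;
    out[0] = 0x05; out[1] = 0x01; out[2] = 0x00; out[3] = SOCKS5_ATYP_DOMAIN;
    out[4] = (unsigned char)n;
    memcpy(out + 5, host, n);
    out[5 + n] = (unsigned char)(port >> 8);
    out[6 + n] = (unsigned char)(port & 0xff);
    *outlen = 7 + n;
    return 0;
}

/* Constructed test names: one at the protocol limit, one a single byte over. */
static void fill_name(char *buf, size_t len) { memset(buf, 'a', len); buf[len] = '\0'; }

int main(void)
{
    char name[300];
    unsigned char out[SOCKS5_REQ_MAX];
    size_t len = 0;

    fill_name(name, 255);
    printf("255-byte name: checked=%d unchecked_overrun=%zu\n",
           socks5_connect_checked(name, 443, out, sizeof out, &len),
           socks5_unchecked_overrun(name));
    fill_name(name, 256);
    printf("256-byte name: checked=%d unchecked_overrun=%zu\n",
           socks5_connect_checked(name, 443, out, sizeof out, &len),
           socks5_unchecked_overrun(name));
    return 0;
}
```

The point of the pair is that the two builders produce byte-identical output for every legitimate hostname; they differ only on input the protocol cannot represent, which is exactly the input an attacker controls when the destination hostname comes from a URL. The length check costs one comparison and belongs at the boundary where the untrusted name enters, before any allocation is written.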