WithSecure comment: A nasty bug was found in the widely used Linux utility curl...
October 2023 by WithSecure™
A nasty bug was found in the widely used Linux utility curl, known well
by programmers and system administrators.
The shell command and associated library, known as libcurl, can be used
to transfer data over almost every network protocol and is used in
desktops, servers, clouds, cars, and pretty much every IoT device ever,
with an estimated 20 billion instances of use.
A security bug, CVE-2023-38545, was found, which can be triggered via the
SOCKS5 proxy protocol.
Linux users have been warned to be vigilant and look out for patches,
with most distributions already having released a patch.
Tim West, Global Head of Threat Intelligence, and Jake Knott, Security
Consultant, WithSecure, comment:
_"Initially the vulnerability in curl/libcurl was announced with
commentary that it was probably the worst security flaw in curl in a
long time and that the patch release cycle was being cut short, causing
some alarm within the security community._

_On balance this alarm was justified due to the aforementioned commentary
and the fact that significant bugs in software libraries are notoriously
difficult to detect if and where they are used in enterprise software
packages. These issues get more serious still where they are present in
applications that are internet accessible - rather expected of libcurl.
This was the case for Log4J, which was so severe as it presented such a
broad attack surface._

_In this case, the vuln seems to be related to SOCKS5 local DNS
resolution where hostname > 255 chars. This appears to limit the attack
surface to implementations where SOCKS is in use, and for an attacker to
control the hostname or redirect of a page (although this may be
achieved with a 0-click method using prefetch functionality in
applications that use curl). It does make for a bunch of interesting
exploit scenarios, but as far as we can currently tell - nothing
internet melting, and a far cry from the tagline 'curlmageddon' that
some had assigned to the vulnerability."_
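The comment above narrows the risky condition to two things coinciding: a SOCKS5 proxy in use and a hostname longer than 255 characters, possibly reached through a redirect. The following pre-flight guard is an added illustration of that condition for defenders, not code from WithSecure or the curl project. It assumes the proxy is selected the way curl conventionally does from `<scheme>_proxy` / `all_proxy` environment variables (simplified here: case handling and `no_proxy` are ignored), treats the `socks5` and `socks5h` proxy URL schemes as SOCKS5, and uses the 255-character limit quoted in the comment; the sample environment and hostnames at the bottom are constructed.

```python
"""Pre-flight guard for URLs that will be fetched through a SOCKS5 proxy.

Added illustration, not WithSecure's or curl's own code. It refuses the
combination the comment above describes (SOCKS5 proxy + hostname longer
than 255 characters) before a request, or any redirect hop, reaches libcurl.
"""
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit
import os

MAX_SOCKS5_HOSTNAME = 255                 # limit named in the comment above
SOCKS5_SCHEMES = {"socks5", "socks5h"}    # curl proxy URL schemes for SOCKS5


def proxy_for(url: str, env: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the proxy URL that would be used for `url`, or None.

    Assumption (simplified curl convention): the scheme-specific
    <scheme>_proxy variable wins, then all_proxy; both cases are accepted.
    """
    env = os.environ if env is None else env
    scheme = urlsplit(url).scheme.lower()
    for key in (f"{scheme}_proxy", "all_proxy"):
        value = env.get(key) or env.get(key.upper())
        if value:
            return value
    return None


def uses_socks5(proxy_url: Optional[str]) -> bool:
    """True when the proxy URL's scheme is one of the SOCKS5 variants."""
    return proxy_url is not None and urlsplit(proxy_url).scheme.lower() in SOCKS5_SCHEMES


def check_request(url: str, env: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Only the risky combination is blocked: a SOCKS5 proxy together with a
    hostname longer than MAX_SOCKS5_HOSTNAME characters. Everything else
    passes, so the guard does not break ordinary proxied traffic.
    """
    host = urlsplit(url).hostname or ""
    proxy = proxy_for(url, env)
    if not uses_socks5(proxy):
        return True, "no SOCKS5 proxy in use"
    if len(host) > MAX_SOCKS5_HOSTNAME:
        return False, (f"hostname is {len(host)} chars, exceeds "
                       f"{MAX_SOCKS5_HOSTNAME} via SOCKS5 proxy {proxy}")
    return True, "SOCKS5 proxy in use, hostname length within limit"


def check_chain(urls: Iterable[str], env: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Apply check_request to the initial URL and every redirect target.

    The comment notes an attacker may control a redirect rather than the
    first URL, so each Location hop must be checked, not just the start.
    """
    for hop, url in enumerate(urls):
        allowed, reason = check_request(url, env)
        if not allowed:
            return False, f"hop {hop}: {reason}"
    return True, "all hops within limit"


if __name__ == "__main__":
    # Constructed sample: a SOCKS5 proxy via all_proxy and an over-long host.
    sample_env = {"all_proxy": "socks5h://127.0.0.1:1080"}
    long_host = "a" * 300 + ".example"
    print(check_request("https://example.com/", sample_env))
    print(check_request(f"https://{long_host}/", sample_env))
    print(check_chain(["https://example.com/", f"https://{long_host}/"], sample_env))
```

In practice the same check belongs wherever an application hands URLs to libcurl on behalf of untrusted input (fetchers, link previews, prefetchers), and it is a stop-gap rather than a substitute for deploying the patched curl.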