Full Report
Detect and mitigate CVE-2023-38545, a high-severity heap buffer overflow in cURL's SOCKS5 proxy handshake. Organizations should upgrade to the patched release, curl 8.4.0 or newer.
Analysis Summary
# Vulnerability: Heap Buffer Overflow in cURL SOCKS5 Proxy Handshake (CVE-2023-38545)
## CVE Details
- CVE ID: CVE-2023-38545
- CVSS Score: Not stated in the source material; the curl project rates the issue **high severity**.
- CWE: CWE-122 Heap-based Buffer Overflow
## Affected Systems
- Products: libcurl, applications utilizing libcurl
- Versions: 7.69.0 up to and including 8.3.0
- Configurations: The application must use a SOCKS5 proxy and delegate hostname resolution to the proxy (`CURLPROXY_SOCKS5_HOSTNAME` in libcurl, a `socks5h://` proxy URL, or `--socks5-hostname` in the curl tool).
## Vulnerability Description
This flaw is a heap-based buffer overflow in the SOCKS5 proxy handshake, reachable when curl is configured to let the proxy resolve the hostname. The SOCKS5 request carries the hostname with a single length byte, so names longer than 255 bytes cannot be forwarded; curl handles these by switching to local name resolution and sending only the resolved address. That decision was held in a local variable of the handshake function. When the handshake was slow enough for the non-blocking state machine to return to the caller and be re-entered later, the variable was re-initialised from the proxy type and the fallback was forgotten, so curl copied the entire over-long hostname into the target buffer instead of the resolved address. The target is the heap-allocated download buffer (16 kB by default in libcurl, adjustable with `CURLOPT_BUFFERSIZE`), and the hostname comes from the URL curl was asked to fetch, including a URL received in an HTTP redirect, so an attacker who can supply a hostname longer than that buffer can overflow it.
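The state-machine mistake described above, modelled as an added example in C. This is illustrative code written for this page, not curl's source: a vulnerable handshake that re-derives the resolve-locally decision in a local variable on every call sits beside a fixed one that keeps the decision in the connection state. Writes go through a bounds-checked helper that records the would-be overflow instead of performing it, so the model is safe to run. The names (`socks5_vulnerable`, `socks5_fixed`, `overflows`) and the 192.0.2.1 stand-in address are this example's own.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define SOCKS5_MAX_HOSTNAME 255   /* the request has a one-byte length field */
#define ATYP_IPV4   0x01
#define ATYP_DOMAIN 0x03

enum proxytype { PROXY_SOCKS5, PROXY_SOCKS5_HOSTNAME };
enum state { STATE_INIT, STATE_CONNECT, STATE_DONE };

struct conn {
    enum proxytype type;
    enum state state;
    bool resolve_local;   /* used only by the fixed variant */
    unsigned char *buf;   /* heap buffer reused for the handshake */
    size_t bufsize;
    size_t len;           /* bytes of CONNECT request written so far */
    bool overflow;        /* recorded instead of writing past buf */
};

/* Constructed stand-in for a locally resolved address (documentation range). */
static const unsigned char fake_ipv4[4] = {192, 0, 2, 1};

/* Bounds-checked append: records the overflow rather than corrupting the heap. */
static void put(struct conn *c, const void *src, size_t n)
{
    if (c->len + n > c->bufsize) { c->overflow = true; return; }
    memcpy(c->buf + c->len, src, n);
    c->len += n;
}

/* Build the SOCKS5 CONNECT request: VER CMD RSV ATYP, address, port. */
static void write_connect(struct conn *c, const char *host, size_t hostlen,
                          bool resolve_local)
{
    unsigned char hdr[4] = {0x05, 0x01, 0x00, resolve_local ? ATYP_IPV4 : ATYP_DOMAIN};
    unsigned char port[2] = {0x01, 0xbb};           /* 443 */
    unsigned char len8 = (unsigned char)hostlen;    /* the one-byte length field */

    put(c, hdr, 4);
    if (resolve_local) {
        put(c, fake_ipv4, 4);        /* only the resolved address is sent */
    } else {
        put(c, &len8, 1);
        put(c, host, hostlen);       /* the whole hostname is copied */
    }
    put(c, port, 2);
    c->state = STATE_DONE;
}

/* Vulnerable pattern: the decision is a local that every call re-derives from the
 * proxy type, so the long-hostname fallback set in STATE_INIT is gone when a slow
 * proxy makes the caller re-enter in STATE_CONNECT. */
static void socks5_vulnerable(struct conn *c, const char *host, bool slow_proxy)
{
    size_t hostlen = strlen(host);
    bool resolve_local = (c->type != PROXY_SOCKS5_HOSTNAME);

    if (c->state == STATE_INIT) {
        if (hostlen > SOCKS5_MAX_HOSTNAME)
            resolve_local = true;    /* remembered only for this call */
        c->state = STATE_CONNECT;
        if (slow_proxy)
            return;                  /* wait for the proxy; come back later */
    }
    if (c->state == STATE_CONNECT)
        write_connect(c, host, hostlen, resolve_local);
}

/* Fixed pattern: the decision is stored in the connection state. */
static void socks5_fixed(struct conn *c, const char *host, bool slow_proxy)
{
    size_t hostlen = strlen(host);

    if (c->state == STATE_INIT) {
        c->resolve_local = (c->type != PROXY_SOCKS5_HOSTNAME) ||
                           hostlen > SOCKS5_MAX_HOSTNAME;
        c->state = STATE_CONNECT;
        if (slow_proxy)
            return;
    }
    if (c->state == STATE_CONNECT)
        write_connect(c, host, hostlen, c->resolve_local);
}

/* Constructed hostname of n 'a' characters (capped at 4095). */
static const char *make_host(size_t n)
{
    static char host[4096];
    if (n >= sizeof host) n = sizeof host - 1;
    memset(host, 'a', n);
    host[n] = '\0';
    return host;
}

/* Drive one handshake in proxy-resolve mode (first call, then re-entry if the
 * proxy was slow); returns true if the request would have overflowed buf. */
bool overflows(bool fixed, size_t hostlen, size_t bufsize, bool slow_proxy)
{
    struct conn c = {PROXY_SOCKS5_HOSTNAME, STATE_INIT, false, NULL, bufsize, 0, false};
    void (*handshake)(struct conn *, const char *, bool) =
        fixed ? socks5_fixed : socks5_vulnerable;

    c.buf = calloc(1, bufsize);
    handshake(&c, make_host(hostlen), slow_proxy);
    if (c.state != STATE_DONE)
        handshake(&c, make_host(hostlen), false);
    free(c.buf);
    return c.overflow;
}
```

With a 1024-byte buffer (the smallest value `CURLOPT_BUFFERSIZE` accepts), a 300-byte hostname is wrongly forwarded by the vulnerable variant but still fits, a 2000-byte hostname overflows only when the proxy is slow, and the fixed variant writes the ten-byte IPv4 request in every case. That is why the advisory's preconditions are both a long hostname and a handshake slow enough to make curl return to the caller.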
## Exploitation
- Status: No public remote code execution exploit is known at the time of writing. The likelihood of exploitation in the wild is assessed as **low**: turning this memory corruption into code execution is hard, and the most likely outcome is a crash (denial of service).
- Complexity: Assessed as **Medium**. The attacker needs both a crafted, over-long hostname (for example delivered through an HTTP redirect) and a proxy handshake slow enough for curl to return to the caller and re-enter the state machine; reliable exploitation beyond DoS is difficult.
- Attack Vector: Network (a crafted URL or redirect reaching a client that uses a SOCKS5 proxy with proxy-side name resolution)
## Impact
- Confidentiality: Potential (memory corruption; no disclosure primitive demonstrated)
- Integrity: Potential (heap memory corruption; no code execution demonstrated)
- Availability: High (Denial of Service possible)
## Remediation
### Patches
- Upgrade **cURL to version 8.4.0 or newer**.
### Workarounds
1. Do not use `CURLPROXY_SOCKS5_HOSTNAME` proxies with curl.
2. Do not set a proxy environment variable to a `socks5h://` URL.
3. **For Windows users:** Wait for the official Microsoft update that ships the patched curl; replacing the system curl manually may interfere with Windows updates.
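An exposure check that applies the conditions above (affected version range plus a proxy that delegates name resolution) to a version string and a proxy URL, as an added example in C. This is not code from the advisory or from curl; the function names, the `proxy_env` list order and the sample inputs in `main` are this example's own. The environment-variable helper covers workaround 2 by reporting the first `socks5h://` proxy found.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse the first "x.y.z" in a version string ("8.3.0", "libcurl/7.88.1",
 * "curl 8.4.0 (x86_64-pc-linux-gnu) ...") into a single comparable number. */
static bool parse_version(const char *s, long *out)
{
    int maj, min, patch;
    while (*s && !isdigit((unsigned char)*s)) s++;
    if (sscanf(s, "%d.%d.%d", &maj, &min, &patch) != 3) return false;
    *out = (long)maj * 1000000L + min * 1000L + patch;
    return true;
}

/* Affected range from the advisory: 7.69.0 up to and including 8.3.0. */
bool version_affected(const char *version)
{
    long v;
    if (!parse_version(version, &v)) return false;   /* unparsable: make no claim */
    return v >= 7069000L && v <= 8003000L;
}

/* Case-insensitive prefix test (URL schemes are case-insensitive). */
static bool has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return false;
    return true;
}

/* True when the proxy URL delegates name resolution to the proxy: the
 * "socks5h://" scheme, which libcurl maps to CURLPROXY_SOCKS5_HOSTNAME. */
bool proxy_forwards_hostname(const char *proxy)
{
    return proxy != NULL && has_prefix_ci(proxy, "socks5h://");
}

/* Exposed only when both conditions hold: affected version and socks5h proxy. */
bool exposed(const char *version, const char *proxy)
{
    return version_affected(version) && proxy_forwards_hostname(proxy);
}

/* Environment variables curl consults for a proxy, in the order checked here. */
static const char *const proxy_env[] = {
    "ALL_PROXY", "all_proxy", "HTTPS_PROXY", "https_proxy", "http_proxy", NULL
};

/* First socks5h:// proxy set in the environment, or NULL (workaround 2). */
const char *socks5h_proxy_in_env(void)
{
    for (int i = 0; proxy_env[i]; i++) {
        const char *v = getenv(proxy_env[i]);
        if (proxy_forwards_hostname(v)) return v;
    }
    return NULL;
}

int main(void)
{
    /* Constructed inputs; a real program would take the version from
     * curl_version_info(CURLVERSION_NOW)->version and the proxy from its
     * own configuration or from socks5h_proxy_in_env(). */
    const char *version = "libcurl/8.3.0";
    const char *proxy = "socks5h://proxy.example:1080";
    printf("%s via %s: %s\n", version, proxy,
           exposed(version, proxy) ? "EXPOSED, upgrade to 8.4.0" : "not exposed");
    return 0;
}
```

Two caveats when using a check like this: distribution packages often backport the fix without changing the upstream version number, so the version test is a screening step rather than proof; and libcurl applications can select `CURLPROXY_SOCKS5_HOSTNAME` through `CURLOPT_PROXYTYPE` (or `--socks5-hostname` in the tool) without any `socks5h://` URL, so those code paths and options must be reviewed as well.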
## Detection
- Indicators of compromise: Crashes or unexpected behaviour in applications that connect through a SOCKS5 proxy with proxy-side name resolution, in particular when hostnames longer than 255 bytes are passed to the proxy.
- Detection methods and tools: Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances utilizing libcurl.
## References
- Vendor advisories: curl.se/docs/CVE-2023-38545.html
- Relevant links (defanged):
- twitter com/bagder/status/1709103920914526525
- github com/curl/curl/discussions/12026
- daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/