IM
IronMonkey Threat Research

CVE-2023-38545 CRITICAL

Published: 2023-10-18 | Last Modified: 2026-05-12 | Status: Modified

Description

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

Additional Descriptions (1)

Esta falla hace que curl desborde un búfer basado en el protocolo de enlace del proxy SOCKS5. Cuando se le pide a curl que pase el nombre de host al proxy SOCKS5 para permitir que resuelva la dirección en lugar de que lo haga curl mismo, la longitud máxima que puede tener el nombre de host es 255 bytes. Si se detecta que el nombre de host es más largo, curl cambia a la resolución de nombres local y en su lugar pasa solo la dirección resuelta. Debido a este error, la variable local que significa "dejar que el host resuelva el nombre" podría obtener el valor incorrecto durante un protocolo de enlace SOCKS5 lento y, contrariamente a la intención, copiar el nombre del host demasiado largo al búfer de destino en lugar de copiar solo la dirección resuelta allí. El búfer de destino es un búfer basado en montón y el nombre de host proviene de la URL con la que se le ha dicho a curl que opere.

CVSS Metrics

Base Score: 9.8 (CRITICAL)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 5.9

Weaknesses

Source Type Description
[email protected] Primary
en CWE-787
134c704f-9b21-4f2e-91b3-4a467353bcc0 Secondary
en CWE-787

Affected Products

Vendor Product Version Update Type
haxx libcurl * <built-in method update of dict object at 0x702b83f2f740> Application
fedoraproject fedora 37 <built-in method update of dict object at 0x702bde536080> Operating System
netapp active_iq_unified_manager - <built-in method update of dict object at 0x702ba6edb940> Application
netapp active_iq_unified_manager - <built-in method update of dict object at 0x702ba6ed9300> Application
netapp oncommand_insight - <built-in method update of dict object at 0x702b83f2d580> Application
netapp oncommand_workflow_automation - <built-in method update of dict object at 0x702b83f2fe00> Application
microsoft windows_10_1809 * <built-in method update of dict object at 0x702ba6eda500> Operating System
microsoft windows_10_21h2 * <built-in method update of dict object at 0x702b80ad8b00> Operating System
microsoft windows_10_22h2 * <built-in method update of dict object at 0x702bde536a80> Operating System
microsoft windows_11_21h2 * <built-in method update of dict object at 0x702b83f2d480> Operating System
microsoft windows_11_22h2 * <built-in method update of dict object at 0x702ba6ed9500> Operating System
microsoft windows_11_23h2 * <built-in method update of dict object at 0x702bde535500> Operating System
microsoft windows_server_2019 * <built-in method update of dict object at 0x702bde166880> Operating System
microsoft windows_server_2022 * <built-in method update of dict object at 0x702ba6ed8580> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Yes cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
Yes cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
Yes cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*

References

Notification
Message here