Discovery of a disastrous bug in the curl Linux utility, and deployment of fixes

Most Linux users have never heard of curl. Programmers and system administrators, on the other hand, know the utility well.


This command-line tool and its companion library, libcurl, transfer data over network protocols, and they run on desktops, servers, cloud instances, cars, televisions, routers and virtually every Internet of Things (IoT) device. The curl developers estimate that it is installed in more than twenty billion instances. That is what makes CVE-2023-38545, a potentially very unpleasant security bug, such a concern.


How so? curl's lead developer, Daniel Stenberg, wrote in a blog post that this is "the worst security problem discovered in curl in a long time". He is well placed to know. Security experts agree. In short, it is not good at all.

Remote code execution possible


As Saeed Abbasi, product manager of Qualys' Threat Research Unit, warned:


Organizations must act quickly to inventory, analyze and update all systems using curl and libcurl. The severity of this vulnerability requires immediate attention to protect interconnected and web-sensitive applications, ensuring that the rich data-transfer features provided by curl and libcurl remain intact and secure.


Specifically, the flaw is reachable only when curl connects through a SOCKS5 proxy. This fairly simple protocol routes a network connection through a dedicated intermediary. It is how clients talk to Tor, the open-source software used for anonymous communication, and it is also used to reach the internet privately from inside organizations and companies. Some virtual private network (VPN) providers, such as NordVPN and Hide.Me, offer it so that their users can bypass content blocks and preserve their anonymity.

Stenberg said that "a Tor user (who normally uses SOCKS5) going to an HTTPS site that has been the subject of a breach or a similar problem" is the most likely victim of this flaw.


CVE-2023-38545 is a heap-based buffer overflow in curl's SOCKS5 proxy handshake. Overflows of this kind can potentially be leveraged for remote code execution, and proofs of concept showing how the flaw can be triggered already exist. The bug was introduced in February 2020 and affects curl and libcurl versions 7.69.0 through 8.3.0 inclusive.

A real embarrassment for the developer

Stenberg is embarrassed by his mistake:


Reading the code now, it is impossible not to see the bug. Yes, it really hurts to have to accept the fact that I made this mistake without realizing it and that the flaw then remained undiscovered in the code for 1315 days. I apologize for that. I'm just a human. … In hindsight, shipping an overflow flaw in code installed in more than twenty billion instances is not an experience that I would recommend.


Not everyone thinks this is a big problem. Bill Demirkapi, a member of the Vulnerability and Mitigation team at the Microsoft Security Response Center, tweeted on Twitter (now X): "The 'worst security problem discovered in curl in a long time' is only accessible if the victim uses a SOCKS5 proxy and connects to a dishonest server or suffers a MitM [man-in-the-middle] attack? (I'm going to go back to sleep)."


Less sarcastically, JFrog, a company specializing in software supply-chain security, remarked:


We can confidently assume that this vulnerability will be exploited for remote code execution. However, the set of prerequisites necessary for a machine to be vulnerable is more restrictive than initially thought. Therefore, we believe that the vast majority of curl users will not be affected by this vulnerability.


To be precise, all of the following must hold before the bug turns into a real security problem on a given curl client:

  1. The curl request goes through a socks5h proxy, that is, curl hands the hostname to the proxy for resolution instead of resolving it locally (plain socks5:// sends an IP address and does not reach the affected code path).
  2. The negotiation buffer on the curl client is smaller than about 65 KB (libcurl defaults to 16 KB; the curl command-line tool uses a 100 KB buffer unless a rate limit is set, which shrinks it).
  3. The "hello" response from the SOCKS server is delayed.
  4. The attacker controls a final destination hostname that is longer than the negotiation buffer.

That's a lot of prerequisites.

A smart strategic decision


Nevertheless, given how widely curl is used across operating systems, applications and IoT devices, Stenberg's decision to announce the problem a week before the fix shipped was a smart strategic one. It gave organizations time to audit their systems, identify every curl and libcurl instance in use, and draw up a comprehensive company-wide remediation plan.


The curl project did not stop there: details of the flaws were shared in advance with the developers of the various Linux, Unix and Unix-like distributions. This coordinated approach ensured that patches and updated packages were ready before curl 8.4.0 was officially released.


The curl project and I therefore strongly recommend updating to curl/libcurl 8.4.0, or applying the patches to earlier versions, to mitigate the risks associated with these vulnerabilities.


Since curl and libcurl are default components of most Linux distributions and are embedded in many container images, Linux users should watch for the versions released by their vendors and remember that a patched host does not fix the libcurl baked into a container image; those images must be rebuilt or re-pulled. Most major Linux distributions have already published patches.
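The inventory step that the Qualys and JFrog comments call for comes down to two questions per host: is the installed libcurl inside the affected range, and is curl actually configured to go through a socks5h proxy (prerequisite 1 in the list above)? The script below is an added example written for this article; it is not code from ZDNet, JFrog or the curl project. It assumes that `curl --version` prints `libcurl/X.Y.Z` on its first line and that proxy settings come from the ALL_PROXY, HTTPS_PROXY and HTTP_PROXY environment variables (upper and lower case); the sample version line at the bottom is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example for this article (not ZDNet, JFrog or curl project code).
# Classifies a libcurl version against the range the advisory names for
# CVE-2023-38545 (7.69.0 through 8.3.0 inclusive) and flags whether the
# environment routes curl through a SOCKS5 proxy with remote name resolution.

# Turn "major.minor.patch" (suffixes such as "-DEV" tolerated) into a single
# integer so that ranges can be compared with plain arithmetic.
version_to_int() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    IFS=. read -r major minor patch _rest <<EOF
$v
EOF
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Succeed (exit 0) when VERSION lies inside [7.69.0, 8.3.0]. A hit means
# "check the vendor advisory": distributions often backport the fix without
# bumping the version string, so this is a triage filter, not a verdict.
is_affected_version() {
    n=$(version_to_int "$1")
    [ "$n" -ge "$(version_to_int 7.69.0)" ] && [ "$n" -le "$(version_to_int 8.3.0)" ]
}

# Extract the libcurl version from the first line of `curl --version`. The tool
# and library versions can differ, and the SOCKS5 code lives in libcurl, so the
# library version is the one that matters.
libcurl_version_from_line() {
    printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# Succeed when a proxy URL uses the socks5h scheme (hostname sent to the proxy).
# Plain socks5:// resolves the name locally and sends an IP address, which is
# not the code path described by the prerequisite list.
proxy_url_is_socks5h() {
    case "$1" in
        socks5h://*|SOCKS5H://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Scan the proxy environment variables curl honours and report any socks5h
# entry. Succeeds when at least one is found.
env_uses_socks5h() {
    found=1
    for var in ALL_PROXY all_proxy HTTPS_PROXY https_proxy HTTP_PROXY http_proxy; do
        eval "val=\${$var:-}"
        if [ -n "$val" ] && proxy_url_is_socks5h "$val"; then
            echo "  $var=$val (socks5h: hostname is sent to the proxy)"
            found=0
        fi
    done
    return $found
}

# Inventory of this host; does nothing harmful when curl is absent.
report_host() {
    if ! command -v curl >/dev/null 2>&1; then
        echo "curl not found on PATH"
        return 0
    fi
    line=$(curl --version 2>/dev/null | head -n 1)
    lib=$(libcurl_version_from_line "$line")
    if [ -z "$lib" ]; then
        echo "could not parse: $line"
        return 0
    fi
    if is_affected_version "$lib"; then
        echo "libcurl $lib is inside the affected range 7.69.0-8.3.0: check vendor patch status"
    else
        echo "libcurl $lib is outside the affected range"
    fi
    if env_uses_socks5h; then
        echo "socks5h proxy configured in the environment: prerequisite 1 is met"
    else
        echo "no socks5h proxy in ALL_PROXY/HTTPS_PROXY/HTTP_PROXY"
    fi
}

# Constructed sample line (not captured from a real host) used to exercise the parser.
SAMPLE_VERSION_LINE='curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.10 zlib/1.2.13'

report_host
```

Two caveats when using this on a fleet: a version number inside the range is a reason to consult the distribution's advisory, not proof of exposure, because Debian, Red Hat and others backport fixes under the old version string; and the proxy scan only covers environment variables, so a `proxy = socks5h://...` line in `~/.curlrc`, a `--proxy` flag in a script, or an application calling libcurl with CURLOPT_PROXY has to be checked separately.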


Source: “ZDNet.com “
