curl – SOCKS5 heap buffer overflow – CVE-2023-38545
- Comments Off on curl – SOCKS5 heap buffer overflow – CVE-2023-38545
The Challenge: CVE-2023-38545
In the world of digital security, a formidable adversary has emerged – CVE-2023-38545. It exposes a critical heap buffer overflow in Curl’s SOCKS5 proxy handshake, demanding immediate action.
The Dilemma: How It Unfolded
When Curl passes a hostname to the SOCKS5 proxy, it should limit the length to 255 bytes. If it exceeds this limit, a bug may occur during a slow SOCKS5 handshake, leading to an overflow.
The Technical Insight
- The hostname originates from the assigned URL.
- The target buffer, typically 16KB in size, handles SOCKS negotiation.
The Threat Scenario
For an overflow to occur, a slow SOCKS5 handshake is required, along with a client introducing a hostname longer than the download buffer. Standard server latencies can naturally trigger this issue.
Key Triggers: SOCKS5 with Remote Hostname
- CURLOPT_PROXYTYPE set to CURLPROXY_SOCKS5_HOSTNAME
- CURLOPT_PROXY or CURLOPT_PRE_PROXY using the “socks5h://” scheme
- Relevant proxy environment variables configured.
The Bug’s Origin
This bug emerged during the transition of the SOCKS5 handshake code from blocking to non-blocking.
Severity Assessment: High
CVE-2023-38545 falls under CWE-122: Heap-based Buffer Overflow, with a “High” severity rating.
- Vulnerable: libcurl 7.69.0 to 8.3.0
- Secure: libcurl versions below 7.69.0 and from 8.4.0 onward
Upgrade to Curl version 8.4.0, where the bug has been addressed.
- Upgrade to Curl 8.4.0
- Apply the provided patch
- Exercise caution with CURLPROXY_SOCKS5_HOSTNAME proxies
- Avoid configuring proxy environment variables for “socks5h://”
The vulnerability was reported on September 30, 2023, with the release of libcurl 8.4.0 on October 11, 2023.