
General curl pre-announcement resources
(* = stated or likely living / "to be updated" reference):

Official list of all curl CVEs*:
https://curl.se/docs/security.html

Official running changelog*:
https://curl.se/changes.html

Initial Mastodon post:
https://mastodon.social/@bagder/111167662713737288

Corresponding wolfSSL post (Stenberg works for them):
https://www.wolfssl.com/severity-high-security-problem-to-be-announced-with-curl-8-4-0-on-oct-11/

NVD links (pending)*:
https://nvd.nist.gov/vuln/detail/CVE-2023-38545
https://nvd.nist.gov/vuln/detail/CVE-2023-38546

MITRE links (pending)*:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38546

Tenable post*:
https://www.tenable.com/blog/cve-2023-38545-cve-2023-38546-frequently-asked-questions-for-new-vulnerabilities-in-curl

Defender Cloud blog post*:
https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/high-severity-curl-vulnerability-prepare-with-microsoft-defender/ba-p/3950812
... and a matching KQL hunting query:
https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Vulnerability%20Management/Curl-CVE-2023-38545.md

Qualys detection howto*:
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/05/curl-8-4-0-proactively-identifying-potential-vulnerable-assets

Docker pre-announcement*:
https://www.docker.com/blog/security-advisory-high-severity-curl-vulnerability/

BigFix forum thread*:
https://forum.bigfix.com/t/curl-8-4-0-cve-2023-38545-cve-2023-38546/46569/3

Snyk post*:
https://security.snyk.io/vuln/SNYK-UNMANAGED-CURL-5931782

#CVE202338545
#CVE_2023_38545

#CVE202338546
#CVE_2023_38546

curl - CVEs

Section 1: Post-announcement

Announced! 05:57 UTC October 11, 2023

The "High" (CVE-2023-38545) is a heap buffer overflow triggered by long hostnames, only in play when SOCKS5 proxying is enabled (or induced).

Vuln announcement:
https://curl.se/docs/CVE-2023-38545.html
Blog post:
https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/

Affected versions: libcurl 7.69.0 (March 4, 2020) up to and including 8.3.0

Unaffected versions: libcurl < 7.69.0 and >= 8.4.0
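To turn the two affected ranges above into a repeatable check, here is an added example (not code from the curl project or from the thread) that parses the first line of `curl --version` output and reports which of the two CVEs the reported libcurl version falls into. The banner strings are constructed samples, and the ranges are exactly the inclusive bounds stated on this page: 7.69.0 to 8.3.0 for CVE-2023-38545 and 7.9.1 to 8.3.0 for CVE-2023-38546.

```python
import re
from typing import Optional, Tuple, List

Version = Tuple[int, int, int]

# Inclusive affected ranges, as stated in the announcement summaries on this page.
AFFECTED_RANGES = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),
}


def parse_version(text: str) -> Version:
    """Turn 'x.y.z' (or 'x.y') into a comparable tuple; trailing suffixes like '-DEV' are dropped."""
    nums: List[int] = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            raise ValueError(f"not a version component: {part!r}")
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def libcurl_version_from_banner(banner: str) -> Optional[Version]:
    """Extract the libcurl/x.y.z token from the first line of `curl --version` output.

    The tool version and the library version can differ (the tool may be linked against a
    different libcurl), so the libcurl token is the one that matters for these CVEs.
    """
    first_line = banner.splitlines()[0] if banner.strip() else ""
    m = re.search(r"\blibcurl/(\d+(?:\.\d+){1,2})", first_line)
    if not m:
        return None
    return parse_version(m.group(1))


def affected_cves(version: Version) -> List[str]:
    """Return the CVE ids whose inclusive version range contains `version`."""
    return [cve for cve, (lo, hi) in AFFECTED_RANGES.items() if lo <= version <= hi]


def assess_banner(banner: str) -> List[str]:
    """Convenience wrapper: banner text in, list of potentially applicable CVE ids out."""
    version = libcurl_version_from_banner(banner)
    if version is None:
        raise ValueError("no libcurl/x.y.z token found in banner")
    return affected_cves(version)


if __name__ == "__main__":
    # Constructed sample banners (not captured from any real host).
    samples = [
        "curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2 zlib/1.2.11",
        "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11",
        "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.1.3 zlib/1.3",
    ]
    for banner in samples:
        print(banner.split()[1], "->", assess_banner(banner) or "not in affected range")
```

The version string is only an upper bound on risk: distributions routinely backport the fix without bumping the upstream version, so a hit here means "check the vendor advisory", not "vulnerable". That is what the Repology page linked further down is for.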

Bug commit:
https://github.com/curl/curl/commit/4a4b63daaa

Fix commit:
https://github.com/curl/curl/commit/fb4415d8aee6c1

Mitigations: patch, or avoid SOCKS5. See official announcement for specifics. May be partially mitigated already on modern systems with ASLR.

Privilege escalation: It's not yet clear how hard it might be to chain other vulnerabilities to deliberately invoke curl or libcurl with SOCKS5 enabled.

Official general release video:
https://youtu.be/-j-_nKmq2aE

PoC with good commentary (@harrysintonen):
https://infosec.exchange/@harrysintonen/111214844467791428
Also from Harry: analysis of why it evaded static analysis tools:
https://infosec.exchange/@harrysintonen/111215792389706345

Plausible exploitation scenario: using Tor (which uses SOCKS5 natively) [6]

Check package update status across many distros:
https://repology.org/project/curl/versions

The discoverer is Jay Satiro. Maybe only a coincidence, but like many pioneers of the security industry, if this is the same Jay Satiro, he may have had a young hacker past:
https://www.deseret.com/1999/12/26/19482388/hacker-gets-year-in-jail-no-computer

John Hammond describes using this simple Python SOCKS proxy as an easy way to tinker:

https://github.com/MisterDaneel/pysoxy

Useful coverage:

Section 2: Pre-announcement leak

A leaked CentOS Stream patch for CVE-2023-38545 [1]:

https://gitlab.com/redhat/centos-stream/rpms/curl/-/commit/0783247f07250043dceb74e426f16f9d46147163#57c8706b6a9132202629833e05fd961bfcc66836

... says:

"[PATCH] socks: return error if hostname too long for remote resolve

Prior to this change the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than 255 characters. Unfortunately that did not work as intended and caused a security issue."
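The patch title above ("return error if hostname too long for remote resolve") points at the underlying constraint: in SOCKS5 (RFC 1928) a domain-name address (ATYP 0x03) is encoded with a single length octet, so a name longer than 255 bytes simply cannot be sent to the proxy for remote resolution. The safe behaviour is to refuse it outright rather than silently switch resolution modes. The following is an added illustration of that hardened check, not curl's code, and the hostnames in it are constructed samples.

```python
import struct

# RFC 1928 address-type byte for a domain name and the hard cap imposed by its one-octet length field.
SOCKS5_ATYP_DOMAINNAME = 0x03
SOCKS5_MAX_NAME_LEN = 255


def hostname_fits_socks5(hostname: str) -> bool:
    """True if the hostname can be carried in a SOCKS5 domain-name address field at all."""
    encoded = hostname.encode("idna") if hostname.isascii() is False else hostname.encode("ascii")
    return 0 < len(encoded) <= SOCKS5_MAX_NAME_LEN


def socks5_domain_address(hostname: str, port: int) -> bytes:
    """Encode ATYP + LEN + NAME + PORT for a SOCKS5 CONNECT request with remote resolution.

    Hardened check: a name that does not fit the one-octet length field is rejected with an
    error instead of being handed to some other code path that was never written for it.
    """
    if not (0 <= port <= 0xFFFF):
        raise ValueError(f"port out of range: {port}")
    name = hostname.encode("ascii") if hostname.isascii() else hostname.encode("idna")
    if not name:
        raise ValueError("empty hostname")
    if len(name) > SOCKS5_MAX_NAME_LEN:
        # This is the condition the patch turns into a hard error.
        raise ValueError(f"hostname too long for SOCKS5 remote resolve: {len(name)} > {SOCKS5_MAX_NAME_LEN}")
    return bytes([SOCKS5_ATYP_DOMAINNAME, len(name)]) + name + struct.pack("!H", port)


if __name__ == "__main__":
    # Constructed samples: one name at the limit, one just over it.
    ok = "a" * 251 + ".com"          # 255 bytes: fits
    too_long = "a" * 252 + ".com"    # 256 bytes: must be rejected
    print(len(socks5_domain_address(ok, 443)), "bytes encoded")
    try:
        socks5_domain_address(too_long, 443)
    except ValueError as exc:
        print("rejected:", exc)
```

The encoded field is two header bytes plus the name plus a two-byte port, so the maximum well-formed address is 259 bytes; anything that would need more is an input error, not a reason to change strategy mid-request.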

John Hammond tweet thread about the CentOS SOCKS patch:
https://twitter.com/_JohnHammond/status/1711913166165463220 [3]

MalwareJake SOCKS speculation:
https://twitter.com/MalwareJake/status/1711922431068090721

Section 3: Pre-announcement

Stenberg's summary post:

https://github.com/curl/curl/discussions/12026

... has these summaries:

CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool)
Announce page:
https://curl.se/docs/CVE-2023-38545.html
Official blog post:
https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
oss-security post:
https://www.openwall.com/lists/oss-security/2023/10/11/1

CVE-2023-38546: severity LOW (affects libcurl only, not the tool)
Announce page:
https://curl.se/docs/CVE-2023-38546.html
Affected versions: libcurl 7.9.1 (November 2001) up to and including 8.3.0

For CVE-2023-38545, "HIGH" was chosen deliberately. Quoting Stenberg: [2]
'Remember: it is "just" a HIGH severity flaw, not a the-sky-is-falling severity flaw.'

One of the vulns is over 8000 days old [4] (confirmed - see above)

Appendix

See also general refs:
https://infosec.exchange/@tychotithonus/111214037492190911

  • Spotted by https://infosec.exchange/@Emily/111213538763832668
  • "Just HIGH": https://mastodon.social/@bagder/111212947177464680
  • https://twitter.com/_JohnHammond/status/1711913166165463220
  • Spotted by https://mstdn.social/@msw/111214091396882736
  • https://mastodon.social/@bagder/111167662713737288
  • https://mastodon.social/@bagder/111214995699589027
  • Non-trivially updated:
    Wed Oct 11 15:45:40 UTC 2023

    Can anyone add some sanity to the discussion around cURL CVE's (CVE-2023-38545 and CVE-2023-38546) being published soon.

    I've hit my quota for statements like "this WILL impact MILLIONS of devices in our org" and "we will literally need a new vulnerability severity tier to address this"

    #curl #CVE202338545 #CVE202338546 #vulnerability