Heads Up: Patch for ‘Worst Curl Security Flaw’ Coming This Week
Developers who use the popular curl open-source data transfer tool will be able to patch two vulnerabilities in the software on October 11, one of which the lead developer called the “worst curl security flaw in a long time.”
Daniel Stenberg, who also is the original author of curl, earlier this month warned the industry of the two vulnerabilities in curl and libcurl via a post on X (formerly Twitter) and in an advisory on GitHub and set a date for the release of the latest version of curl, which will fix the bugs.
The maintainers of curl shortened the released cycle and moved up the release data for version 8.4.0 to address the flaws and reduce the amount of time for attackers to find and exploit them. There is no known exploitation of the vulnerabilities in the wild.
Stenberg wrote that that heads up was given to enable curl distributors time to prepare the patches and to give the maintainers the needed time to prepare for the pending release of the latest version of curl (with the patches) and spread the word about the release.
No details about the flaws – tracked as CVE-2023-38545, a high severity vulnerability affecting both curl and libcurl, and the low-severity CVE-2023-38546 that affects only libcurl – were released, and outside of some distributors, “no one else gets details about these problems before October 11 without a support contract and a good reason,” he wrote.
The high-severity flaw will be published immediately after the release of curl version 8.4.0, which addresses the vulnerabilities.
Stenberg also declined to disclose details about the versions of curl affected by the bugs for fear that disclosure would give bad actors the information they need to identify and exploit the problem. However, he wrote that the “last several years” of versions are impacted.
Curl is Seemingly Everywhere
Curl – or Client for URL – is a command-line interface (CLI) used to transfer data between servers using a number of network protocols. Libcurl is the development library that enables other programs to use curl. Both parts of the 25-year-old curl project are widely used, with estimates of up to 10 billion installations.
Curl is deployed with many Linux distributions as well as with Windows from Windows 10 forward, according to Scott Caveza and Satnam Narang, researchers with Tenable.
“Curl is a very well-known and widely used tool for transferring files using various protocols, first released in 1997,” Henrik Plate, security researcher at Endor Labs, told Security Boulevard in an email. “It is one of the two quasi-standard command line tools when it comes to transferring files in Unix-like terminals (the other one is called ‘wget’).”
Getting a Head Start
Developers should use the head start to determine where they’re using curl and libcurl and information about the versions and use cases, Plate wrote.
“This context information must clarify whether URLs fed into curl come from (untrusted) user-provided input,” he wrote. “Such cases will require special attention, because there may be an opportunity for attackers to provide URLs (that contain special characters, for example, or point to attacker-controlled domains), which could be needed to successfully craft an attack.”
Yotam Perkal, director of vulnerability research at Rezilion, wrote in a blog post that the “scenario presents an interesting challenge for security teams wanting to get a headstart on identifying affected assets. Since no vulnerability metadata has yet been published (specifically no CPE values), no vulnerability scanner will be able to detect it.”
The Need for SBOMs
It also highlights the importance of software bills of materials (SBOMs) that can be queried, Perkal wrote.
“If you have a queryable SBOM, you should utilize it to pinpoint all occurrences of curl & libcurl in your environment, so that once version 8.4.0 releases, you’ll be able to take immediate action,” he wrote.
Endor Lab’s Plate agreed, saying the vulnerabilities illustrate the need for organizations to keep meticulous track of all open source software they use, including application-level dependencies and in other layers of the software stack for both cloud and on-premises systems.
“Knowing about all the uses of curl and libcurl is the prerequisite for assessing the actual risk and taking remediation actions, be it patching curl, restricting access to affected systems from untrusted networks or implementing other countermeasures,” he wrote.
However, there are challenges.
“The curl command line tool can be installed in many different ways, e.g., through the yum and apt package managers used by various Linux distributions or, worse, simply by downloading the binaries from the curl Website,” Plate wrote. “Such downloads and subsequent executions are often scripted, i.e., part of Windows batch files or Unix shell scripts, which can make it difficult to find those uses.”
