13/10/2023 | Prepared by: Joel D'Souza, Vulnerability Security Analyst
Purpose
The purpose of this alert is to address the recently disclosed HIGH risk vulnerability present in the curl tool and the libcurl library. As the use of this library is extremely common in major operating systems, the Triskele Labs team advises that all organisations should check for the presence of this library in their assets and Virtual Machine Images (VMIs) and follow the remediation steps outlined in the subsequent sections.
The lead developer of curl, Daniel Stenberg, has described this vulnerability as "probably the worst curl security flaw in a long time".
Details
On September 30th, 2023, Jay Satiro submitted the vulnerability disclosure to curl through the HackerOne platform. This vulnerability was confirmed by the creators of curl on October 4th when they issued a notification describing a High-risk vulnerability known as CVE-2023-38545 present in the curl application and the libcurl library.
Installations of widely used operating systems utilise this library on the back end, while developers use the tool for API interaction, and automation.
CVE-2023-38545 impacts libcurl versions 7.69.0 to and including 8.3.0.
Under certain conditions this bug may result in a Remote Code Execution (RCE) vulnerability.
While Proof-of-Concept (POC) Code has yet to be released, the widespread usage of these libraries across operating systems significantly increases the probability of weaponisation and active exploitation in the coming months.
This bulletin will be updated when the Triskele Labs CTI team has found an active Proof-of-Concept (POC) or evidence of exploitation.
Detection Capabilities
Organisations can check for vulnerable versions of this library by running the following commands on their assets, checking for hashes present in software inventories provided by Cybersecurity company Intruder.io:
Linux / MacOS
find / -name curl 2>/dev/null -exec echo "Found: {}" \; -exec {} --version \;
Windows
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue -Filter curl.exe | ForEach-Object { Write-Host "Found: $($_.FullName)"; & $_.FullName --version }
Detection of exploitation can be performed by monitoring the environment for significantly large strings in curl as implemented with the following steps listed by Cybersecurity company Intruder.io.
The following flags should be targeted for this assessment:
- --socks5-hostname, or
- --proxy, or
- --preproxy set to use the scheme socks5h://
The following options for libcurl are affected (environment variables):
- CURLOPT_PROXYTYPE set to type CURLPROXY_SOCKS5_HOSTNAME, or
- CURLOPT_PROXY, or
- CURLOPT_PRE_PROXY set to use the scheme socks5h://
One of the proxy environment variables can be set to use the socks5h:// scheme. For example, http_proxy, HTTPS_PROXY or ALL_PRO.
Mitigation Actions
If you are utilising libcurl versions 7.69.0 to and including 8.3.0, Triskele Labs recommends reviewing logs for impacted applications with unusual activity.
Triskele Labs recommends upgrading to curl version 8.4.0 immediately to ensure permanent mitigation. The patches are currently available for most widely used Linux distributions.
Priority patching should be conducted in cases where curl is used in proxy-resolver mode through a SOCKS5 proxy.
Triskele Labs DefenceShield customers with Assess (our Vulnerability Scanning service) are being assessed currently. All customers with our Monitor (our 24x7x365 SIEM) are - as always - being monitored for IOCs and Lateral Movement.
References
References used for the generation of this release:
- https://curl.se/docs/CVE-2023-38545.html
- https://hackerone.com/reports/2187833
- https://www.intruder.io/blog/curl-high-rated-cve-2023-38545
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/05/curl-8-4-0-proactively-identifying-potential-vulnerable-assets
