What is curl, and which version is vulnerable

The security community and developer alike relies on curl command-line tool used for transferring data with URLs, is an indispensable asset for developers and cybersecurity professionals. Its versatility in supporting various protocols makes it a go-to tool for many. However, like a fortified castle with a hidden weak spot, libcurl and the software itself too has its vulnerabilities. Recently, two notable Common Vulnerabilities and Exposures (CVEs) were identified – CVE-2023-38545 and CVE-2023-38546. The latter, rated as high severity, affects both libcurl and the curl tool, marking a significant security concern. This blog aims to delve into these vulnerabilities and provide a guide on how to ensure your software version or library like libcurl is updated and secure. Please follow the step below and the verification to ensure your vulnerability management program and applications in your application security program are secure.

OCTOBER 11, 2023 DANIEL STENBERG 9 COMMENTS In association with the release of curl 8.4.0, we publish a security advisory and all the details for CVE-2023-38545. This problem is the worst security problem found in curl in a long time. We set it to severity HIGH. While the advisory contains all the necessary details. I figured I would use a few additional words and expand the explanations for anyone who cares to understand how this flaw works and how it happened. Background curl has supported SOCKS5 since August 2002. SOCKS5 is a proxy protocol. It is a rather simple protocol for setting up network communication via a dedicated “middle man”. The protocol is for example typically used when setting up communication to get done over Tor but also for accessing Internet from within organizations and companies.

How to update curl on macOS:

1. Homebrew Installation:
   • Install the latest version of cURL using Homebrew with the command: brew install curl
   • Override the system default cURL by updating the system path: echo 'export PATH="/opt/homebrew/opt/curl/bin:$PATH"' >> ~/.zshrc
   • Verify the update by opening a new terminal window and executing: curl --version

How to update curl on Windows:

1. Version Check:
   • Open the Command Prompt and enter curl --version to check the installed version.
   • Determine the installation type by running where curl.
2. Windows Update:
   • If using the pre-installed version, check for official updates from Microsoft to get the patched version of cURL.
3. Using Package Managers:
   • Install or update cURL using Winget: winget install curl.curl
   • Or using Chocolatey: choco install curl
4. Environment Variables:
   • Adjust the PATH environment variables to prioritize the newly installed version.

How to update curl on Linux:

1. APT (Debian, Ubuntu): sudo apt-get update sudo apt-get upgrade curl
2. Snap (Primarily Ubuntu): snap install curl
3. DNF (RHEL, Rocky, Fedora): sudo dnf check-update sudo dnf install curl
4. APK (Alpine): sudo apk update sudo apk add curl

Building cURL from Source:

For users comfortable with building from source, they can download the latest cURL source code and compile it. Here’s an example on an M1 Mac running MacOS Ventura:

Install Xcode command line tools.

Execute the build commands:
codeautoreconf -fi export ARCH=arm64 export SDK=macosx ... make -j8

Verify the build with ./src/.libs/curl --versio

Why this critical vulnerability was controversial

Its disclosure marked a significant moment, stirring discussions in the cybersecurity community. A GitHub discussion led by one of the software maintainer unveiled the upcoming release of the software version 8.4.0 on October 11, aimed at patching this security flaw alongside a low-severity vulnerability, CVE-2023-38546. Although details regarding the affected version range were withheld for security reasons, the announcement serves as a call to action for users to update their Curl version promptly.

In a recent twitter conversation, the curl team has warned teams for the October 11 release but without disclosing additional information on which version is likely to be vulnerable. This to discourage early attacks

Recently curl was in the spotlight due to the erroneous disclosure:  maintainers have been vocal about downplaying the risk associated with most vulnerabilities reported against curl  in the past (a recent example is the article CVE-2020-19909 is everything that is wrong with CVEs), nonetheless in this case he warned — adding, “buckle up.”

Detail of the curl vulnerability vulnerability CVE-2023-38545 and CVE-2023-38546

What is the exploitation data behind CVE-2023-38545 and CVE-2023-38546 In the wild

CVSS: 10->4.4

CTI interest: Low

RCE Type Remote: Unknown (potential local authentication)

Availability: No

Status: Undisclosed

EPSS Score: – not registered –

Currently, there are 2673 systems with some version of curl exposed, but considering curl is embedded in every window, mac, linux version and container used like Amazon the spread and surface could be quite vast

How Phoenix Security Can Help

Phoenix Security is a comprehensive security solutions like ASPM and vulnerability management that can cover vulnerabilities from code to the cloud are essential to accelerate vulnerability management and scaling. Phoenix Security is here to automatically ingest vulnerabilities from code to cloud and prioritize vulnerabilities at scale. Phoenix also communicates the timeframe for resolution for the government organizations that must comply with CISA and related regulations.

Phoenix Security serves as a beacon for security professionals aiming to pinpoint the CISA kev and ransomware-related exploits within their systems. It meticulously scans your product, identifying instances where the CISA kev vulnerability may be affected. By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.

Previous Issues of Vulnerability Weekly

• How to update curl and libcurl without panic fixing
• Critical Vulnerabilities in Atlassian Confluence: Zero-Day
• Detect & Mitigate HTTP/2: Rapid Reset Vulnerabilities
• Understanding the libcue Vulnerability CVE-2023
• Understanding and fixing Curl and libcurl
• CVE-2023-3519 Update on Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway) details on vulnerability timeline and compromise
• MOVEit Transfer breach, Zellis compromise CVE-2023-34362

• Vulnerability maturity model,
• How to start an application security program