Categories: vulnerabilities

curl – SOCKS5 heap buffer overflow – CVE-2023-38545

The Challenge: CVE-2023-38545

CVE-2023-38545 is a critical heap buffer overflow in curl's SOCKS5 proxy handshake, and it demands immediate action.

The Dilemma: How It Unfolded

When curl passes a hostname to a SOCKS5 proxy for the proxy to resolve, the SOCKS5 protocol limits that hostname to 255 bytes. A hostname longer than that should never be sent to the proxy, but because of this bug a slow SOCKS5 handshake could cause the over-long hostname to be copied into the target buffer anyway, overflowing it.

The Technical Insight

  • The hostname comes from the URL the client is asked to fetch.
  • The target buffer is the download buffer, 16KB by default, which curl reuses for SOCKS negotiation.

The Threat Scenario

For an overflow to occur, the SOCKS5 handshake must be slow enough, and the client must request a hostname longer than the download buffer. Ordinary server latency is enough to make the handshake slow, so the condition is easily met in practice.

Key Triggers: SOCKS5 with Remote Hostname

  • CURLOPT_PROXYTYPE set to CURLPROXY_SOCKS5_HOSTNAME
  • CURLOPT_PROXY or CURLOPT_PRE_PROXY using the “socks5h://” scheme
  • Relevant proxy environment variables configured.

The Bug’s Origin

This bug emerged during the transition of the SOCKS5 handshake code from blocking to non-blocking.

Severity Assessment: High

CVE-2023-38545 falls under CWE-122: Heap-based Buffer Overflow, with a “High” severity rating.

Affected Versions

  • Vulnerable: libcurl 7.69.0 up to and including 8.3.0
  • Not affected: libcurl versions below 7.69.0 and from 8.4.0 onward
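An added audit helper (not code from the curl project or from this post) that combines the trigger conditions listed under "Key Triggers" with the affected version range above: it reports whether a given libcurl version, proxy configuration and target URL would exercise the vulnerable code path. The list of proxy environment variable names it consults is an assumption made for this example.

```python
"""Exposure check for CVE-2023-38545 (constructed example, not curl project code)."""
import os
from urllib.parse import urlsplit

# Affected libcurl range from the advisory: 7.69.0 up to and including 8.3.0
VULN_MIN = (7, 69, 0)
FIXED = (8, 4, 0)
SOCKS5_HOSTNAME_MAX = 255  # hostname length limit in the SOCKS5 protocol
# Environment variables curl may read for a proxy (assumed list for this example)
PROXY_ENV_VARS = ("all_proxy", "ALL_PROXY", "https_proxy", "HTTPS_PROXY", "http_proxy")


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def version_is_vulnerable(version):
    """True for 7.69.0 <= version < 8.4.0."""
    return VULN_MIN <= parse_version(version) < FIXED


def proxy_delegates_resolution(proxy_url):
    """True when the proxy URL uses socks5h://, i.e. the hostname is sent to the proxy."""
    return proxy_url is not None and urlsplit(proxy_url).scheme.lower() == "socks5h"


def effective_proxy(explicit=None, env=None):
    """Explicit CURLOPT_PROXY-style value wins; otherwise fall back to the environment."""
    if explicit:
        return explicit
    env = os.environ if env is None else env
    for name in PROXY_ENV_VARS:
        if env.get(name):
            return env[name]
    return None


def assess(url, libcurl_version, proxy=None, env=None):
    """Describe whether this request would reach the vulnerable SOCKS5 path.

    'exposed' depends only on the build and proxy configuration (what an
    administrator can audit); 'hostname_over_limit' reports whether this
    particular URL carries a hostname longer than SOCKS5 allows. Handshake
    timing (the 'slow handshake' condition) cannot be checked statically.
    """
    host = urlsplit(url).hostname or ""
    proxy_url = effective_proxy(proxy, env)
    exposed = version_is_vulnerable(libcurl_version) and proxy_delegates_resolution(proxy_url)
    return {
        "exposed": exposed,
        "hostname_over_limit": len(host.encode()) > SOCKS5_HOSTNAME_MAX,
        "proxy": proxy_url,
    }
```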

The Solution

Upgrade to curl version 8.4.0, where the bug has been fixed.

Protection Measures

  • Upgrade to Curl 8.4.0
  • Apply the provided patch
  • Exercise caution with CURLPROXY_SOCKS5_HOSTNAME proxies
  • Avoid configuring proxy environment variables for “socks5h://”

Timeline

The vulnerability was reported on September 30, 2023, with the release of libcurl 8.4.0 on October 11, 2023.

panosnet
