Open source curl tool addresses high-severity vulnerability
Curl is used extensively across the IT landscape
The team maintaining the open source curl library have alerted users to two security vulnerabilities, expected to be fixed in an upcoming version.
These vulnerabilities are identified as CVE-2023-38545 and CVE-2023-38546. The former is considered high-severity, affecting both libcurl and the curl tool, while the latter is of low severity, affecting only libcurl.
The pre-notification emphasised that the high-severity issue is arguably the worst curl flaw identified in a long time. However, the maintaining team hasn't released details of the bugs, to avoid threat actors identifying the problem areas.
Curl is a widely used command-line utility designed for transferring data using URL syntax. It supports an extensive array of protocols, including but not limited to FTP(S), HTTP(S), IMAP(S), LDAP(S), MQTT, POP3, RTMP(S), SCP, SFTP, SMB(S), SMTP(S), TELNET, WS and WSS.
Developers and system administrators normally rely on curl to engage with APIs, retrieve files and create automated workflows for a variety of internet-related tasks.
libcurl is the powerhouse behind curl, functioning as a free client-side URL transfer library and supporting the same array of protocols.
Developers can use the library to enhance their applications with reliable data transfer capabilities, enabling seamless communication with servers for activities such as making HTTP requests, managing cookies and handling authentication.
The high-severity problem in curl/libcurl, CVE-2023-38545, warrants careful consideration, even though it may not impact all users.
"In general terms, everything that uses libcurl could theoretically use libcurl in a way that triggers this vulnerability, assuming that the conditions apply and that a vulnerable libcurl version is used," said Daniel Stenberg, the original author of curl, during a GitHub discussion.
He did, however, note that some or even many users could use libcurl without triggering the vulnerability.
In a blog post, Qualys pointed out that updating the shared libcurl library is the recommended universal solution across various operating systems.
"Yet, according to the maintainer, a sizable number of rebuilds are expected, particularly in docker images and similar entities that incorporate their libcurl copies," it added.
Qualys stated that once the vulnerability is disclosed on 11th October, each vendor will release backported patches for these vulnerabilities.
Ax Sharma, a security researcher at Sonatype, said there is a growing legitimate concern about the new curl vulnerabilities. However, he emphasised that it should not be likened to Log4j.
"Most usage of curl is as a command-line utility, distributed as an operating system package and used as a system level service provider or utility, which means normal OS updates should automatically take care of this. It's very different from Log4j, which is embedded as a dependency, many layers deep, with no direct update capability," he noted.
"That's not to downplay the fact that this is a bad vulnerability - it's classified HIGH in severity, similar to the OpenSSL vulnerability last year. The most likely attack surface people should watch for when it comes to vulnerabilities is docker base images that aren't receiving updates and which happen to have an application that leverages the vulnerable libcurl."
Given the imminent release of curl 8.4.0 and its goal to address critical security vulnerabilities, organisations should take prompt action to inventory, scan and update all systems that use curl and libcurl.
"In particular, the gravity of the high-severity vulnerability mandates immediate and cautious attention to safeguarding interconnected and web-aware applications, ensuring the rich data transfer functionality curl and libcurl provide remain unimpaired and secure," Qualys said.
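The inventory step recommended above, as an added example that is not curl-project code: a POSIX sh script that reads the libcurl version reported by `curl --version` on the host and inside each local Docker image (the case the article singles out, since images bundle their own libcurl copy) and flags anything older than 8.4.0, the release the article says carries the fixes. It assumes `docker` may be absent, in which case the image scan is skipped.

```shell
#!/bin/sh
# Added inventory helper (not curl-project code). Flags any libcurl older than
# 8.4.0, the release the article names as fixing CVE-2023-38545/38546, on the
# host and in local Docker images. Assumes POSIX sh; docker is optional.
FIXED_VERSION="8.4.0"

# version_lt A B: succeed (return 0) when dotted version A is older than B.
# Compares component by component, so 7.88.1 < 8.4.0 and 8.3.0 < 8.4.0.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}; x=${x%%[!0-9]*}; x=${x:-0}
        y=${b%%.*}; b=${b#*.}; y=${y%%[!0-9]*}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# libcurl_version OUTPUT: pull the libcurl/X.Y.Z token out of `curl --version`
# output. The library version is what matters for applications linked to it.
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# needs_update VERSION LABEL: print a verdict; return 0 when an update is due.
needs_update() {
    [ -z "$1" ] && { echo "??      $2: could not read a libcurl version"; return 1; }
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "UPDATE  $2: libcurl $1 is older than $FIXED_VERSION"; return 0
    fi
    echo "ok      $2: libcurl $1"; return 1
}

# scan_host: check the host's curl, then every local Docker image that ships
# a curl binary (images without one fail to run and are skipped silently).
scan_host() {
    if command -v curl >/dev/null 2>&1; then
        needs_update "$(libcurl_version "$(curl --version 2>/dev/null)")" host
    fi
    if command -v docker >/dev/null 2>&1; then
        docker images --format '{{.Repository}}:{{.Tag}}' | while read -r img; do
            out=$(docker run --rm --entrypoint curl "$img" --version 2>/dev/null) || continue
            needs_update "$(libcurl_version "$out")" "$img"
        done
    fi
}

if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

Run it as `sh inventory.sh --scan`; lines starting with `UPDATE` are the hosts and images to rebuild once the fixed packages are out.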