A severe memory corruption vulnerability in cURL, identified as CVE-2023-38545, has been addressed by the maintainers of the cURL data transfer project, posing a significant risk to enterprise operating systems, applications, and devices. This flaw directly affects the SOCKS5 proxy handshake process and can be exploited remotely in non-standard configurations.
Furthermore, when certain conditions are met, a heap buffer overflow can occur, making it possible for attackers to execute malicious code through crafted redirects. The bug was introduced during cURL’s SOCKS5 support work in February 2020 and is described as “the worst security problem found in [libcurl] in a long time” by Daniel Stenberg, the project’s maintainer.
Additionally, the vulnerability is present in libcurl versions 7.69.0 to 8.3.0, and it has been addressed in cURL 8.4.0. cURL, which provides both a library and a command-line tool for data transfer, supports various network protocols, making it a crucial component in data exchange between devices and servers. Organizations are urged to inventory and scan systems using curl and libcurl and apply the patches in cURL 8.4.0 to mitigate the risk.
At the same time, all projects relying on libcurl could be potentially impacted, and the advisory warns that even some software that uses it in a specific way might remain exploitable. The existence of this vulnerability underscores the importance of timely updates and security best practices to safeguard enterprise systems and data from malicious threats.
