Here at TechFinitive, we don’t usually report on news that has yet to happen, but this cURL vulnerability is so serious that an exception is in order. There is a problem with the 25-year-old cURL (Client URL) open-source tool and its libcurl library, which provide client-side support for protocols such as HTTP, FTP and SMTP to countless other programs. And that means a very large share of the devices connected to the internet will need to be patched tomorrow.
With billions of installations globally, the libcurl library component of curl is truly ubiquitous. If you have a device that connects to the internet, it’s likely using libcurl. Your operating system is most likely using it. Your servers, printers and game consoles probably rely on it too.
Daniel Stenberg, founder and lead developer of the cURL open-source project, has issued a warning that a “high severity security problem” with cURL will be announced on 11 October 2023. This is, according to Stenberg, “probably the worst cURL security flaw in a long time,” and affects versions released over the “last several years”.
Two cURL vulnerabilities
The cURL project will actually disclose two vulnerabilities. CVE-2023-38546 only affects libcurl and carries a low severity rating. CVE-2023-38545, however, affects both libcurl and the cURL tool, and is rated high severity.
Stenberg says that, generally speaking, “everything that uses libcurl could theoretically use libcurl in a way that triggers this vulnerability”. He adds, however, that many applications call libcurl in ways that never reach the affected code, so not every user of the library is exposed.
The project decided not to go into any kind of detail until the patch is released to the public “as that would help identify the problem (area) with a very high accuracy so I cannot do that ahead of time”, said Stenberg.
He recognises the “minuscule risk” that a bad actor might find the vulnerability before the CVEs are published at 6am UTC (7am in the UK, 2am in New York, 5pm in Sydney) but it has “stayed undetected for years for a reason,” according to Stenberg.
What the cURL vulnerabilities might involve
“The range of possible vulnerabilities can include buffer overflows, for example, which can lead to anything from application crashes to remote code execution (RCE), allowing attackers to run arbitrary code on affected systems,” said Henrik Plate, a security researcher at application security startup Endor Labs.
“Another possibility includes erroneous SSL/TLS certificate validation, which could allow attackers to spoof legitimate servers or run man-in-the-middle attacks.”
We won’t know more specific details until tomorrow, but software developers are advised to search now for every use of curl and libcurl in their estate, and to record which versions are in use and what each one is used for, so that the patch can be applied quickly once it is released.
“This context information must clarify whether URLs fed into curl come from (untrusted) user-provided input,” Plate said.
“Such cases will require special attention, because there may be an opportunity for attackers to provide URLs (that contain special characters, for example, or point to attacker-controlled domains), which could be needed to successfully craft an attack.”
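Plate’s point about URLs that come from untrusted input can be turned into a concrete guard. The script below is an added example for this article, not code from the curl project or from Endor Labs, and it does not target the undisclosed bug: it narrows what an attacker-supplied URL can make curl do, by allowlisting the destination host (ALLOWED_HOSTS is an assumed, deployment-specific list of lower-case hostnames) and by using curl’s existing --proto, --proto-redir, --max-redirs, --max-time and --max-filesize options to confine the request. The sample URLs at the bottom are constructed to show the cases that matter: scheme downgrades, userinfo smuggling, look-alike domains and embedded whitespace.

```shell
#!/bin/sh
# Guarding curl calls whose URL comes from untrusted input.
# Added example for this article; not the curl project's code.
# ALLOWED_HOSTS is an assumption: set it per deployment, lower-case hostnames.

ALLOWED_HOSTS="${ALLOWED_HOSTS:-api.example.com updates.example.com}"

# url_host URL: print the lower-cased host of a plain https://host[:port][/...]
# URL, or print nothing when the URL is anything else. Userinfo ("@") is
# rejected so https://api.example.com@evil.example/ cannot pose as api.example.com.
# Always exits 0; callers test the output, not the status.
url_host() {
  url="$1"
  case "$url" in
    *[![:print:]]*|*' '*) return 0 ;;   # control characters or spaces: not a host
  esac
  case "$url" in
    https://*) ;;
    *) return 0 ;;                       # http, file, ftp, scheme-less: refused
  esac
  hostport=${url#https://}
  hostport=${hostport%%[/?#]*}           # drop path, query and fragment
  case "$hostport" in
    ''|*@*) return 0 ;;                  # empty host or userinfo present
  esac
  host=${hostport%%:*}                   # drop an explicit port
  printf '%s\n' "$host" | tr 'A-Z' 'a-z'
}

# url_is_allowed URL: succeed only for https URLs whose host is on ALLOWED_HOSTS.
url_is_allowed() {
  host=$(url_host "$1")
  if [ -z "$host" ]; then return 1; fi
  for allowed in $ALLOWED_HOSTS; do
    if [ "$host" = "$allowed" ]; then return 0; fi
  done
  return 1
}

# fetch_untrusted URL [OUTFILE]: validate, then call curl with its own limits:
# --proto/--proto-redir confine the request and any redirect to https,
# --max-redirs 0 stops redirects, the time and size caps bound a hostile server,
# and "--" keeps a URL from ever being parsed as an option.
fetch_untrusted() {
  url="$1"; out="${2:-/dev/stdout}"
  if ! url_is_allowed "$url"; then
    echo "refused: $url" >&2
    return 1
  fi
  curl --silent --show-error --fail \
    --proto '=https' --proto-redir '=https' --max-redirs 0 \
    --max-time 15 --max-filesize 10485760 \
    --output "$out" -- "$url"
}

# Constructed sample inputs, of the kind an attacker might supply.
for sample in \
  'https://api.example.com/v1/status' \
  'https://API.example.com:8443/v1/status' \
  'http://api.example.com/v1/status' \
  'https://api.example.com@evil.example/' \
  'https://api.example.com.evil.example/' \
  'https://evil.example/?next=https://api.example.com' \
  'file:///etc/passwd' \
  'https://api.example.com/x y'
do
  if url_is_allowed "$sample"; then echo "allow  $sample"; else echo "deny   $sample"; fi
done
```

The allowlist is the load-bearing part: it means a URL can only ever point curl at hosts you already trust, whatever characters it contains. The curl flags are a second layer that still applies when an allowlisted host is compromised or redirects elsewhere.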
How to mitigate the cURL vulnerability
Saeed Abbasi, from the Threat Research Unit at Qualys, has also published advice for organisations. He implores them to “urgently inventory and scan all systems utilising curl and libcurl” and says that immediate updating upon release of the patch “is essential to safeguard systems against these pressing vulnerabilities”.
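The inventory that both Plate and Abbasi call for can be started before the patch exists. The script below is an added example for this article, not code from the curl project, Endor Labs or Qualys. It reports the curl tool, the libcurl it is actually linked against, libcurl shared objects known to the loader or sitting in the usual second-copy locations, the package manager’s view, and a Python binding that may carry its own copy. FIXED_VERSION is a placeholder assumption: leave it unset today and fill it in from the advisory once the fixed release is named, at which point every older build is marked UPDATE. The version-from-binary check relies on the “libcurl/x.y.z” string libcurl embeds for its default User-Agent and on GNU grep’s -a and -o options.

```shell
#!/bin/sh
# Inventory of curl and libcurl on one host.
# Added example for this article; not the curl project's code.
# FIXED_VERSION is an assumption: set it from the advisory once it is published.

FIXED_VERSION="${FIXED_VERSION:-0.0.0}"

# numeric_version STRING: reduce "1:7.81.0-1ubuntu1.14", "8.3.0-DEV" or
# "curl-7.81.0" to the leading dotted numeric part ("7.81.0", "8.3.0").
numeric_version() {
  printf '%s\n' "$1" | sed 's/^[0-9]*://; s/^[^0-9]*//; s/[^0-9.].*$//'
}

# version_field VERSION N: the Nth dotted component as a number, 0 when absent.
version_field() {
  printf '%s\n' "$1" | awk -F. -v n="$2" '{ print $n + 0 }'
}

# version_lt A B: succeed when dotted version A is lower than B. Numeric, so
# 7.9.0 < 7.10.0, which a plain string comparison gets wrong.
version_lt() {
  a=$(numeric_version "$1"); b=$(numeric_version "$2")
  i=1
  while [ "$i" -le 3 ]; do
    x=$(version_field "$a" "$i"); y=$(version_field "$b" "$i")
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# parse_version_line LINE: from the first line of `curl --version`, e.g.
# "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 ...",
# print "<tool version> <libcurl version>". The two differ when the tool is
# linked against a different shared library than it was built with.
parse_version_line() {
  tool=$(printf '%s\n' "$1" | awk '$1 == "curl" { print $2 }')
  lib=$(printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p')
  printf '%s %s\n' "${tool:-unknown}" "${lib:-unknown}"
}

# libcurl_version_of FILE: the "libcurl/x.y.z" string a libcurl build embeds
# for its default User-Agent. Works on the shared object and on statically
# linked programs alike; prints nothing if the string is absent.
libcurl_version_of() {
  grep -a -o 'libcurl/[0-9][0-9.]*' "$1" 2>/dev/null | head -n 1 | sed 's|libcurl/||'
}

# assess VERSION FIXED: UPDATE when VERSION < FIXED, OK otherwise,
# UNKNOWN when no version could be determined.
assess() {
  case "$1" in
    unknown|'') echo UNKNOWN; return 0 ;;
  esac
  if version_lt "$1" "$2"; then echo UPDATE; else echo OK; fi
}

# report LABEL VERSION: one inventory line.
report() {
  printf '%-36s %-12s %s\n' "$1" "$2" "$(assess "$2" "$FIXED_VERSION")"
}

inventory_host() {
  printf '%-36s %-12s %s\n' SOURCE VERSION STATUS
  # 1. The curl tool and the libcurl it is actually linked with.
  if command -v curl >/dev/null 2>&1; then
    set -- $(parse_version_line "$(curl --version 2>/dev/null | head -n 1)")
    report "curl tool" "$1"
    report "libcurl (linked by tool)" "$2"
  else
    report "curl tool" unknown
  fi
  # 2. libcurl shared objects known to the loader, plus the usual places a
  #    second, separately built copy ends up. Each may be a different version.
  {
    command -v ldconfig >/dev/null 2>&1 && ldconfig -p 2>/dev/null |
      awk '/libcurl/ { print $NF }'
    ls /usr/local/lib/libcurl.so* /opt/*/lib/libcurl.so* 2>/dev/null
  } | sort -u | while read -r lib; do
    report "$lib" "$(libcurl_version_of "$lib")"
  done
  # 3. The package manager's view, which is what the patch step will act on.
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Version}\n' curl 'libcurl*' 2>/dev/null |
      while read -r pkg ver; do report "pkg $pkg" "$(numeric_version "$ver")"; done
  elif command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf '%{NAME} %{VERSION}\n' 'curl*' 'libcurl*' 2>/dev/null |
      while read -r pkg ver; do report "pkg $pkg" "$ver"; done
  fi
  # 4. Language bindings can carry their own copy that the loader never sees.
  if command -v python3 >/dev/null 2>&1; then
    pyline=$(python3 -c 'import pycurl; print(pycurl.version)' 2>/dev/null || true)
    if [ -n "$pyline" ]; then report "python3 pycurl" "$(parse_version_line "$pyline" | cut -d' ' -f2)"; fi
  fi
}

inventory_host
```

Run it as is today to get the baseline, then re-run with FIXED_VERSION set from the advisory to see what still needs updating. Anything reported as UNKNOWN, and any bundled copy inside appliances, containers or firmware that this host-level view cannot see, has to be chased by hand.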
Ian Thornton-Trump, CISO at Cyjax, also had this reassuring advice. “The good news is that mitigation may be possible by adjusting security permissions to prevent a malicious script which ‘calls’ curl and forces it to run the exploit code,” he said.
But don’t relax just yet. “If Linux services are running with root privileges and can access curl, this exploit could wreak havoc on a lot of systems,” Thornton-Trump added. “Threat actors and ransomware groups will be closely monitoring the disclosure tomorrow, and it will be a race against time to patch or mitigate.”
And what happens if you don’t mitigate against vulnerabilities? Simple: you open yourself up to ransomware attacks, as WannaCry amply demonstrated in 2017 when it spread through Windows systems that had not applied an SMB patch that was already available.