Curl/libcurl HIGH CVE-2023-38545 leaked early?
gitlab.comcURL's own tracker had a banner stating severity High to be released October 11.
It's October 11 and was already October 11 for a lot of the world 13 hours ago (as of writing) when this patch was posted. Nothing was early, nothing was leaked.
EDIT: Why the downvotes? People don't like timezones or something?
> The new version and details about the two CVEs will be published around 06:00 UTC on the release day.
https://github.com/curl/curl/discussions/12026 (2023-10-04T06:17:44Z)
That has to do with curl itself, redhat isn't necessarily bound to that schedule and we don't know the discussion that happened privately prior to disclosure date.
That kind of approach leads to the party which broke ranks this time, not being included in confidential things in future.
Along the lines of "they've proven they can't be trusted", kind of thing.
I don't agree they broke ranks. The 6am date was for the curl project itself.
Probably depends on whether Red Hat was party to privileged info as part of a co-ordinated release for this. Personally, I have no idea.
I'd be surprised if not, but even then, it's not clear if the time was a requirement set by the cURL team at all for projects that aren't cURL.
RedHat is one of the subscribers of the mailing list where the CVE details were sent under embargo, so yes, they were bound to that and broke the embargo 13 hours earlier than the lift date.
The patch was supposed to be published around 06:00 UTC on October 11. The commit is 13 hours early.
Perhaps, but to be honest trying to coordinate times on a specific disclosure day is futile. I would imagine Daniel is aware of this phenomenon.
> When there is a HIGH CVE security flaw, why then not release immediately after fix has been applied, but at a set date?
It's a valid question.
That has been answered several hundred times before, by Daniel himself in the original advisory.
Usually ubiquitous projects like this will privately distribute patches to large distros or corps so they can push security updates or at least prepare to push them on the disclosure date so that risk of exploit is lower by the date of disclosure. Otherwise there would be a lag and people would be more exposed for a period after disclosure.
The CVE page on curl.se is also online as of now: https://curl.se/docs/CVE-2023-38545.html
"[PATCH] socks: return error if hostname too long for remote resolve
Prior to this change the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than 255 characters. Unfortunately that did not work as intended and caused a security issue."
Will people stop messing with unsafe buffers in C already? Even just using C++ with the most basic buffer/dynamic array template would have prevented this issue.
While I agree with the general thrust of your comment, note that a) this is specifically adressed in Daniel's blog post b) He stated the reason why it's not happening right now multiple times already, and they seem well thought out. (Basically, the code base is huge and not easily converted, and there is no compiler support for some of the platforms libcurl supports).
Engineering is based on trade offs. In this specific case, the answer is no, unfortunately. This does of course not absolve new or smaller projects of this critique, but let's give curl a pass on this one.
Yeah, it was more of a general "old man yells at cloud" comment not aimed at anything in particular. It's just frustrating that we shouldn't have 99% of these vulnerabilities. Don't even have to go all the way with the borrow checking and rust, just basic bounds checks on all containers through templates would be a massive improvement over using C. Yes, the performance will degrade by some single digit %, but nobody cares.
> and there is no compiler support for some of the platforms libcurl supports
I feel like there are no serious platforms that don't have at least a C++ compiler for it. Or am I wrong there?
In that case, lets yell at clouds together. And somehow rust made me forget about C++. Or ADA. Or even godforsaken COBOL(and now you have permission to yell at me).
While this is a double screw up, I really like how the patch corrected the original issue but also removed this complex and unlikely path.
The drama and suspense around this has been crazy lol. It's pretty bad but they hyped it up like it was the next log4j.
Wat.
So you can only be attacked if you're using a socks5 proxy, and even then you can only be attacked by your own proxy? Which rules out things like torsocks where you're running the proxy too.
Does this really merit all of last week's antics?
I don't totally think so? A malicious HTTPS server can redirect you to a fake URL with shell code in it. So it's applicable to everyone using SOCKSv5 proxies, and the attacker is not "your own proxy".
You need to have a proxy running and configured to get to this codepath but the actual payload comes from a malicious URL/https server https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-ove...
There are tons of shady open or semi-open proxies out there.
There's also PAC/WPAD (https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Proto...). Together with some DHCP/ARP/DNS spoofing this might allow escalating from layer 2 connectivity (e.g. on a public wifi) to local root.
Seems like you'd need to set the Socks5 options manually to (lib?)curl which means parsing that PAC/WPAD file manually in your application and configuring curl based on its outcome? How many applications actually do this?
If you've got the ability to spoof DHCP/ARP in a corporate network, you really don't need this subpar vulnerability to do damage. That's a massive pile of big ifs for the impact - - a socks5 connection alone would instantly trigger a SOC investigation.
Edit: To answer your response, @Ao7bei3s, all great and well theoretically.. I am looking forward to being wrong, and I am eager to see what you can come up with to root or exfiltrate my MacOS with this.
I disagree on so many points.
* Buffer overflows tend to lead to remote code execution which is the most serious outcome and should always be treated as serious by default.
* libcurl is absolutely everywhere, not only in corporate networks.
* There is no such things as a trustworthy network; corporations are moving away from that model as it just doesn't work (zero trust). I can think of plenty of ways a motivated attacker might get L2 access to a corporate network if they aren't too picky about what they get access to, when and how long.
* Users can connect work devices to non-corporate networks. The generic example used to be coffee shops, now there's WFH.
* Non-corporate users matter too.
* Horizontal privilege escalation. Chaining multiple exploits into a successful attack is table stakes for modern attackers.
* It was only an example. There is a long history of people (especially those employed by companies with vulnerable products, though that's not the case here) being dismissive about exploitability and wrong about it.
If you want to critique my comment, point out that libcurl didn't actually merge libproxy which would've brought WPAD support... but my real point is that one should not dismiss a buffer overflow in libcurl.