curl Bug in SOCKS5 Proxy Handshake Can Lead to Insecure Resolution
CVE-2023-38545

9.8CRITICAL

Key Information:

Vendor

Curl

Status
Curl
Vendor
CVE Published:
18 October 2023

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 18%

What is CVE-2023-38545?

A heap-based buffer overflow vulnerability exists in curl during the SOCKS5 proxy handshake. When curl attempts to resolve hostnames via a SOCKS5 proxy, it enforces a maximum hostname length of 255 bytes. If a hostname exceeds this limit, curl is designed to switch to local name resolution, passing only the resolved address to the target buffer. However, due to a flaw, during a slow SOCKS5 handshake, this transition can be mishandled. As a result, an overly long hostname can inadvertently be copied into a heap-based target buffer instead of the correct resolved address. This mismanagement can lead to serious security implications, as it may be possible for attackers to exploit heap corruption, thus compromising the integrity and confidentiality of the curl process.

Affected Version(s)

curl 8.4.0

curl 7.69.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-38545
Created by d0rb

CVE-2023-38545
Created by UTsweetyfish

CVE-2023-38545
Created by imfht

References

https://curl.se/docs/CVE-2023-38545.html
https://security.netapp.com/advisory/ntap-20231027-0009/
https://lists.fedoraproject.org/archives/list/package-ann...

EPSS Score

18% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability Reserved

.