On October 11, 2023, a critical vulnerability was disclosed in cURL, a popular command-line tool and library for transferring data over various protocols. The issue, tagged as CVE-2023-38545, is a heap-based buffer overflow vulnerability that exists in the SOCKS5 proxy handshake process. The vulnerability affects versions of libcurl from 7.69.0 to 8.3.0. Its severity is marked as high, which means immediate action is required to mitigate the risk.
curl has supported SOCKS5 since 2002, and the issue primarily lies in the way curl deals with SOCKS5. The issue is rooted in a function that was converted into a non-blocking state machine back in February 2020. The vulnerability arises from how curl handles host names that are too long (>255 bytes) while setting up a SOCKS5 proxy. When curl encounters a long host name, it switches from proxy resolution to local resolution, a choice that it shouldn't make. This change in behavior isn't preserved across multiple invocations of the state machine, which results in inconsistency and can lead to the overflow. A malicious actor could exploit this by feeding a long host name into curl via an HTTP 30x redirect if curl is configured to follow redirects automatically. The immediate solution has been to prevent curl from switching from proxy to local resolution due to long host names and to return an error instead.
When cURL is instructed to pass the hostname to a SOCKS5 proxy for DNS resolution, the hostname length must not exceed 255 bytes. If the length is more than 255 bytes, cURL attempts to resolve the name locally. A bug in this logic, specifically affecting slow SOCKS5 handshakes, can cause cURL to pass an overly long hostname to the proxy, triggering a heap-based buffer overflow.
This overflow occurs in the heap-based download buffer in libcurl, which defaults to 16kB but can be resized via the
CURLOPT_BUFFERSIZE option. The flaw can be triggered if the client uses a hostname longer than this buffer size and if the SOCKS5 handshake is slow enough to trip the bug.
- libcurl versions 7.69.0 to 8.3.0
- curl tool that uses vulnerable versions of libcurl
- Systems using CURLPROXY_SOCKS5_HOSTNAME with the above versions
- Upgrade: The easiest and most secure fix is to upgrade to libcurl version 8.4.0 or higher where the bug has been fixed.
- Patch: For those who cannot immediately upgrade, a patch has been released.
- Configuration Changes: As a temporary measure, avoid using
CURLPROXY_SOCKS5_HOSTNAMEand do not set any proxy environment variable to
- Do not use
CURLPROXY_SOCKS5_HOSTNAMEproxies with curl.
- Do not set a proxy environment variable to
The issue was reported on September 30, 2023, and has been fixed in libcurl 8.4.0 released on October 11, 2023. Microsoft is expected to release a patch for affected Windows instances.