On October 4, the curl team indicated that a high severity vulnerability would be published on October 11, starting the process of understanding exposure and looking for all instances of curl for many teams. We now understand that CVE-2023-38546 and CVE-2023-38545 involve the SOCKS5 protocol as well as how cookies are handled with single transfers. To start searching your environment for all running instances of curl in your clusters, skip to the end and request a trial of the searchable SBOM with KSOC.
Engineers and security teams often need to transfer data across to a remote server to share syntax, grab data, and interface with various parts of the IT ecosystem. In today’s world of microservices and APIs, where complex computations and applications are composed of various, modular pieces that communicate via remote requests, curl has emerged as a leading open source data transfer tool, available directly from your terminal via a command line interface (CLI). Curl can also be used to send deletion or update requests that modify an existing resource, and the Kubernetes API can be accessed directly with curl.
Curl requires a client side transfer library, libcurl, to support the various transport protocols (think HTTPS, SMTP, and FTP), as well as include cookies and add authentication credentials.
SOCKS5 proxy is the up to date SOCK proxy that makes TCP and UDP connections fast and better secured, using authentication at the operating system level as well as a kind of firewall. It is often used by VPN providers because it allows you to hide your IP address from online services, but it can also be used when you require larger bandwidth size or need to access restricted platforms in a secure way. A survey shows that around 67% of respondents are using proxies, and SOCKS5 was the second most common proxy used.
Curl would use libcurl to be able to transfer data through the SOCKS5 proxy.
Two curl vulnerabilities were announced on October 11, CVE-2023-38545 with high severity, involving the SOCKS5 proxy handshake, and CVE-2023-38546 with low severity, involving the handling of cookies.
In CVE-2023-38545, in the case of a slow SOCKS5 handshake with curl and a hostname (from the target url) longer than the download buffer in libcurl, an attacker could theoretically get the wrong hostname value inserted and cause a crash due to a heap-based buffer overflow. They could do this with a malicious server and a url created to trigger the event.
The fix for this issue involves returning an error message when the hostname is longer than the download buffer, versus switching to a local resolve mode with the bug that might allow the too long hostname to be used.
In CVE-2023-38546, an attacker could take advantage of a flaw in how the curl API handles single transfers, when cookies are enabled, to load cookies from its own file, if labeled none-. The issue is labeled low severity because the risk of a cookie injection is relatively low, and only affects libcurl, not curl.
For CVE-2023-38545, it is relatively unlikely that an overflow would occur, given that the default buffersize is 100kB, and this bug only appears if the rate limit has been set to smaller than 65541 bytes/second. That being said, curl and libcurl are used very broadly by many applications, and is one of those things that is not always obvious. Libcurl libraries can be linked dynamically or statically, and some images might even feature their own static copies, so it is important to root out where these are located.
The fix for both CVEs is included in version 8.4.0, and affected versions include libcurl 7.69.0 up to 8.3.0. Libcurl version 7.69.0 is unaffected. It is also not recommended to set a proxy environment variable to socks5h:// . Updating the shared libcurl library should be enough to fix the issue on all operating systems.
KSOC allows you to create and search an SBOM of all your running images for a specific package name. We will show all running packages . . . not just all packages in all registries. This can lower the overall amount of effort required, since you know what should be prioritized as a part of your actual, running environment.
Even if you don’t suspect that parts of your environment might be utilizing curl to access your Kubernetes API via SOCKS5, it is a good idea to see everywhere curl is in use in your clusters.
See this video for the searchable SBOM in action:
Schedule a free trial and search your SBOM for affected libcurl versions today!
Conclusion
Curl, and libcurl, by association, are widely used to transfer data from remote servers, straight from your terminal, including in Kubernetes where it can be used to access the Kubernetes API. Curl and libcurl work with many different protocols, including the SOCKS5 proxy, which is a favorite proxy with added security and authentication. The high severity curl CVE creates a potential crash due to a bug that makes room for a heap based buffer overflow. An update to libcurl version 8.4.0 will fix the issue. Due to the wide usage of curl and libcurl, the first step is to understand where in your environment you might have exposure. KSOC can help you find vulnerable versions of libcurl with a searchable SBOM of your running Kubernetes environment. Schedule your free trial today!