CVE-2023-38545
curl: heap based buffer overflow in the SOCKS5 proxy handshake
Public Exploits: 8
Exploited in Wild: -
Description
This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake.
When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes.
If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake and, contrary to the intention, copy the too-long host name to the target buffer instead of copying just the resolved address there.
The target buffer is a heap-based buffer, and the host name comes from the URL that curl has been told to operate with.
A heap-based buffer overflow flaw was found in the SOCKS5 proxy handshake in the Curl package. If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. If the hostname is longer, then Curl switches to the local name resolving and passes the resolved address only to the proxy. The local variable that instructs Curl to "let the host resolve the name" could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior.
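As an added illustration of the mechanism described above (a constructed model, not curl's code), the vulnerable step keeps the "resolve locally" decision in a local variable that is recomputed on every re-entry, so a slow handshake that returns and is called again loses the override made for an over-long name; the hardened step rejects the over-long name up front, in the direction the curl fix took. The buffer size, the function and type names, and the 4-byte stand-in for a resolved IPv4 address are assumptions, and the model bound-checks the copy instead of performing it, so it reports the would-be overflow rather than triggering one.

```c
#include <string.h>
/* Constructed model of the handshake decision described above; not curl's code. */
#define SOCKS5_MAX_HOSTNAME 255  /* the SOCKS5 request carries a 1-byte name length */
enum step { STEP_INIT, STEP_CONNECT };
enum result { RES_AGAIN, RES_OK, RES_ERROR, RES_OVERFLOW_PREVENTED };
struct sx { enum step step; };  /* per-connection handshake state */

/* Vulnerable pattern: "resolve locally" is a local recomputed from configuration on
 * every call, so the override made in STEP_INIT for an over-long name is lost when
 * a slow proxy makes the state machine return RES_AGAIN and get called again. */
static enum result step_vulnerable(struct sx *s, const char *host, int remote,
                                   int slow, size_t buflen)
{
    int resolve_local = !remote;                 /* recomputed on every call */
    size_t hostlen = strlen(host);
    if (s->step == STEP_INIT) {
        if (!resolve_local && hostlen > SOCKS5_MAX_HOSTNAME)
            resolve_local = 1;                   /* override lives only in this call */
        s->step = STEP_CONNECT;
        if (slow) return RES_AGAIN;              /* proxy not ready: caller retries */
    }
    /* CONNECT: 4 bytes of IPv4 address, or the raw name; bound checked, not copied */
    return (resolve_local ? 4 : hostlen) > buflen ? RES_OVERFLOW_PREVENTED : RES_OK;
}

/* Hardened pattern: refuse an over-long name up front instead of silently switching
 * modes, so there is no per-call decision that a re-entry could lose. */
static enum result step_fixed(struct sx *s, const char *host, int remote,
                              int slow, size_t buflen)
{
    size_t hostlen = strlen(host);
    if (s->step == STEP_INIT) {
        if (remote && hostlen > SOCKS5_MAX_HOSTNAME)
            return RES_ERROR;                    /* fail the handshake, keep one mode */
        s->step = STEP_CONNECT;
        if (slow) return RES_AGAIN;
    }
    return (remote ? hostlen : 4) > buflen ? RES_OVERFLOW_PREVENTED : RES_OK;
}

/* Drive a remote-resolve handshake to completion with a constructed name of hostlen
 * bytes; slow=1 makes the first call return RES_AGAIN, as a slow proxy would. */
static enum result run(int fixed, size_t hostlen, int slow, size_t buflen)
{
    char host[1024]; enum result r;
    struct sx s = { STEP_INIT };
    memset(host, 'a', hostlen); host[hostlen] = '\0';   /* constructed host name */
    do r = fixed ? step_fixed(&s, host, 1, slow, buflen)
                 : step_vulnerable(&s, host, 1, slow, buflen);
    while (r == RES_AGAIN);
    return r;
}
```

With a 300-byte name and a 256-byte buffer, the vulnerable step passes on a fast handshake but reports the would-be overflow on a slow one; the hardened step returns an error in both cases.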
SSVC
- Decision: Attend
Timeline
- 2023-07-20 CVE Reserved
- 2023-10-11 CVE Published
- 2023-10-11 First Exploit
- 2024-10-17 CVE Updated
- 2024-11-19 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-787: Out-of-bounds Write
References (23)
URL | Tag
---|---
http://seclists.org/fulldisclosure/2024/Jan/34 | Mailing List
http://seclists.org/fulldisclosure/2024/Jan/37 | Mailing List
http://seclists.org/fulldisclosure/2024/Jan/38 | Mailing List
https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868 | -
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ | Mailing List
https://security.netapp.com/advisory/ntap-20231027-0009 | Third Party Advisory
https://security.netapp.com/advisory/ntap-20240201-0005 | Third Party Advisory
https://support.apple.com/kb/HT214036 | Third Party Advisory
https://support.apple.com/kb/HT214057 | Third Party Advisory
https://support.apple.com/kb/HT214058 | Third Party Advisory
https://support.apple.com/kb/HT214063 | Third Party Advisory
URL | Date
---|---
https://github.com/d0rb/CVE-2023-38545 | 2024-03-13
https://github.com/vanigori/CVE-2023-38545-sample | 2023-10-13
https://github.com/UTsweetyfish/CVE-2023-38545 | 2023-10-11
https://github.com/fatmo666/CVE-2023-38545-libcurl-SOCKS5-heap-buffer-overflow | 2023-10-15
https://github.com/imfht/CVE-2023-38545 | 2023-10-12
https://github.com/bcdannyboy/CVE-2023-38545 | 2023-10-16
https://github.com/dbrugman/CVE-2023-38545-POC | 2023-10-16
https://github.com/Yang-Shun-Yu/CVE-2023-38545 | 2024-03-19
URL | Date
---|---
https://curl.se/docs/CVE-2023-38545.html | 2024-07-09
https://www.secpod.com/blog/high-severity-heap-buffer-overflow-vulnerability | 2024-07-09
URL | Date
---|---
https://access.redhat.com/security/cve/CVE-2023-38545 | 2024-04-23
https://bugzilla.redhat.com/show_bug.cgi?id=2241933 | 2024-04-23
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Haxx | Libcurl | >= 7.69.0 < 8.4.0 | - | Affected
Fedoraproject | Fedora | 37 | - | Affected
Netapp | Active Iq Unified Manager | - | vmware_vsphere | Affected
Netapp | Active Iq Unified Manager | - | windows | Affected
Netapp | Oncommand Insight | - | - | Affected
Netapp | Oncommand Workflow Automation | - | - | Affected
Microsoft | Windows 10 1809 | < 10.0.17763.5122 | - | Affected
Microsoft | Windows 10 21h2 | < 10.0.19044.3693 | - | Affected
Microsoft | Windows 10 22h2 | < 10.0.19045.3693 | - | Affected
Microsoft | Windows 11 21h2 | < 10.0.22000.2600 | - | Affected
Microsoft | Windows 11 22h2 | < 10.0.22621.2715 | - | Affected
Microsoft | Windows 11 23h2 | < 10.0.22631.2715 | - | Affected
Microsoft | Windows Server 2019 | < 10.0.17763.5122 | - | Affected
Microsoft | Windows Server 2022 | < 10.0.20348.2113 | - | Affected