CVE-2023-38545

curl: heap based buffer overflow in the SOCKS5 proxy handshake

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy
handshake.

When curl is asked to pass along the host name to the SOCKS5 proxy to allow
that to resolve the address instead of it getting done by curl itself, the
maximum length that host name can be is 255 bytes.

If the host name is detected to be longer, curl switches to local name
resolving and instead passes on the resolved address only. Due to this bug,
the local variable that means "let the host resolve the name" could get the
wrong value during a slow SOCKS5 handshake, and contrary to the intention,
copy the too long host name to the target buffer instead of copying just the
resolved address there.

The target buffer being a heap based buffer, and the host name coming from the
URL that curl has been told to operate with.

Esta falla hace que curl desborde un búfer basado en el protocolo de enlace del proxy SOCKS5. Cuando se le pide a curl que pase el nombre de host al proxy SOCKS5 para permitir que resuelva la dirección en lugar de que lo haga curl mismo, la longitud máxima que puede tener el nombre de host es 255 bytes. Si se detecta que el nombre de host es más largo, curl cambia a la resolución de nombres local y en su lugar pasa solo la dirección resuelta. Debido a este error, la variable local que significa "dejar que el host resuelva el nombre" podría obtener el valor incorrecto durante un protocolo de enlace SOCKS5 lento y, contrariamente a la intención, copiar el nombre del host demasiado largo al búfer de destino en lugar de copiar solo la dirección resuelta allí. El búfer de destino es un búfer basado en montón y el nombre de host proviene de la URL con la que se le ha dicho a curl que opere.

A heap-based buffer overflow flaw was found in the SOCKS5 proxy handshake in the Curl package. If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. If the hostname is longer, then Curl switches to the local name resolving and passes the resolved address only to the proxy. The local variable that instructs Curl to "let the host resolve the name" could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-07-20 CVE Reserved
2023-10-11 CVE Published
2023-10-11 First Exploit
2024-08-02 CVE Updated
2024-09-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-787: Out-of-bounds Write

CAPEC

References (23)

URL	Tag	Source
http://seclists.org/fulldisclosure/2024/Jan/34	Mailing List
http://seclists.org/fulldisclosure/2024/Jan/37	Mailing List
http://seclists.org/fulldisclosure/2024/Jan/38	Mailing List
https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ	Mailing List
https://security.netapp.com/advisory/ntap-20231027-0009	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240201-0005	Third Party Advisory
https://support.apple.com/kb/HT214036	Third Party Advisory
https://support.apple.com/kb/HT214057	Third Party Advisory
https://support.apple.com/kb/HT214058	Third Party Advisory
https://support.apple.com/kb/HT214063	Third Party Advisory

URL	Date	SRC
https://github.com/d0rb/CVE-2023-38545	2024-03-13
https://github.com/vanigori/CVE-2023-38545-sample	2023-10-13
https://github.com/UTsweetyfish/CVE-2023-38545	2023-10-11
https://github.com/fatmo666/CVE-2023-38545-libcurl-SOCKS5-heap-buffer-overflow	2023-10-15
https://github.com/imfht/CVE-2023-38545	2023-10-12
https://github.com/bcdannyboy/CVE-2023-38545	2023-10-16
https://github.com/dbrugman/CVE-2023-38545-POC	2023-10-16
https://github.com/Yang-Shun-Yu/CVE-2023-38545	2024-03-19

URL	Date	SRC
https://curl.se/docs/CVE-2023-38545.html	2024-07-09
https://www.secpod.com/blog/high-severity-heap-buffer-overflow-vulnerability	2024-07-09

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-38545	2024-04-23
https://bugzilla.redhat.com/show_bug.cgi?id=2241933	2024-04-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Haxx Search vendor "Haxx"		Libcurl Search vendor "Haxx" for product "Libcurl"				>= 7.69.0 < 8.4.0 Search vendor "Haxx" for product "Libcurl" and version " >= 7.69.0 < 8.4.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		vmware_vsphere		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		windows		Affected
Netapp Search vendor "Netapp"		Oncommand Insight Search vendor "Netapp" for product "Oncommand Insight"				-		-		Affected
Netapp Search vendor "Netapp"		Oncommand Workflow Automation Search vendor "Netapp" for product "Oncommand Workflow Automation"				-		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 1809 Search vendor "Microsoft" for product "Windows 10 1809"				< 10.0.17763.5122 Search vendor "Microsoft" for product "Windows 10 1809" and version " < 10.0.17763.5122"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 21h2 Search vendor "Microsoft" for product "Windows 10 21h2"				< 10.0.19044.3693 Search vendor "Microsoft" for product "Windows 10 21h2" and version " < 10.0.19044.3693"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 22h2 Search vendor "Microsoft" for product "Windows 10 22h2"				< 10.0.19045.3693 Search vendor "Microsoft" for product "Windows 10 22h2" and version " < 10.0.19045.3693"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 11 21h2 Search vendor "Microsoft" for product "Windows 11 21h2"				< 10.0.22000.2600 Search vendor "Microsoft" for product "Windows 11 21h2" and version " < 10.0.22000.2600"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 11 22h2 Search vendor "Microsoft" for product "Windows 11 22h2"				< 10.0.22621.2715 Search vendor "Microsoft" for product "Windows 11 22h2" and version " < 10.0.22621.2715"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 11 23h2 Search vendor "Microsoft" for product "Windows 11 23h2"				< 10.0.22631.2715 Search vendor "Microsoft" for product "Windows 11 23h2" and version " < 10.0.22631.2715"		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2019 Search vendor "Microsoft" for product "Windows Server 2019"				< 10.0.17763.5122 Search vendor "Microsoft" for product "Windows Server 2019" and version " < 10.0.17763.5122"		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2022 Search vendor "Microsoft" for product "Windows Server 2022"				< 10.0.20348.2113 Search vendor "Microsoft" for product "Windows Server 2022" and version " < 10.0.20348.2113"		-		Affected