This time, the curl vulnerability is real and really does exist. This is confirmed by the creator of the well-known utility, Daniel Stenberg, who explains the nature of the problem in a note published on GitHub.
Stenberg writes that the curl development team has scheduled the release of version 8.4.0 for October 11th. It is what other software houses would call an out-of-band release: the severity of the security issues that emerged has prompted the emergency distribution, at very short notice, of a corrective update.
The author of curl notes that two vulnerabilities have been identified: the first is among the most severe encountered in the program in many years.
Why curl vulnerabilities are so serious
Let's start by saying that curl is a utility that knows no boundaries. Born back in 1998, curl facilitates file transfer in any context. In another article we highlighted the differences between curl and wget, explaining that the former is a much more complete and versatile piece of software, supporting dozens of different protocols, file uploads, proxies, authentication, sending data with various methods (POST, PUT, ...) and a wide range of advanced features.
It is estimated that curl is used in approximately 20 billion installations globally. In addition to the command-line utility, many software and hardware products integrate the libcurl library, a component that provides file transfer functionality via URL. Written in C, it offers a programming interface (API) for performing data transfer operations over various protocols.
The main features of libcurl include cookie management, support for HTTP/2 and HTTP/3, secure connections via SSL/TLS, the ability to use proxies and more. Furthermore, the library is designed to be portable and multi-platform.
Since libcurl is a low-level library, it is often integrated into higher-level applications to provide data transfer functionality. Many programming languages provide bindings for integrating libcurl directly into projects, allowing developers to use it easily in their applications.
The crux of the problem is clear: since the most dangerous vulnerability affects both the curl utility and the libcurl library, it is essential that all distributions, all projects that integrate it, all hardware and software products and all users move to the latest 8.4.0 release. How many Internet of Things (IoT) devices in the world use curl? Countless.
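As an added example (not from the article or the curl project), here is a POSIX shell check that parses the first line of `curl --version` and flags a host when either the curl tool or the libcurl it links against is older than the 8.4.0 release; the sample banner lines are constructed, and the script also assesses the local curl if one is installed.

```shell
#!/bin/sh
# Added example, not part of the article: inventory check for curl/libcurl < 8.4.0.
FIXED_VERSION="8.4.0"

# version_lt A B: succeed (exit 0) when dotted version A is numerically lower than B.
# Non-numeric suffixes such as "-DEV" are ignored by awk's numeric conversion.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# parse_curl_banner LINE: print "<curl-version> <libcurl-version>" from the first
# line of `curl --version`, e.g. "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 ...".
parse_curl_banner() {
    printf '%s\n' "$1" | sed -n 's/^curl \([0-9][0-9.]*\).*libcurl\/\([0-9][0-9.]*\).*/\1 \2/p'
}

# assess_banner LINE: print PATCHED, NEEDS-UPDATE or UNKNOWN. A host is flagged when
# either the tool or the library predates the fix, since a newer curl binary can
# still be dynamically linked against an older libcurl.
assess_banner() {
    set -- $(parse_curl_banner "$1")
    [ -n "$1" ] && [ -n "$2" ] || { echo "UNKNOWN"; return 2; }
    if version_lt "$1" "$FIXED_VERSION" || version_lt "$2" "$FIXED_VERSION"; then
        echo "NEEDS-UPDATE"; return 1
    fi
    echo "PATCHED"; return 0
}

# Constructed sample banners (not real inventory data).
SAMPLE_OLD="curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13"
SAMPLE_FIXED="curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11 zlib/1.2.13"
SAMPLE_MIXED="curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.11 zlib/1.2.13"

for banner in "$SAMPLE_OLD" "$SAMPLE_FIXED" "$SAMPLE_MIXED"; do
    printf '%s -> %s\n' "$(parse_curl_banner "$banner")" "$(assess_banner "$banner")"
done

# Assess the curl actually installed on this host, if any.
if command -v curl >/dev/null 2>&1; then
    printf 'local curl -> %s\n' "$(assess_banner "$(curl --version | head -n 1)")"
fi
```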
What are the vulnerabilities discovered in curl
Stenberg had recently challenged the classification of vulnerabilities in the NVD database. This time, however, he himself is preparing the interested parties for the problem that could arise starting from October 11th.
Vulnerability CVE-2023-38545 is in fact classified as extremely critical and, as mentioned, affects both curl and libcurl. The second security problem, CVE-2023-38546, is of much less concern and only concerns libcurl.
At the moment there is maximum confidentiality about the nature of the two problems because, it seems, the first could have a truly significant impact on the security of a very large number of hardware and software products. To date, only the maintainers of some communities, for example those of the Linux distributions, know the details of the vulnerabilities that have just come to light in curl.
In the coming days we will understand how the most serious curl vulnerability can actually be exploited by cybercriminals to conduct remote attacks that lead, for example, to the execution of arbitrary code. The worst case would be a security issue that is exploitable when curl connects to a remote server.