[YA-20] High severity vulnerability found in libcurl and curl (CVE-2023-38545)

admin · October 13, 2023 09:02:56 · 39 views


Today, at 06:00 UTC, the curl maintainers released version 8.4.0 of curl and libcurl to fix a High severity heap-based buffer overflow (see the maintainers' proof-of-concept and initial notification) that can affect systems with a specific configuration and set of preconditions.
The vulnerability is present in packages across several managed and unmanaged open source ecosystems, including (but not limited to) C/C++, cargo, cocoapods, npm, NuGet, pip, and pub, as well as various Linux distributions such as Alpine, Debian, RHEL, and others.
This is the first high-severity vulnerability found in curl in several years (the last one was in early 2021).


Screenshot from the cURL vulnerability table
The impacted curl/libcurl versions (every release since March 2020) are as follows:
  • Affected versions: libcurl 7.69.0 up to and including 8.3.0
  • Not affected versions: libcurl < 7.69.0 and >= 8.4.0
The exploit complexity is rated high, and the bug can only be triggered under specific conditions. As the maintainer explains in his post, How I made a heap overflow in curl, the vulnerable client must be talking to a SOCKS5 proxy with remote hostname resolution enabled (a socks5h:// proxy URL, the --socks5-hostname option, or CURLPROXY_SOCKS5_HOSTNAME in libcurl), and it must be handed an attacker-controlled hostname longer than 255 bytes, either directly in the URL or through an HTTP redirect from a malicious or compromised server. When the SOCKS5 handshake is slow enough that curl's non-blocking state machine has to wait and re-enter, the decision to resolve an over-long name locally is lost, and the full hostname is copied into a heap buffer (the connection's download buffer) that by default is smaller than the longest hostname a URL can carry. Even then, the bytes that overflow are limited to the characters allowed in a hostname. Turning such a constrained heap overflow into arbitrary code execution (ACE) on a modern system with a hardened allocator and ASLR is difficult, hence the high-complexity rating.
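To make the control-flow bug concrete, here is a simplified model, written for this page and not taken from curl's source, of a non-blocking SOCKS5 handshake in which the "resolve locally because the name is too long" decision is kept in a local variable that is re-initialised whenever the state machine is re-entered after a slow proxy response. The 16 KiB buffer size (libcurl's default download buffer) and the 'a'-filled hostnames are assumptions made for the demo; the model computes the size of the request it would write instead of actually corrupting memory. The fixed variant keeps the decision in per-connection state and re-checks the length at the point where the name would be copied, which is where the invariant belongs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the CVE-2023-38545 logic bug; this is not curl's code.
 * A SOCKS5 CONNECT request carries a hostname (ATYP 0x03) behind a single
 * length byte, so the protocol caps the name at 255 bytes. */
#define SOCKS5_MAX_HOSTNAME 255u

enum socks_state { SOCKS_INIT, SOCKS_GREETING_SENT, SOCKS_REQ_INIT, SOCKS_DONE };

struct conn {
    enum socks_state state;
    bool resolve_local;     /* fixed variant: decision persisted per connection */
};

struct request_plan {
    bool remote_resolve;    /* true: the raw hostname is handed to the proxy */
    unsigned char len_byte; /* what the one-byte length field would contain */
    size_t bytes_needed;    /* size of the request that would be written */
    bool overflows;         /* bytes_needed exceeds the target buffer */
    bool refused;           /* fixed variant rejected an over-long name */
};

/* One step of the handshake. Returns true if the caller must come back
 * later (the proxy has not answered yet), false once the request is planned. */
static bool socks5_step(struct conn *c, const char *host, size_t bufsize,
                        bool would_block, bool fixed, struct request_plan *out)
{
    size_t hostlen = strlen(host);
    /* Vulnerable variant: the decision lives in this local, which starts
     * out as "let the proxy resolve" on every re-entry. */
    bool resolve_local = false;

    switch (c->state) {
    case SOCKS_INIT:
        resolve_local = hostlen > SOCKS5_MAX_HOSTNAME; /* too long for SOCKS5 */
        if (fixed)
            c->resolve_local = resolve_local;          /* survives re-entry */
        c->state = SOCKS_GREETING_SENT;
        if (would_block)
            return true;       /* we come back later; the local is gone */
        /* fall through */
    case SOCKS_GREETING_SENT:
        c->state = SOCKS_REQ_INIT;
        /* fall through */
    case SOCKS_REQ_INIT:
        if (fixed)
            resolve_local = c->resolve_local;
        c->state = SOCKS_DONE;
        if (fixed && !resolve_local && hostlen > SOCKS5_MAX_HOSTNAME) {
            out->refused = true;   /* enforce the invariant at the copy site */
            return false;
        }
        out->remote_resolve = !resolve_local;
        out->len_byte = (unsigned char)hostlen;       /* silently truncated */
        out->bytes_needed = resolve_local
            ? 4 + 4 + 2                /* VER CMD RSV ATYP, IPv4 addr, port */
            : 4 + 1 + hostlen + 2;     /* ..., length byte, full name, port */
        out->overflows = out->bytes_needed > bufsize;
        return false;
    case SOCKS_DONE:
    default:
        return false;
    }
}

/* Drive the state machine to completion for one connection attempt. */
struct request_plan plan_socks5_connect(const char *host, size_t bufsize,
                                        bool slow_proxy, bool fixed)
{
    struct conn c = { SOCKS_INIT, false };
    struct request_plan out = { false, 0, 0, false, false };
    if (socks5_step(&c, host, bufsize, slow_proxy, fixed, &out))
        socks5_step(&c, host, bufsize, false, fixed, &out);  /* re-entry */
    return out;
}

/* Constructed input: a hostname of `hostlen` letters (URL hostnames cannot
 * exceed 65535 bytes). `bufsize` models the heap buffer the request goes into;
 * the demo assumes libcurl's default 16 KiB download buffer. */
struct request_plan demo(size_t hostlen, size_t bufsize, bool slow_proxy, bool fixed)
{
    static char host[65536];
    if (hostlen >= sizeof host)
        hostlen = sizeof host - 1;
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    return plan_socks5_connect(host, bufsize, slow_proxy, fixed);
}

int main(void)
{
    struct request_plan bad = demo(20000, 16384, true, false);
    struct request_plan good = demo(20000, 16384, true, true);
    printf("vulnerable: remote=%d bytes=%zu len_byte=%d overflow=%d\n",
           bad.remote_resolve, bad.bytes_needed, bad.len_byte, bad.overflows);
    printf("fixed:      remote=%d bytes=%zu refused=%d overflow=%d\n",
           good.remote_resolve, good.bytes_needed, good.refused, good.overflows);
    return bad.overflows;   /* non-zero exit: the vulnerable path would overflow */
}
```

With a 20000-byte hostname, a 16 KiB buffer and a slow proxy, the vulnerable variant plans a 20007-byte request with a length byte of 32 (20000 mod 256), which is both a protocol-invalid message and an overflow of the buffer; without the slow proxy the same hostname is correctly resolved locally, which is why the bug went unnoticed for so long. The fixed variant resolves locally in both timings.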
Now that the vulnerability is published and tracked, you can use Snyk's reporting feature to find impacted projects: select your org, then choose Reports in the sidebar. Under issue details select +Add Filter, select CVE, and enter the CVE number: CVE-2023-38545


Filter your view down to CVE-2023-38545
This blog will be updated with any new information as it comes up. We'll release a summary blog and any required follow-up steps after the fixed version is available.
Update: October 4, 2023

On October 3, 2023, Daniel Stenberg, the long-time curl maintainer and original author, published a note on both LinkedIn and X (formerly Twitter) about the upcoming curl 8.4.0 release, which will contain a fix for "probably the worst security problem found in curl in a long time." This should be taken seriously: the curl maintainers have been vocal in pushing back on inflated severity ratings for past curl CVEs (a recent example is the article CVE-2020-19909 is everything that is wrong with CVEs), and in this unusual case they are going out of their way to advertise the risk, adding, "buckle up."
The fixed version, 8.4.0, will be released on October 11, 2023, at around 06:00 UTC, per the maintainers.
Earlier today (October 4, 2023), the CVE identifiers for the two issues were announced in a GitHub discussion.
CVE-2023-38545 will be assigned to the High severity issue, affecting both libcurl and curl. An additional Low severity issue, CVE-2023-38546 (which only affects libcurl), will also be fixed in the same release.

What we currently know

cURL is a popular project providing both the libcurl library (used for URL transfers) and the curl command-line tool (used to get and send data using URLs). curl was first released in 1996 and has been used ubiquitously ever since, 27 years at the time of writing.
Many, if not all, of the Linux distributions that Snyk supports use libcurl, so the potential scope of impact is wide.

How to prepare for remediation

  • Check your container and package usage ahead of time to gauge your exposure
  • Identify hosts that have curl installed and determine how it was installed
  • Check the curl version you are using with curl --version

Gauge your exposure

Ahead of the release of the fixed version of libcurl, you can use Snyk to quickly find the open source projects and container images that might be impacted.
Navigate to Dependencies in the Snyk App UI sidebar. In the Dependencies view, expand the Dependencies filter and type "curl". You can select individual versions or tick the Select all shortcut, then click outside the filter to see the results. This shows every project of yours that contains the libcurl versions you selected. From there you can browse projects and dependencies to gauge your exposure and prioritize what to fix first.

Identify hosts that have curl installed

Many operating systems ship with curl installed by default, and where it lives depends on the operating system and installation method. You can quickly determine whether curl is installed and on your PATH by running: curl --version
If it returns without an error, it shows the version of the curl binary found first on your PATH. Note that curl may be installed in more than one location. For example, recent Apple computers ship it in /usr/bin/curl, but another copy may also have been installed via Homebrew. You can find the copy on your PATH with which curl. Other locations to check on macOS and Linux systems include:
  • /bin/curl
  • /usr/bin/curl
  • /usr/local/bin/curl
  • /opt/homebrew/opt/curl (a Homebrew keg directory; the binary is under its bin/)
Make sure you find every copy that needs updating in preparation for the new version. Remember that applications can also link libcurl as a shared library independently of the curl binary, so the command-line check alone does not cover everything on a host that uses libcurl.
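As an added example (not from the original post), this small C program turns the checklist above into something you can run against each binary you find: it parses the first line of `curl --version`, prefers the libcurl/x.y.z token when present (the curl tool and the libcurl it links can be different versions, and the affected component is libcurl), packs the version the way LIBCURL_VERSION_NUM does (0xXXYYZZ), and reports whether it falls inside 7.69.0 through 8.3.0. The sample version lines and the loop over candidate paths are constructed for illustration. One caveat: a distribution that backports the fix in place keeps the old version number, so a hit here means "check your vendor's advisory", not "confirmed vulnerable".

```c
#include <stdio.h>
#include <string.h>

/* Pack major.minor.patch the way LIBCURL_VERSION_NUM does: 0xXXYYZZ. */
static unsigned pack_version(unsigned major, unsigned minor, unsigned patch)
{
    return (major << 16) | (minor << 8) | patch;
}

/* Affected range from the advisory: 7.69.0 <= v <= 8.3.0, fixed in 8.4.0. */
#define FIRST_AFFECTED 0x074500u   /* 7.69.0 */
#define FIXED_VERSION  0x080400u   /* 8.4.0  */

int cve_2023_38545_affected(unsigned version_num)
{
    return version_num >= FIRST_AFFECTED && version_num < FIXED_VERSION;
}

/* Parse the first line of `curl --version`, e.g.
 *   curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 ...
 * Prefers the libcurl/x.y.z token, falls back to the leading "curl x.y.z".
 * Returns the packed version, or 0 if the line cannot be parsed. */
unsigned parse_curl_version_line(const char *line)
{
    unsigned ma, mi, pa;
    const char *p = strstr(line, "libcurl/");
    if (p && sscanf(p + strlen("libcurl/"), "%u.%u.%u", &ma, &mi, &pa) == 3)
        return pack_version(ma, mi, pa);
    if (sscanf(line, "curl %u.%u.%u", &ma, &mi, &pa) == 3)
        return pack_version(ma, mi, pa);
    return 0;
}

/* Reads version lines on stdin, one per binary; exits non-zero if any is
 * inside the affected range. Feed it with something like:
 *   for b in /bin/curl /usr/bin/curl /usr/local/bin/curl \
 *            /opt/homebrew/opt/curl/bin/curl; do
 *       [ -x "$b" ] && "$b" --version | head -n 1
 *   done | ./curl-check */
int main(void)
{
    char line[1024];
    int any_affected = 0;
    while (fgets(line, sizeof line, stdin)) {
        unsigned v = parse_curl_version_line(line);
        if (!v) {
            printf("unparsed: %s", line);
            continue;
        }
        int hit = cve_2023_38545_affected(v);
        printf("libcurl %u.%u.%u -> %s\n", v >> 16, (v >> 8) & 0xff, v & 0xff,
               hit ? "AFFECTED by CVE-2023-38545 (verify against vendor advisory)"
                   : "not in affected range");
        any_affected |= hit;
    }
    return any_affected;
}
```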

How to respond once the update is released

On release day, planned for October 11, 2023 around 06:00 UTC, be prepared to update to version 8.4.0. Once the new version is available, Snyk will have more information and will publish additional details about the vulnerability on this blog (and link any follow-up blogs here as well).

Update vulnerable packages and containers

Use the information you gathered in preparation to update your projects and container images to the fixed version of libcurl. Ecosystems and Linux distributions will pick up the fix on their own schedules, so availability will be staggered: some maintainers wait for the upstream release before rebuilding their packages or container images, while others backport the patch in place. Note that a backported fix keeps the old version number, so on such systems check the distribution's security advisory or package changelog rather than relying on curl --version alone. In either case, Snyk can help you find and fix the issues.

Update curl on your devices

Once a fixed version of the curl binary is available, update every copy you have installed. We'll be posting some helpful tips on getting it updated in a separate post: there are multiple ways curl can be installed, and the update method varies by operating system.


Originally published on the WeChat public account Eonian Sharp: [YA-20] High severity vulnerability found in libcurl and curl (CVE-2023-38545)

admin · Published October 13, 2023 09:02:56 · Reposted by CN-SEC (keep this link when reposting): https://cn-sec.com/archives/2108191.html
