Document toolboxDocument toolbox

CURL vulnerability information (CVE-2023-38545)

Latest update date of this article

2023-10-12

General information

This article contains information related to curl vulnerability CVE-2023-38545.

CURL/libCURL versions starting with 7.69.0 and before 8.4.0 are affected by a heap overflow flaw, allowing hackers to potentially execute code on systems with a specific SOCKS5 configuration.

Details: curl - SOCKS5 heap buffer overflow - CVE-2023-38545

Nexus SaaS customers

If you are a Nexus SaaS (Software as a Service) customer, the mitigation and patching is performed by the SaaS delivery team. Our SaaS services are monitored 24/7/365 by our on-call rotation, and we have also updated our monitoring and routines to deal with this specific CVE. 

Nexus components

This list contains the components from Nexus, and their respective affected versions.

Component

Affected versions

Comment

Component

Affected versions

Comment

Smart ID Certificate Manager

-

(lib)CURL not included in the product

Nexus OCSP Responder

-

(lib)CURL not included in the product

Nexus Timestamp Server

-

(lib)CURL not included in the product

Smart ID Desktop / Mobile App

-

(lib)CURL not included in the product

Personal Desktop Client

Included in versions <= 5.9

Used in Personal Desktop Client. Either disable SOCKS5 on the clients or uninstall Personal Desktop Client as long as we have no patched version. Customers who are using SOCKS5 proxies might be at risk.

 

Nexus Card SDK

Included in versions < 5.9, 
not exploitable

Only used for internal CardSDK JPKIEncoder communcation (localhost, not over the network)

Smart ID Physical Access

-

(lib)CURL not included in the product

Smart ID Digital Access (previously named Hybrid Access Gateway – HAG)

Included in versions for docker image only (via Ubuntu 22.04 base image),

not exploitable unless an affected application within the container is run explicitly

(lib)CURL not used by the web applications

Smart ID Identity Manager / PRIME

Included in versions 22.04.0 and 22.04.1 for Docker only (7.81.0 via the Ubuntu 22.04 base image),
not exploitable unless an affected application within the container is run explicitly

  • (lib)CURL not used by the web applications

  • (lib)CURL not included in WAR deployments

  • (lib)CURL not included in Docker images for IDM / PRIME 21.10.x and below

  • Docker images for IDM 22.04.2 and above include version 7.68.0 (not affected) via the Ubuntu 20.04 base image

Smart ID Self-Service

Smart ID Messaging component - Hermod

Included in versions < 3.6.3, 
not exploitable and used in older versions

(lib)CURL will not be included in the newest product release after 3.6.2

Mitigation Options

  • Upgrade to a patched version

  • Ensure SOCKS5 hostname proxying is disabled on systems/containers that include a vulnerable version of CURL and/or libCURL:

    • do not set any proxy environment variable (such as http_proxy, HTTPS_PROXY or ALL_PROXY) to use the scheme socks5h://

    • and do not use --socks5-hostname on the curl command-line utility

    • and do not use  --proxy or --preproxy set to use the scheme socks5h:// on the curl command-line utility

Attack Flow

  1. A vulnerable CURL utility or another libCURL-based application is configured to use a SOCKS5 proxy with included hostname-resolution (socks5h).

  2. The application sends an HTTP request through libCURL to a malicious HTTP server.

  3. The malicious server responds with a 30x HTTP redirect, containing a specially-crafted, oversized hostname (>255 bytes) in the Location header.

  4. Depending on the speed of the SOCKS5 handshake a vulnerable code path is taken where the hostname is copied by libCURL into a buffer of insufficient size.

  5. Heap overflow resulting in remote code execution and/or denial of service.

Further Information 

Blog post with technical background information: https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/

Disclaimer

Nexus has made effort to make this information accurate and reliable. However, the information, including the recommendations provided by Nexus, is provided "as is" without warranty of any kind. Nexus disclaims all warranties, either expressed or implied and Nexus shall in no event be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, which may arise as a result of your use, or inability to use, this information.

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions