Lucene search

K
qualysblogSaeed AbbasiQUALYSBLOG:1FE1E20BA610A28A77748B9061AF07ED
HistoryOct 06, 2023 - 12:14 a.m.

Curl 8.4.0 – Proactively Identifying Potential Vulnerable Assets

2023-10-0600:14:06
Saeed Abbasi
blog.qualys.com
335
curl
libcurl
high-severity
low-severity
cve-2023-38545
cve-2023-38546
qualys
asset visibility
release
update
organizations
qualys unified dashboard
qualys patch management
vulnerabilities
system
inventory

0.003 Low

EPSS

Percentile

70.8%

On Wednesday, October 4, 2023, the curl project maintainers announced pre-notification for curl version 8.4.0 to be released on October 11. This version will fix two new vulnerabilities with one high and one low-severity CVE. The prenotification stated that the high-severity issue is arguably the most critical security flaw identified in curl in recent history.

Details regarding the vulnerabilities and the new version will be disclosed around 06:00 UTC on October 11, 2023.

What is Curl and libcurl?

Curl is a versatile open-source command-line tool for transferring data with URL syntax, supporting many network protocols like SSL, TLS, HTTP, FTP, SMTP, and more. Developers and system administrators prevalently use it to interact with APIs, download files, and create automated workflows among various internet-based tasks.

On the other hand, libcurl serves as the powerhouse behind Curl, a free, client-side URL transfer library that supports the same wide range of protocols. It allows developers to add robust data transfer functionality to their applications, ensuring their software can communicate with servers for tasks like sending HTTP requests, managing cookies, and handling authentication. This makes it a vital tool for developing interconnected and web-aware applications.

What Are Curl Vulnerabilities CVE-2023-38545 & CVE-2023-38546?

Curl 8.4.0 is scheduled for release on October 11. It addresses two vulnerabilities, CVE-2023-38545 and CVE-2023-38546, with the former being of high severity and affecting both libcurl and the curl tool~~,~~ while the latter is of low severity and impacts only libcurl. Specific details on the version range affected or further information about the vulnerabilities are not available pre-release to prevent aiding the identification of the problem areas. More comprehensive information, including details about the CVEs, will be published at 06:00 UTC on the release day. No, API or ABI changes are expected in the forthcoming release.

Vulnerable Versions

With specific version range details undisclosed to prevent pre-release problem identification, the vulnerabilities will be fixed in curl version 8.4.0. The forthcoming high-severity issue in libcurl demands cautious attention, though it might not affect all users. Updating the shared libcurl library is the anticipated universal fix across operating systems. Yet, according to the maintainer, a sizable number of rebuilds are expected, particularly in docker images and similar entities that incorporate their libcurl copies.

What Should Organizations Do?

Organizations should urgently inventory and scan all systems utilizing curl and libcurl, anticipating identifying potentially vulnerable versions once details are disclosed with the release of Curl 8.4.0 on October 11. Immediate update implementation upon release is essential to safeguard systems against these pressing vulnerabilities (CVE-2023-38545 and CVE-2023-38546).

How Can Qualys Help?

Using the Qualys Unified Dashboard, you can gain complete asset visibility for CVE-2023-38545 and CVE-2023-38546 vulnerabilities. Additionally, it provides asset counts for those with 'curl/curlib.' After identifying and prioritizing vulnerable assets among your remediation teams, Qualys Patch Management stands ready to help you swiftly mitigate these risks.

Explore the Curl & Libcurl Vulnerabilities | Global Insights dashboard, now available for download.

Qualys Curl & Libcurl Vulnerabilities | Global Insights Dashboard

Inventory Curl and libcurl Using Qualys CSAM

Qualys CSAM makes it easy to identify assets containing curl/libcurl.

The following QQL query will identify assets with curl/libcurl installed:

Query: software: (name: 'libcurl' or name: 'curl')

Figure 1: QQL Query Identifying Assets with Installed curl/libcurl.

Figure 2: Detailed View of Curl 7.29.0 from Identified Assets with curl/libcurl Installed.

The QQL below assists in identifying assets with potentially vulnerable versions of curl/libcurl installed.

Query: software:(name:’curl’ and version < 8.4.0 )

Figure 3: QQL Query for Identifying Assets with Potentially Vulnerable Versions of curl/libcurl Installed.

Tag potentially vulnerable assets with CSAM

In addition to identifying the assets, Qualys also recommends that customers tag the assets with curl/libcurl installed.

Figure 4: Procedure for Tagging Assets with Potentially Vulnerable Versions of curl/libcurl Using CSAM.

Discover Vulnerable Instances Using Qualys VMDR

Once the vulnerability is disclosed, on October 11, each vendor will release backported patches for these vulnerabilities. The Qualys Threat Research Unit (TRU) closely tracking the vulnerability and will release QIDs to detect those backported versions.

Detect Vulnerable Versions of libcurl Using Qualys

Custom Assessment and Remediation (CAR)

The curl command-line tool offers multiple installation methods, from package managers like yum and apt in Linux distributions to direct downloads from the curl website. These downloads, often scripted within Unix shell scripts, make it challenging to locate installation paths and versions of both curl executables and their associated libraries.

Qualys Custom Assessment and Remediation (CAR) allows you to create Custom QID leveraging script from CAR Script Library to detect vulnerable versions of libcurl on your host. You only need to copy the script from Library and follow simple steps to create the custom QID.

Check out the detection script from CAR Script Library and create your own QID for this vulnerability.

Detection on Linux platform

CVE-2023-38545 Detect vulnerable libcurl on Linux - File system scan

This script scans the file system for vulnerable version of libcurl 7.69.0 to and including 8.3.0, for CVE-2023-38545 SOCKS5 heap buffer overflow

You can see the detections under VMDR.

and verify the Vulnerability Result under Vulnerability Details as part of the detection summary

CVE-2023-38546 Detect vulnerable libcurl on Linux - File system scan

This script scans the file system for vulnerable version of libcurl 7.9.1 to and including 8.3.0, for CVE-2023-38546 cookie injection with none file. Create your Custom QID leveraging library script and execute it across your Linux environment.

You can see the detections under VMDR.

Detection on Windows platform

Similarly, create custom QIDs for mentioned vulnerabilities on Windows platform.

Patch Vulnerable Systems Using Qualys Patch Management (PM)

Once all curl vulnerabilities are found in the environment, customers can use Qualys Patch Management to patch vulnerable applications.

As libcurl is a library used by many OSes and applications, it is safe to assume that in the near future, many of those applications will issue a patch to fix this libcurl vulnerability. Qualys Patch Management can patch those applications on Windows, Linux and MacOS.

Qualys Patch Management also offers a way to execute PowerShell scripts on Windows and shell scripts on Linux machines. It can be leveraged to quickly create mitigation steps.

Qualys QID Coverage

Qualys has released QIDs, available starting from version VULNSIGS-2.5.888-2 of the vulnsigs.

QID Title Qualys Release Versions
503379 Alpine Linux Security Update for curl VULNSIGS-2.5.888-2
6000245 Debian Security Update for curl (DSA 5523-1) VULNSIGS-2.5.888-2
691322 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (d6c19e8c-6806-11ee-9464-b42e991fc52e) VULNSIGS-2.5.888-2
199825 Ubuntu Security Notification for curl Vulnerabilities (USN-6429-1) VULNSIGS-2.5.889-2
710772 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202310-12) VULNSIGS-2.5.888-3
907390 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (31288-1) VULNSIGS-2.5.894-2
941303 AlmaLinux Security Update for curl (ALSA-2023:5763) VULNSIGS-2.5.893-1
242183 Red Hat Update for curl (RHSA-2023:5763) VULNSIGS-2.5.893-1
356312 Amazon Linux Security Advisory for curl : ALAS2-2023-2287 VULNSIGS-2.5.891-1
356311 Amazon Linux Security Advisory for curl : ALAS2023-2023-377 VULNSIGS-2.5.891-1
284621 Fedora Security Update for curl (FEDORA-2023-b855de5c0f) VULNSIGS-2.5.891-1
242165 Red Hat Update for curl (RHSA-2023:5700) VULNSIGS-2.5.891-1
755071 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:4043-1) VULNSIGS-2.5.889-2
755070 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:4044-1) VULNSIGS-2.5.889-2
160994 Oracle Enterprise Linux Security Update for curl (ELSA-2023-5763)
VULNSIGS-2.5.894-2

Conclusion

In light of the imminent release of curl 8.4.0 and the critical security flaws it aims to address, organizations must act swiftly to inventory, scan, and update all systems utilizing curl and libcurl. In particular, the gravity of the high-severity vulnerability mandates immediate and cautious attention to safeguarding interconnected and web-aware applications, ensuring the rich data transfer functionality curl and libcurl provide remain unimpaired and secure. The detailed insights into these vulnerabilities and the corrective measures will become pivotal following the clear disclosure slated for 06:00 UTC, October 11, 2023.