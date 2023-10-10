The developers behind the Curl library are set to release a patch for two as-yet-undisclosed vulnerabilities that present a serious risk to the thousands of software applications that use the library every day.

Curl 8.4.0 is scheduled for release at 06:00 UTC on October 11, less than a month after Curl 8.3.0, an accelerated cycle intended to get the fixes out before attackers can exploit the flaws.

The vulnerabilities are tracked as CVE-2023-38545 and CVE-2023-38546, with severity ratings of ‘high’ and ‘low’ respectively.

Curl creator Daniel Stenberg stated that CVE-2023-38545 is “probably the worst curl security flaw in a long time”.

Stenberg added that he could not give the exact range of affected versions, as doing so would reveal too much about how the vulnerability is triggered. He did, however, indicate that the flaw affects every version of Curl released in the past few years.

What the Curl vulnerability could mean for developers

Curl (short for ‘Client for URL’ and often stylized as ‘cURL’) is an open source project consisting of libcurl, a library that applications use to transfer data over protocols such as HTTP and HTTPS on Windows, Linux, and macOS, and the curl command-line tool built on top of it, which makes the same transfers available from the shell.

On its official website, the Curl project says the library is “used daily by virtually every internet-using human on the globe”, running as an internet transfer engine in more than twenty billion installations worldwide.

The library is also included on devices such as routers, printers, and smartphones.

Trusted Linux distribution contacts such as Arch Linux, Red Hat, Oracle, and Slackware have been given advance details of the vulnerability so that patched packages can be ready when the full details are published.

“The range of possible vulnerabilities can include buffer overflows, for example, which can lead to anything from application crashes to remote code execution (RCE), allowing attackers to run arbitrary code on affected systems,” said Henrik Plate, security researcher at application security startup Endor Labs.

“Another possibility includes erroneous SSL/TLS certificate validation, which could allow attackers to spoof legitimate servers or run man-in-the-middle attacks.

“A curl vulnerability could affect applications that make programmatic use of libcurl, as well as any system that installs curl, e.g., through the yum or apt package managers or simply by downloading the binary from curl’s webpage.

“This also includes, for example, Docker containers. Moreover, it is very likely that a successful attack exploiting the vulnerabilities would require the attacker to provide a URL to the vulnerable instance of curl/libcurl.”
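Before the patch lands, the practical first step is knowing where curl and libcurl actually live on a host: the binary on PATH, the shared library other programs link against, and the distribution package. The script below is an added example, not code from the article or from the curl project. It inventories those locations with a POSIX shell and flags anything older than 8.4.0, the release the article says carries the fix; that threshold is the only fact taken from the article. The probes it uses (curl --version, curl-config, ldconfig, dpkg-query, rpm) are ordinary tools that may be missing on a given system, so each is optional, and the sample `curl --version` line used in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from the curl project.
# Inventories curl and libcurl on a host and flags versions older than
# 8.4.0, the release the article says carries the fix. Every probe is
# optional: the script degrades to "not found" where a tool is absent.

FIXED_VERSION="8.4.0"

# version_lt A B: true (exit 0) if dotted version A is numerically older
# than B, compared component by component. A trailing suffix such as
# "-DEV" is ignored and a missing component counts as 0, so 8.4 == 8.4.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai%%[!0-9]*}"; ai="${ai:-0}"
        bi="${bi%%[!0-9]*}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# The first line of `curl --version` looks like (constructed sample):
#   curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 ...
# parse_curl_version returns the tool version, parse_libcurl_version the
# libcurl it is linked against; the two can differ on a mixed system.
parse_curl_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}
parse_libcurl_version() {
    printf '%s\n' "$1" | sed -n '1s|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# needs_upgrade VERSION: true if VERSION predates the fixed release.
needs_upgrade() { version_lt "$1" "$FIXED_VERSION"; }

# verdict VERSION: status text for one inventory line.
verdict() {
    if [ -z "$1" ]; then printf 'not found'
    elif needs_upgrade "$1"; then printf 'NEEDS UPGRADE (< %s)' "$FIXED_VERSION"
    else printf 'ok'
    fi
}

report() { printf '%-26s %-12s %s\n' "$1" "${2:--}" "$(verdict "$2")"; }

inventory() {
    # 1. The curl binary on PATH and the libcurl it reports.
    if command -v curl >/dev/null 2>&1; then
        out="$(curl --version 2>/dev/null)"
        report "curl (PATH)" "$(parse_curl_version "$out")"
        report "libcurl (curl --version)" "$(parse_libcurl_version "$out")"
    else
        report "curl (PATH)" ""
    fi
    # 2. Build-time view of libcurl, if curl-config is installed.
    if command -v curl-config >/dev/null 2>&1; then
        report "libcurl (curl-config)" "$(curl-config --version 2>/dev/null | awk '{ print $2 }')"
    fi
    # 3. libcurl shared objects known to the dynamic loader: these are what
    #    other applications on the host link against.
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | awk '/libcurl/ { print $NF }' | sort -u |
        while read -r so; do printf '%-26s %s\n' "libcurl shared object" "$so"; done
    fi
    # 4. Package-manager view (Debian/Ubuntu or RPM-based). Epoch and distro
    #    revision are stripped so only the upstream version is compared.
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' 'curl' 'libcurl*' 2>/dev/null |
        while read -r pkg ver; do
            report "pkg $pkg" "$(printf '%s' "$ver" | sed 's/^[0-9]*://; s/[-+~].*//')"
        done
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}\n' 'curl*' 'libcurl*' 2>/dev/null |
        while read -r pkg ver; do report "pkg $pkg" "$ver"; done
    fi
}

inventory
```

Two caveats when reading the report. Distributions usually backport fixes without bumping the upstream version, so a package flagged as below 8.4.0 may already be patched; check the vendor advisory or changelog before acting on that line. And the script only sees what the host's loader and package manager know about: an application that bundles or statically links its own libcurl, or a container image, carries a separate copy, so run the same check inside each image (for example `docker run -i --rm <image> sh -s < check.sh`, where `check.sh` is whatever name the script is saved under).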

Groundhog day for open source risk

Due to their widespread use, open source libraries such as Curl can present a serious risk if they are found to contain high- or critical-severity vulnerabilities.

After the severe consequences of vulnerabilities such as Heartbleed and Log4Shell, many firms chose to scale back their reliance on open source software.

Further vulnerabilities such as the OpenSSL flaw pre-announced as ‘critical’ in October 2022, only the second such rating in the project’s history (it was downgraded to ‘high’ on disclosure), set the hearts of security teams racing and underlined the threat posed by flaws in open source software.

The open source community has faced existential uncertainty in 2023, and governments have made moves to shore up the open source supply chain, such as with the EU’s Cyber Resilience Act (CRA).

The CRA has been met with harsh criticism from the open source community, with some having billed it a ‘death knell’ for open source software the world over.

Leaders in the space have called for permanent government funding to support upkeep of vital libraries whose survival and resilience are currently entirely reliant on volunteer developers.

Some have questioned the extent to which this would be a viable long-term solution, while purists within the community have also argued that this could harm the impartiality and independence of open source projects.