CURL vulnerability information (CVE-2023-38545)
Latest update date of this article: 2023-10-12
General information
This article contains information related to curl vulnerability CVE-2023-38545.
curl and libcurl versions starting with 7.69.0 and before 8.4.0 are affected by a heap-based buffer overflow in the SOCKS5 proxy handshake, which can allow an attacker to execute code on systems that use a specific SOCKS5 configuration (proxy-side hostname resolution via socks5h://).
Details: https://curl.se/docs/CVE-2023-38545.html
Nexus SaaS customers
If you are a Nexus SaaS (Software as a Service) customer, the mitigation and patching is performed by the SaaS delivery team. Our SaaS services are monitored 24/7/365 by our on-call rotation, and we have also updated our monitoring and routines to deal with this specific CVE.
Nexus components
This list contains the components from Nexus, and their respective affected versions.
Component | Affected versions | Comment |
---|---|---|
Smart ID Certificate Manager | - | (lib)curl not included in the product |
Nexus OCSP Responder | - | (lib)curl not included in the product |
Nexus Timestamp Server | - | (lib)curl not included in the product |
Smart ID Desktop / Mobile App | - | (lib)curl not included in the product |
Personal Desktop Client | Included in versions <= 5.9 | Used in Personal Desktop Client. Either disable SOCKS5 on the clients or uninstall Personal Desktop Client until a patched version is available. Customers who are using SOCKS5 proxies might be at risk. |
Nexus Card SDK | Included in versions < 5.9 | Only used for internal CardSDK JPKIEncoder communication (localhost, not over the network) |
Smart ID Physical Access | - | (lib)curl not included in the product |
Smart ID Digital Access (previously named Hybrid Access Gateway – HAG) | Included in the Docker image only (via the Ubuntu 22.04 base image); not exploitable unless an affected application within the container is run explicitly | (lib)curl not used by the web applications |
Smart ID Identity Manager / PRIME | Included in versions 22.04.0 and 22.04.1 for Docker only (7.81.0 via the Ubuntu 22.04 base image) | |
Smart ID Self-Service | | |
Smart ID Messaging component - Hermod | Included in versions < 3.6.3 | (lib)curl will not be included in the newest product release after 3.6.2 |
Mitigation Options
- Upgrade to a patched version.
- Ensure SOCKS5 hostname proxying is disabled on systems/containers that include a vulnerable version of curl and/or libcurl:
  - do not set any proxy environment variable (such as http_proxy, HTTPS_PROXY or ALL_PROXY) to use the scheme socks5h://
  - do not use --socks5-hostname on the curl command-line utility
  - do not use --proxy or --preproxy set to use the scheme socks5h:// on the curl command-line utility
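The following audit script is an added example, not part of the Nexus advisory or of curl itself. It checks the two preconditions the mitigation list describes on a single host: a curl version in the affected range and a proxy environment variable that selects the socks5h:// scheme. It assumes that `curl --version` prints "curl X.Y.Z ..." on its first line; libcurl-based applications that configure their proxy elsewhere must be checked separately.

```shell
#!/bin/sh
# Added audit helper, not from the Nexus advisory: flags a host that combines an
# affected curl/libcurl version with a SOCKS5 proxy that resolves hostnames
# proxy-side (socks5h://), which is the precondition for CVE-2023-38545.
# Assumes `curl --version` prints "curl X.Y.Z ..." on its first line.

# True (exit 0) when VERSION lies in the affected range 7.69.0 <= v < 8.4.0.
curl_version_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -n "$patch" ] || patch=0
    num=$((major * 1000000 + minor * 1000 + patch))
    [ "$num" -ge 7069000 ] && [ "$num" -lt 8004000 ]
}

# True when a single proxy value selects the socks5h:// scheme. A plain
# socks5:// proxy resolves names locally and does not reach the flawed path.
proxy_uses_socks5h() {
    printf '%s' "$1" | grep -qi '^socks5h://'
}

# Walks the proxy variables the advisory names (both spellings) and prints the
# first one that points at a socks5h:// proxy; exits 1 when none does.
env_uses_socks5h() {
    for name in http_proxy HTTP_PROXY https_proxy HTTPS_PROXY all_proxy ALL_PROXY; do
        eval "val=\${$name:-}"
        if [ -n "$val" ] && proxy_uses_socks5h "$val"; then
            echo "$name=$val"
            return 0
        fi
    done
    return 1
}

# Verdict for the local host; always exits 0 so it can run under `set -e`.
check_host() {
    ver=$(curl --version 2>/dev/null | awk 'NR==1 {print $2}')
    if [ -z "$ver" ]; then
        echo "curl not found on PATH; check libcurl-based applications separately"
    elif ! curl_version_affected "$ver"; then
        echo "curl $ver is outside the affected range (7.69.0 up to 8.3.x)"
    elif hit=$(env_uses_socks5h); then
        echo "VULNERABLE CONFIGURATION: curl $ver with $hit"
    else
        echo "curl $ver is affected but no socks5h:// proxy variable is set; upgrade"
    fi
}

check_host
```

Command-line uses of --socks5-hostname, --proxy or --preproxy in scripts and cron jobs are not covered by the environment check and still need a manual review.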
Attack Flow
1. A vulnerable curl utility or another libcurl-based application is configured to use a SOCKS5 proxy with proxy-side hostname resolution (socks5h).
2. The application sends an HTTP request through libcurl to a malicious HTTP server.
3. The malicious server responds with a 30x HTTP redirect whose Location header contains a specially crafted, oversized hostname (longer than 255 bytes).
4. Depending on the speed of the SOCKS5 handshake, a vulnerable code path is taken in which libcurl copies the hostname into a buffer of insufficient size.
5. The result is a heap overflow that can lead to remote code execution and/or denial of service.
Further Information
Blog post with technical background information: https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
Disclaimer
Nexus has made an effort to make this information accurate and reliable. However, the information, including the recommendations provided by Nexus, is provided "as is" without warranty of any kind. Nexus disclaims all warranties, either expressed or implied, and Nexus shall in no event be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, which may arise as a result of your use, or inability to use, this information.