Introduction to CVE-2023-38545
Is your organization prepared for the “most dangerous” curl vulnerability in years? The maintainers of curl, one of the most widely used software libraries for transferring data over the internet, have issued a warning about a high-severity vulnerability, known as CVE-2023-38545. With a release date set for the security patch, let’s dive into what we know so far and why you should pay attention.
What’s the Issue?
- A high-severity vulnerability, CVE-2023-38545, has been found in curl, a widely used data transfer tool and library.
Why It Matters
- Daniel Stenberg, the core maintainer of curl, describes this as the “worst security problem” in years.
- Curl is used in countless systems, from servers to medical devices, amplifying the risk.
What’s Being Done?
- A security patch is set to release on October 11, along with curl version 8.4.0.
- The release has been expedited due to the severity of the vulnerability.
How to Prepare
- Organizations are urged to use a Software Bill of Materials (SBOM) to identify affected assets quickly.
- Risk assessment programs help to identify vulnerable instances.
- Current scanners can’t detect this vulnerability because no metadata has been published yet.
- Immediate action will be needed upon the release of the security patch.
What is Curl?
Curl is a command-line tool and library for sending and receiving data via various network protocols. First introduced in 1996, curl has undergone multiple name changes but has remained a cornerstone for internet communication. The library version, known as libcurl, is even more prevalent, with over ten billion installations worldwide.
The Severity of CVE-2023-38545
Daniel Stenberg, the core maintainer of curl, has described CVE-2023-38545 as the “worst security problem found in curl in a long time.”[1] While specific details are withheld to prevent exploitation, the vulnerability affects both the curl tool and the libcurl library. This marks the 40th ‘high’ severity vulnerability fixed in the software since its inception.
Why the Urgency?
The vulnerability is so severe[2] that the release cycle has been expedited. The security patch will be released on October 11, along with version 8.4.0 of the package. This urgency is similar to a situation last year involving the OpenSSL library, raising eyebrows across the cybersecurity community.
Given curl’s ubiquity—in operating systems, servers, medical devices, and even cars—the potential scope of this vulnerability is vast. From Dockerfiles to modern operating systems, libcurl is everywhere. Its widespread use as a dependency in numerous packages amplifies the risk.
Current vulnerability scanners can’t detect this issue because no metadata has been published yet. This underscores the importance of having a queryable Software Bill of Materials (SBOM). Utilizing an SBOM[3] lets organizations identify affected assets quickly, enabling immediate action as soon as the security patch is released.
Ask your cybersecurity provider to start a risk assessment program that helps your organization identify instances of CVE-2023-38545. Such a program can provide insight into your software environment, revealing where vulnerable libcurl versions are in use.
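The SBOM query described above, as an added example that is not part of the original post or of any vendor's tooling: it parses a CycloneDX-style JSON SBOM (a constructed sample is embedded, not real inventory data) and lists every curl or libcurl component whose version predates the fixed release. It assumes the SBOM carries `name`, `version` and optionally `purl` per component, treats every version below 8.4.0 as needing the patch (a conservative reading of the post, which only states that 8.4.0 ships the fix), and flags components with an unparseable version separately rather than silently skipping them. The package-name variants in `CURL_NAMES` are assumptions about how distributions label the library.

```python
"""Query a CycloneDX-style SBOM for curl/libcurl components that predate curl 8.4.0.

Added example, not from the original post. Assumptions: CycloneDX JSON with a
top-level "components" list; each component has "name", "version" and optionally
"purl"; 8.4.0 is the fixed release (per the post), so anything below is flagged.
"""
import json
import re
from typing import Optional

FIXED_VERSION = (8, 4, 0)  # curl 8.4.0 ships the fix, as stated in the post
# Assumed package-name variants used by various distributions (not from the post).
CURL_NAMES = {"curl", "libcurl", "libcurl3", "libcurl4", "curl-minimal"}

# Constructed sample SBOM for demonstration; not real inventory data.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libcurl4", "version": "7.88.1-10",
         "purl": "pkg:deb/debian/libcurl4@7.88.1-10"},
        {"type": "application", "name": "curl", "version": "8.4.0",
         "purl": "pkg:deb/debian/curl@8.4.0"},
        {"type": "library", "name": "libcurl", "version": "8.3.0"},
        {"type": "library", "name": "openssl", "version": "3.0.11"},
        {"type": "library", "name": "libcurl", "version": "unknown"},
    ],
})


def parse_version(version: Optional[str]) -> Optional[tuple]:
    """Return (major, minor, patch) from the leading numeric part of a version
    string, ignoring distro suffixes such as '-10' or '-1ubuntu1'. None if absent."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_curl_component(component: dict) -> bool:
    """Match on the component name or on the package name inside its purl."""
    name = (component.get("name") or "").lower()
    purl = (component.get("purl") or "").lower()
    return name in CURL_NAMES or "/curl@" in purl or "/libcurl" in purl


def find_exposed_curl(sbom_json: str, fixed: tuple = FIXED_VERSION) -> list:
    """Return one finding per curl/libcurl component with a status of
    'needs-patch', 'fixed' or 'unknown-version'."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        if not is_curl_component(comp):
            continue
        parsed = parse_version(comp.get("version"))
        if parsed is None:
            status = "unknown-version"  # cannot prove it is fixed; needs a manual check
        elif parsed < fixed:
            status = "needs-patch"
        else:
            status = "fixed"
        findings.append({"name": comp.get("name"),
                         "version": comp.get("version"),
                         "status": status})
    return findings


def needs_action(findings: list) -> list:
    """Everything that is not demonstrably on the fixed release."""
    return [f for f in findings if f["status"] != "fixed"]


if __name__ == "__main__":
    for f in find_exposed_curl(SAMPLE_SBOM):
        print(f"{f['name']:<12} {f['version']:<12} {f['status']}")
```

Components with an unparseable version are reported as `unknown-version` rather than dropped: in a real inventory those are exactly the entries that a scanner relying on published metadata would miss, so they belong on the list for manual follow-up.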
Preparing for the Patch
The security update is expected on October 11, so organizations should prepare their systems now for immediate action. Keep an eye on releases of scanner plugins that will identify affected systems, and apply the patch as soon as it is available.
What is the Difference Between curl and libcurl?
libcurl is the development library that lets other programs use curl’s transfer functionality. In contrast, curl is the command-line tool (the frontend, built on libcurl) used in scripts or at a shell prompt.
When Will Patches be Available?
Patches will be released on October 11, alongside curl version 8.4.0.[4]
Have These CVEs Been Exploited?
As of now, there is no information regarding the exploitation of these vulnerabilities in the wild.
Don’t Just Wait
CVE-2023-38545 is shaping up to be a significant security concern. With its widespread use and high severity, organizations should take immediate steps to identify affected assets and prepare for the upcoming patch. Stay vigilant and keep your systems updated to mitigate the risks associated with this vulnerability.
[1] https://www.linkedin.com/posts/danielstenberg_curl-activity-7114871742585577472-4OuW/
[2] https://snyk.io/blog/curl-high-severity-vulnerability-oct-2023/
[3] https://www.rezilion.com/blog/cve-2023-38545-a-high-severity-curl-and-libcurl-cve-to-be-published-on-october-11th/
[4] https://github.com/curl/curl/discussions/12026