Launch your patch engines – Curl will be updated tomorrow to fix two weaknesses, one of which lead developer Daniel Stenberg described as “probably the worst curl security flaw in a long time.”
Curl 8.4.0 will be released on October 11 at roughly 0600 UTC (0800 CEST, 0700 BST, 0200 EST, 2300 PDT) to address CVE-2023-38545, which affects both libcurl and the curl tool, and CVE-2023-38546, which only affects libcurl.
Because there are no API or ABI changes in the release, the update should go smoothly.
CVE-2023-38545 is classified as a critical vulnerability. Stenberg gave no details about either flaw beyond noting that the normal release cycle had been shortened to get the fixes out as soon as possible.
“I cannot disclose any information about which version range is affected because it would help identify the problem (area) with a very high accuracy, so I cannot do that ahead of time,” Stenberg added.
“The ‘last several years’ of versions is as specific as I can get.”
Curl, a command-line file transfer utility, is one of the tools that make up the internet's backbone. According to the project team, it is used to transfer data from the command line and in scripts, and it can be found in a wide range of connected devices, from printers to cars.
It claims to be “the internet transfer engine for thousands of software applications in over twenty billion installations,” and further states that “curl is used daily by virtually every internet-using human on the globe.”
According to Stenberg, curl first appeared in 1998, although its predecessors, urlget and httpget, date back to 1996. Stenberg came up with the name cURL because “the word contains URL and already then the tool worked primarily with URLs, and I thought that it was fun to partly make it a real English word ‘curl’ but also that you could pronounce it ‘see URL’ as the tool would display the contents of a URL.”
A backronym was then coined: “Curl URL Request Library.”
A last-minute fix is probably not the nicest 25th-anniversary present for the curl team, but here we are.
Sonatype security researcher Ax Sharma weighed in on the vulnerability, saying, “This isn’t Log4j reloaded as some are painting it.”
“Most curl usage is as a command-line utility, distributed as an operating system package and used as a system-level service provider or utility, which means that normal OS updates should take care of this,” he continued. “It’s not like Log4j, which is embedded as a dependency many layers deep and has no direct update capability.”
However, Sharma emphasized that this is still a nasty vulnerability – the HIGH severity classification is a handy clue – and warned: “The most likely attack surface people should watch for when it comes to vulnerabilities is docker base images that aren’t receiving updates and which happen to have an application that leverages the vulnerable libcurl.”
He went on to say: “Overall, the best thing to do here is to not panic, but to install the patched packages ASAP, and don’t forget that containers can also contain operating systems – so keep them in mind.”
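Sharma's advice above, to look for container images carrying an old libcurl, as an added example (not code from the article, the curl project or Sonatype): a POSIX shell helper that pulls the libcurl version out of a `curl --version` banner and flags anything older than 8.4.0, the release the article names. Since the affected range has not been disclosed, it conservatively treats every older version as needing attention; the `docker` invocation and the sample banner are assumptions.

```shell
#!/bin/sh
# Added example: flag container images whose libcurl predates curl 8.4.0.
# The docker CLI is only needed for the live scan; the banner below is constructed.

FIXED_VERSION="8.4.0"   # release the article says carries both fixes

# Extract the libcurl version from a `curl --version` banner, e.g.
# "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.2" -> "8.2.1".
# libcurl is read separately because CVE-2023-38546 affects the library only.
libcurl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Nth dotted field of a version string; empty if the field is absent.
version_field() { printf '%s' "$1" | cut -d. -f"$2"; }

# Numeric comparison of major.minor.patch; prints "lt", "eq" or "gt".
version_compare() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(version_field "$1" "$i"); y=$(version_field "$2" "$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo lt; return; fi
        if [ "$x" -gt "$y" ]; then echo gt; return; fi
        i=$((i + 1))
    done
    echo eq
}

# "yes" when the given libcurl version is older than the fixed release.
needs_curl_patch() {
    case "$(version_compare "$1" "$FIXED_VERSION")" in
        lt) echo yes ;;
        *)  echo no ;;
    esac
}

# Run curl inside each image and report; usage: ./check.sh image:tag ...
scan_images() {
    for img in "$@"; do
        banner=$(docker run --rm --entrypoint curl "$img" --version 2>/dev/null | head -n 1) || banner=""
        ver=$(libcurl_version_from_banner "$banner")
        if [ -z "$ver" ]; then
            printf '%s: no runnable curl/libcurl found\n' "$img"
        else
            printf '%s: libcurl %s, needs patch: %s\n' "$img" "$ver" "$(needs_curl_patch "$ver")"
        fi
    done
}

# Constructed sample banner so the parsing can be exercised offline.
SAMPLE_BANNER="curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.2 zlib/1.2.13"

[ "$#" -gt 0 ] && scan_images "$@"
```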