PRIOn Logo

CVE-2023-38545 Heap overflow

Urgent
Remediate Within one Week

CVE Information

Original CVE data

Published:
Updated:

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

CWE: CWE-787
CVSS v2-
CVSS v39.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
https://curl.se/docs/CVE-2023-38545.html
https://security.netapp.com/advisory/ntap-20231027-0009/
https://lists.fedoraproject.org/archives/list/[email protected]/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/
https://www.secpod.com/blog/high-severity-heap-buffer-overflow-vulnerability/
https://support.apple.com/kb/HT214063
https://support.apple.com/kb/HT214057
https://support.apple.com/kb/HT214058
https://support.apple.com/kb/HT214036
http://seclists.org/fulldisclosure/2024/Jan/34
http://seclists.org/fulldisclosure/2024/Jan/37
http://seclists.org/fulldisclosure/2024/Jan/38
https://security.netapp.com/advisory/ntap-20240201-0005/
https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868
Affected Vendors

Fedoraproject - (1)

Haxx - (1)

Microsoft - (8)

Netapp - (3)

Basic Analysis

Common vulnerability metrics

Vulnerabilty type as detected by PRIOnengine

Heap overflow

CVSS Scores as calculated by PRIOnengine
CVSS v27.5
AV:N/AC:L/AU:N/C:P/I:P/A:P
CVSS v38.4
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MITRE CWE Top 25

Vulnerability weakness type is in the top 25 CWEs according to MITRE. View Mitre Top 25 CWEs

Exploits

Exploits are available either through exploit packs, Github repos or the world wide web in general.

Active Exploitation

Vulnerability is not in CISA's Known Exploited Vulnerabilities (KEV) catalog. See the KEV Catalog

Social Network Activity

-

Threat Actor Activity

No sightings of the vulnerability within threat reports.

Cybersecurity Frameworks

How the vulnerability maps against various cybersecurity frameworks

-

Compliance Impact

How the submited vulnerability affects compliance

PCI DSS v3.2.1-6.5.2 - Buffer Overflows

Web Application Security Frameworks

Applicable if the issue likely affects a web application

WASC-19 - SQL Injection