Maintainers warn of vulnerability affecting foundational open-source tool
The maintainers of a popular open source tool that serves as a foundational support for many network protocols like SSL, TLS, HTTP, FTP and SMTP are warning of two vulnerabilities that will be announced this coming week.
The issues center on curl, an open-source command-line tool that researchers said is used widely by developers and system administrators “to interact with APIs, download files, and create automated workflows among various internet-based tasks.”
In a GitHub advisory on Wednesday, maintainers of the tool warned that they will be releasing fixes for one high-severity vulnerability – CVE-2023-38545 – and a low-severity issue tagged as CVE-2023-38546.
A curl update will be released on October 11 to address both issues. CVE-2023-38545 affects both curl and libcurl, the library behind the tool, but CVE-2023-38546 only affects libcurl.
“The one rated HIGH is probably the worst curl security flaw in a long time,” a maintainer said on GitHub.
“I cannot disclose any information about which version range that is affected, as that would help identify the problem (area) with a very high accuracy so I cannot do that ahead of time. The ‘last several years’ of versions is as specific as I can get. We have notified the distros mailing list allowing the member distributions to prepare patches. (No one else gets details about these problems before October 11 without a support contract and a good reason.) Now you know. Plan accordingly.”
Melissa Bischoping, director of endpoint security research at Tanium, said curl is widely used both as a standalone utility and as a component bundled into other software.
The widespread use of the utility, she said, means that organizations should take advantage of the advance heads-up to begin scoping their environment.
Bischoping explained that while it is possible that this vulnerability could manifest in such a way that it won’t affect every implementation of curl, given the advance notice from the lead developer himself and the widespread impact it could have, it would be “prudent to plan for a significant event even if the actual impact ends up being less severe.”
“As an industry, it’s important to avoid caving to fear, uncertainty, and doubt, while balancing that with preparedness and patch management planning to accommodate those ‘worst case scenarios.’ I appreciate the curl developers doing what they can to offer a heads-up and attempting to control the alarmist reactions while we all prepare for the patch on October 11,” she said.
Qualys’ Saeed Abbasi published a blog post explaining that libcurl allows developers to “add robust data transfer functionality to their applications, ensuring their software can communicate with servers for tasks like sending HTTP requests, managing cookies, and handling authentication.”
“This makes it a vital tool for developing interconnected and web-aware applications,” he said.
The vulnerability caps a whirlwind month for open source security. The White House hosted a forum with open source security experts before unveiling a roadmap for how cybersecurity efforts in the field would be addressed going forward.
But since that meeting, multiple open source vulnerabilities have caused alarm. The Cybersecurity and Infrastructure Security Agency and cybersecurity researchers have warned that vulnerabilities affecting two popular open source tools – libwebp and libvpx – are currently being exploited by hackers. Google said it has evidence of exploitation by unnamed commercial spyware vendors.
On Tuesday, Amazon Web Services warned users of a vulnerability affecting TorchServe — a tool used by some of the world’s biggest companies in building artificial intelligence models into their businesses.
Multiple people said the recent incident underscores the government-backed push for software bills of materials (SBOMs), which will help organizations better understand what tools the software they use relies on.
Bischoping said the announcement about the issues affecting curl and libcurl is “yet another example of the importance of software bill-of-materials reporting to enable organizations to find anything that uses a component such as curl.”
“We’ve seen no shortage of similar vulnerabilities in utilities such as this one over the last few years, and the problem will continue to be challenging to solve until we as an industry do better at standardizing and including bill-of-materials documentation as a default,” Bischoping added.
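The kind of SBOM lookup Bischoping describes, as an added example that is not from the article or the curl project: it loads a CycloneDX 1.5 document, lists every component named curl or libcurl, and walks the dependency graph from the root product to show how each one is pulled in. The SBOM content (product name, bom-refs, versions) is constructed for illustration and says nothing about which curl versions the advisory covers.

```python
import json
from collections import deque

# Constructed CycloneDX 1.5 SBOM. Names, versions and bom-refs are invented
# sample data, not taken from the curl advisory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app:inventory-service",
                               "name": "inventory-service", "version": "2.4.1"}},
    "components": [
        {"bom-ref": "pkg:generic/libcurl@8.2.1", "type": "library",
         "name": "libcurl", "version": "8.2.1"},
        {"bom-ref": "pkg:generic/curl@8.2.1", "type": "application",
         "name": "curl", "version": "8.2.1"},
        {"bom-ref": "pkg:pypi/pycurl@7.45.2", "type": "library",
         "name": "pycurl", "version": "7.45.2"},
        {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library",
         "name": "requests", "version": "2.31.0"},
    ],
    "dependencies": [
        {"ref": "app:inventory-service",
         "dependsOn": ["pkg:pypi/pycurl@7.45.2", "pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/pycurl@7.45.2", "dependsOn": ["pkg:generic/libcurl@8.2.1"]},
    ],
})

TARGETS = frozenset({"curl", "libcurl"})

def locate_targets(sbom_text, targets=TARGETS):
    """Map each curl/libcurl bom-ref to its name, version and the dependency
    path from the root product. path is None when the component is listed
    in the SBOM but not wired into the dependency graph (still worth review)."""
    bom = json.loads(sbom_text)
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    # Breadth-first walk from the root, remembering the first path to each ref.
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in deps.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return {ref: {"name": c["name"], "version": c.get("version", "unknown"),
                  "path": paths.get(ref)}
            for ref, c in comps.items() if c.get("name") in targets}

if __name__ == "__main__":
    for ref, info in locate_targets(SAMPLE_SBOM).items():
        print(ref, info["version"], " -> ".join(info["path"] or ["(unreferenced)"]))
```

Running this over the constructed SBOM reports libcurl reached through pycurl, and a standalone curl entry that no dependency edge points at; both should be checked against the version range once the October 11 advisory publishes it.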
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.