On October 11, 2023, the maintainers of Curl package released 8.4.0 which addressed two security issues. Trellix products and services make use of this Opensource software to perform remote calls to servers and services hosted on the internet. Some products have a vulnerable version of the package, and do not support SOCK proxies, making them less likely to be exploited.
Impact
-
CVE-2023-38545 - (Severity: High) A heap-based buffer overflow flaw was found in the SOCKS5 proxy handshake in the Curl package. If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. If the hostname is longer, then Curl switches to the local name resolving and passes the resolved address only to the proxy. The local variable that instructs Curl to "let the host resolve the name" could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior.
- CVE-2023-38546 (Severity: Low) A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if the specific series of conditions are met.
Recommendation
Verify that you have applied the latest updates. Impacted users should install the relevant updates or hotfixes. For full instructions and information, see Knowledge Base article SB10409, Security Bulletin – Trellix products’ status for two libcurl vulnerabilities (CVE-2023-38545, CVE-2023-38546).
For more information on Trellix coverage, see KB96814 - Trellix Coverage for CVE-2023-38545 and CVE-2023-38546– Libcurl Library Vulnerabilities.