Here's what you need to know about the upcoming curl security patches


The developers behind the Curl library are set to release a patch for two as-yet-undisclosed vulnerabilities that present a serious risk to the thousands of software applications that use the library every day.

Curl 8.4.0 will drop at 6:00 UTC on October 11, less than a month after the release of Curl 8.3.0, in a scramble to address the flaws before attackers can exploit them. 

The vulnerabilities are tracked as CVE-2023-38545 and CVE-2023-38546, with severity ratings of ‘high’ and ‘low’ respectively. 

Curl creator Daniel Stenberg stated that CVE-2023-38545 is “probably the worst curl security flaw in a long time”.

Stenberg added that he could not give the affected version range, as doing so would reveal too much about how the flaw is triggered. He did, however, indicate that it applies to every version of Curl released over the past few years, so anyone running an older build should assume they are in scope until the advisory says otherwise.

What the Curl vulnerability could mean for developers

Curl (a play on ‘Client for URLs’ and often stylized as ‘cURL’) is an open source project with two parts: the command-line tool curl, used to transfer data from a shell or script, and the library libcurl, which applications embed to move data over protocols such as HTTP and HTTPS. Both run on Windows, Linux, macOS, and many other platforms. The distinction matters here because an application that links libcurl is exposed whether or not the curl binary is installed alongside it.

On their official website, the team behind Curl claim that the library is “used daily by virtually every internet-using human on the globe”, and is present as an internet transfer engine across twenty billion instances globally. 

The library is also included on devices such as routers, printers, and smartphones.

Trusted security contacts at Linux distributions such as Arch Linux, Red Hat, Oracle, and Slackware have been given advance details of the vulnerability so that packages can be readied before the full advisory is published.


“The range of possible vulnerabilities can include buffer overflows, for example, which can lead to anything from application crashes to remote code execution (RCE), allowing attackers to run arbitrary code on affected systems,” said Henrik Plate, security researcher at application security startup Endor Labs.

“Another possibility includes erroneous SSL/TLS certificate validation, which could allow attackers to spoof legitimate servers or run man-in-the-middle attacks.

“A curl vulnerability could affect applications that make programmatic use of libcurl, as well as any system that instals curl, e.g., through the yum or apt package managers or simply by downloading the binary from curl’s webpage. 

“This also includes, for example, Docker containers. Moreover, it is very likely that a successful attack exploiting the vulnerabilities would require the attacker to provide a URL to the vulnerable instance of curl/libcurl.”
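Plate's list of places a vulnerable copy can sit (applications linking libcurl, the distro package, a downloaded binary, container images) is also the inventory a team needs before the patch lands. The script below is an added example written for this page, not code from the curl project, Endor Labs, or ITPro. It assumes a Linux host with a POSIX shell, awk and sed, and uses ldconfig, dpkg-query or rpm, and docker only if they are present. The one number taken from the article is the fixed release, 8.4.0; because the affected range is not public at the time of writing, every older libcurl is reported as "check" rather than "vulnerable".

```shell
#!/bin/sh
# Added example (not from the curl project or the article's sources): inventory curl and
# libcurl on a Linux host and flag anything older than the release that carries the fix.
# Assumptions: POSIX sh, awk, sed; ldconfig, dpkg-query/rpm and docker are optional.
# The fixed release 8.4.0 comes from the article; the affected range is not yet public.

FIXED_VERSION="8.4.0"

# version_ge A B: succeed (exit 0) when dotted version A is >= B, comparing numerically
# field by field, so "8.10.0" sorts above "8.9.0" and "7.68.0" below "8.4.0".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# libcurl_version_of LINE: pull the libcurl version out of the first line of `curl --version`.
# The tool version and the linked libcurl version can differ; the library is what an
# application actually executes, so that is the number to compare.
libcurl_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# assess_version V: print "fixed" for 8.4.0 or later, "check" for anything older,
# "unknown" when no version could be parsed.
assess_version() {
    if [ -z "$1" ]; then
        echo unknown
    elif version_ge "$1" "$FIXED_VERSION"; then
        echo fixed
    else
        echo check
    fi
}

# inventory_host: walk the places a curl can hide: the binary on PATH, shared libcurl
# objects, distro packages, and locally stored container images.
inventory_host() {
    if command -v curl >/dev/null 2>&1; then
        first=$(curl --version 2>/dev/null | head -n 1)
        lib=$(libcurl_version_of "$first")
        echo "curl on PATH: $first"
        echo "  libcurl ${lib:-?}: $(assess_version "$lib")"
    else
        echo "curl: not on PATH"
    fi

    # A statically built tool can be fixed while an old libcurl.so remains for other
    # programs, so list the library files themselves.
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | grep libcurl || echo "libcurl: not in ld cache"
    fi

    # Distro packages: compare these against the vendor advisory, not the upstream number,
    # because distributions often backport the fix without bumping the version.
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Package} ${Version}\n' 'curl' 'libcurl*' 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa 'curl*' 'libcurl*' 2>/dev/null || true
    fi

    # Container images carry their own copy of curl; ask each local image for its version,
    # with networking disabled so the check itself cannot reach out.
    if command -v docker >/dev/null 2>&1; then
        docker image ls --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -v '<none>' |
        while read -r img; do
            line=$(docker run --rm --network none --entrypoint curl "$img" --version 2>/dev/null | head -n 1)
            echo "image $img: ${line:-no curl} -> $(assess_version "$(libcurl_version_of "$line")")"
        done
    fi
}

inventory_host
```

Two caveats when reading the output. A distro package reported as "check" may already be patched: Red Hat, Debian and others frequently backport fixes while keeping the old upstream version string, so for packaged curl the vendor advisory is the source of truth. And the script only covers copies it can see; an application that bundles its own libcurl (or a language binding such as pycurl linked against a private copy) needs to be found through the software bill of materials or the build system, which is exactly the supply-chain visibility the rest of this article argues for.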

Groundhog day for open source risk

Due to their widespread use, open source libraries such as Curl can present a serious risk if they are found to contain high or critical risk vulnerabilities. 

After the severe consequences of vulnerabilities such as Heartbleed and Log4Shell, many firms chose to scale back their reliance on open source software.

Further scares, such as the OpenSSL flaw pre-announced as ‘critical’ in October 2022 (and downgraded to ‘high’ when the details were published on November 1), set the hearts of security teams racing and underlined the threat posed by flaws in open source software. That episode is also a reminder that a pre-announced severity can change once the advisory is out, which is a reason to prepare for the Curl update without yet drawing conclusions about exploitability.

The open source community has faced existential uncertainty in 2023, and governments have made moves to shore up the open source supply chain, such as with the EU’s Cyber Resilience Act (CRA).

The CRA has been met with harsh criticism from the open source community, with some having billed it a ‘death knell’ for open source software the world over.

Leaders in the space have called for permanent government funding to support upkeep on vital libraries whose survival and resilience are currently entirely reliant on volunteer developers.

Some have questioned the extent to which this would be a viable long-term solution, while purists within the community have also argued that this could harm the impartiality and independence of open source projects.

Rory Bathgate
Features and Multimedia Editor
