CURL and the upcoming vulnerability: a simple guide for IT and OT leadership
Recently, there's been some chatter about a security flaw with the popular tool "curl." Here's a simple rundown of what happened, how it might affect you, and what you can do about it.
What is CURL?
Imagine a tool that lets computers talk to each other over the internet. That's what CURL (often just called "curl") does. It's like a digital messenger that helps computers send and receive data online. People might use it to download files, check information from a website, or even send messages to another computer.
Where might you find CURL?
While many know curl as a command you type at the computer's command line, it's also hidden inside lots of software and apps. This is because curl has a powerful engine inside it, called libcurl, which developers use to add online communication features to their own software.
Here's where you might find curl or libcurl:
- Downloading and uploading: Many tools that download files from the internet or upload files somewhere else use curl.
- Software and apps: When an app on your phone or a program on your computer needs to fetch some online data or talk to another system, it might be using libcurl to do that.
- Python and other programming languages: Coders can use libcurl from their scripts. For example, Python has a library called PyCurl that wraps libcurl.
What was the problem?
In simple terms, curl had a bug where, under certain conditions, it could mishandle website names (hostnames) that were too long. This could lead to a “buffer overflow” – think of it as overfilling a glass with water, where the excess water can cause problems.
How did this happen?
- The issue arose when curl was told to use a particular kind of proxy (SOCKS5) and the website's name was too long.
- Curl tried to handle this by resolving the name itself. But due to a glitch, it sometimes copied the too-long name into a memory area that was too small to hold it.
- This mishandling was only a risk when certain settings were used and the proxy handshake (think of it as a digital handshake to establish a connection) was slow.
How serious was this?
Pretty serious. If someone with bad intentions knew about this flaw, they could craft special website names to exploit it.
Am I at risk?
If you or your systems use curl (or software that embeds libcurl) in versions from 7.69.0 through 8.3.0, then yes. But if you've updated to 8.4.0, or if you're using a version older than 7.69.0, you're safe.
What should I do?
- Upgrade ASAP: The best way to protect yourself is to upgrade to curl version 8.4.0.
- Apply a Patch: If you can't upgrade immediately, there's a patch available to fix this in older versions.
- Avoid Certain Settings: If you're using the affected versions of curl, avoid using SOCKS5 proxies, and in particular avoid pointing curl's proxy options or proxy environment variables at a socks5h:// address (the setting that asks the proxy to resolve hostnames).
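To turn the "Am I at risk?" and "What should I do?" sections into something an IT team can actually run, here is an added shell script (example code written for this guide, not part of the curl project) that classifies a curl version string against the affected range given above, reads the version of the installed curl command and of the libcurl it is built on, and lists copies of the libcurl shared library in the usual system library directories (which is where the embedded libcurl from "Where might you find CURL?" tends to live). The library directories searched are an assumption about a typical Linux layout.

```shell
#!/bin/sh
# Added example for this guide, not part of the curl project.
# Affected range as stated in the post: 7.69.0 through 8.3.0 inclusive; 8.4.0 fixes it.

# Turn "MAJOR.MINOR.PATCH" into one comparable integer, e.g. 7.69.0 -> 7069000.
# Any suffix after the digits-and-dots part (such as "-DEV") is dropped first.
version_key() {
  set -- $(printf '%s\n' "$1" | sed 's/[^0-9.].*$//' | tr . ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print "affected" when the version falls inside the vulnerable range, else "safe".
curl_version_status() {
  v=$(version_key "$1")
  lo=$(version_key 7.69.0)
  hi=$(version_key 8.3.0)
  if [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]; then
    echo affected
  else
    echo safe
  fi
}

# The first line of `curl --version` looks like:
#   curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 ...
# The command-line tool and the libcurl it links against can differ, so read both.
installed_curl_version() {
  curl --version 2>/dev/null | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

installed_libcurl_version() {
  curl --version 2>/dev/null | sed -n '1s/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# List libcurl shared libraries in common system library directories (assumed layout).
# Applications that bundle their own copy elsewhere will not show up here.
find_libcurl_libraries() {
  for dir in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib; do
    [ -d "$dir" ] && find "$dir" -name 'libcurl.so*' 2>/dev/null
  done
}

# Report on the local system when run directly (not when sourced for testing).
if [ "${CURL_CHECK_NO_MAIN:-0}" = 0 ] && [ "$(basename -- "$0")" = "curl_check.sh" ]; then
  cli=$(installed_curl_version)
  lib=$(installed_libcurl_version)
  echo "curl command: ${cli:-not found} ($(curl_version_status "${cli:-0.0.0}"))"
  echo "libcurl:      ${lib:-not found} ($(curl_version_status "${lib:-0.0.0}"))"
  echo "libcurl shared libraries on disk:"
  find_libcurl_libraries
fi
```

Save it as curl_check.sh and run it on each host; the version-range check is the quick first pass. Keep in mind that Linux distributions often backport the fix into an older version number, so a version that reads "affected" here may already carry the vendor patch mentioned under "Apply a Patch". Check the package changelog or your vendor's advisory before treating a host as exposed.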
Anything else I should know?
This issue was reported at the end of September 2023 and was fixed in the release of curl 8.4.0 on October 11, 2023. So kudos to the curl team for a quick response!
A big shoutout to Jay Satiro who not only reported the issue but also provided the fix.
For more information on how penetration testing or Endpoint Detection and Response can help you defend your organisation against the latest vulnerabilities, speak to a cybersecurity expert today.