Officials warn of vulnerability affecting fundamental open source tool


The maintainers of a popular open source tool that underpins data transfer over many network protocols, including SSL, TLS, HTTP, FTP and SMTP, are warning of two vulnerabilities that will be announced next week.

The problems center around curl, an open-source command-line tool that researchers say is widely used by developers and system administrators “to interact with APIs, upload files, and create automated workflows between various Internet-based tasks.”

In a post on GitHub on Wednesday, the tool’s maintainers warned that they would release patches for a high-severity vulnerability, CVE-2023-38545, and a low-severity issue tracked as CVE-2023-38546.

A curl update will be released on October 11 to address both of these issues. CVE-2023-38545 affects both curl and libcurl, the library behind the tool, but CVE-2023-38546 only affects libcurl.

“The one that was rated HIGH is probably the worst curl security flaw in a long time,” a maintainer said on GitHub.

“I cannot disclose any information about the affected version range, as this would help identify the problem (area) with very high precision, so I cannot do this in advance. The ‘late years’ versions are as accurate as possible. We have notified the distribution mailing list allowing member distributions to prepare patches. (No one else gets details on these issues until October 11 without a support contract and a good reason.) Now you know. Plan accordingly.”

Melissa Bischoping, director of endpoint security research at Tanium, said curl is widely used both as a standalone utility and as part of other software.

The utility’s widespread use, she said, means organizations should take advantage of the head start to begin assessing their environment.

Bischoping explained that while it is possible that this vulnerability manifests itself in such a way that it does not affect every curl implementation, given the advance warning from the lead developer himself and the widespread impact it might have, it would be prudent to plan for a large event even if the actual impact ends up being less severe.

“As an industry, it is important to avoid giving in to fear, uncertainty and doubt, while balancing this with preparedness and patch management planning to account for ‘worst-case scenarios.’ I appreciate that the curl developers are doing what they can to provide information and try to control fear-mongering as we all prepare for the October 11 patch,” she said.

Saeed Abbasi of Qualys published a blog article explaining that libcurl allows developers “to add robust data transfer functionality to their applications, ensuring that their software can communicate with servers for tasks such as sending HTTP requests, handling cookies, and managing authentication.”

“This makes it an essential tool for developing interconnected, web-friendly applications,” he said.

This vulnerability caps a turbulent month for open source security. The White House recently hosted a forum with open source security experts to unveil a roadmap on how cybersecurity efforts in this area will be approached in the future.

But since that meeting, several open source vulnerabilities have sparked concern. The Cybersecurity and Infrastructure Security Agency and cybersecurity researchers have warned that vulnerabilities affecting two popular open source tools, libwebp and libvpx, are currently being exploited by hackers. Google said it had evidence of exploitation by unnamed commercial spyware vendors.

On Tuesday, Amazon Web Services warned users of a vulnerability affecting TorchServe, a tool used by some of the world’s largest companies to integrate artificial intelligence models into their businesses.

Several people said the recent incidents highlighted the government-backed push for software bills of materials (SBOMs), which will help organizations better understand what components the software they use relies on.

Bischoping said the announcement about issues affecting curl and libcurl is “yet another example of the importance of software bill of materials reporting in allowing organizations to find anything that uses a component like curl.”

“We have seen no shortage of similar vulnerabilities in utilities such as this over the past few years, and the problem will continue to be difficult to resolve until we, as an industry, can standardize better and include BOM documentation as a default,” added Bischoping.
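The environment assessment Bischoping describes starts with knowing where curl and libcurl actually live, including software that links the library without shipping a curl binary. The following POSIX shell script is an added example, not code from the article, from Tanium or from the curl project: it inventories curl executables, libcurl shared objects and packages, and running processes with libcurl mapped on a Linux host, and parses `curl --version` output so the binary and library versions are reported separately (they can differ when curl is dynamically linked). Because the affected range was not public when the article was written, the fixed version is a placeholder read from the `CURL_FIXED_VERSION` environment variable, to be set from the advisory once it is released; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: inventory curl and libcurl on a Linux host ahead of a patch release.
# Functions only define behaviour; run `sh curl_inventory.sh report` for the full output.

# Parse the first line of `curl --version`, e.g. (constructed sample)
#   "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.2"
# and print "<curl version> <libcurl version>" ("unknown" when a field is absent).
parse_curl_version_line() {
    printf '%s\n' "$1" | awk '{
        bin = ($1 == "curl") ? $2 : "unknown";
        lib = "unknown";
        for (i = 1; i <= NF; i++)
            if (index($i, "libcurl/") == 1) lib = substr($i, 9);   # strip "libcurl/"
        print bin, lib
    }'
}

# Return 0 when dotted version $1 sorts strictly before $2 (numeric per component,
# so 8.4.0 < 8.10.0); missing components count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1
    }'
}

# Every curl executable on PATH plus a few common extra locations: "<path> <curl> <libcurl>".
inventory_curl_binaries() {
    {
        for dir in $(printf '%s' "$PATH" | tr ':' ' ') /usr/local/bin /opt/*/bin; do
            [ -x "$dir/curl" ] || continue
            line=$("$dir/curl" --version 2>/dev/null | head -n 1) || continue
            printf '%s %s\n' "$dir/curl" "$(parse_curl_version_line "$line")"
        done
    } | sort -u
}

# libcurl shared objects known to the dynamic linker, and the packages that own curl/libcurl.
inventory_libcurl_libraries() {
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | awk '/libcurl/ { print $NF }' | sort -u
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' 'libcurl*' 'curl' 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa 'libcurl*' 'curl*' 2>/dev/null
    fi
}

# Running processes with libcurl mapped: "<pid> <command line>". This is what finds software
# that uses the library without a curl binary; reading other users' maps needs privileges.
processes_using_libcurl() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -q 'libcurl' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Full report. CURL_FIXED_VERSION is a PLACEHOLDER until the advisory names the fixed release;
# until it is set, no version is flagged.
main() {
    fixed="${CURL_FIXED_VERSION:-0.0.0}"
    echo "== curl binaries (path, curl version, libcurl version) =="
    inventory_curl_binaries | while read -r path bin lib; do
        flag=""
        [ "$fixed" != "0.0.0" ] && version_lt "$lib" "$fixed" && flag="  <-- libcurl older than $fixed"
        printf '%s %s %s%s\n' "$path" "$bin" "$lib" "$flag"
    done
    echo "== libcurl libraries and packages =="
    inventory_libcurl_libraries
    echo "== running processes with libcurl mapped (pid, command) =="
    processes_using_libcurl
}

if [ "${1:-}" = "report" ]; then main; fi
```

The process scan is the part an SBOM would otherwise have to answer: a host can have no `curl` binary on PATH and still run several services linked against libcurl. Run the script on a representative sample of hosts now, keep the output, and re-run it with `CURL_FIXED_VERSION` set once the October 11 advisory gives the version to compare against.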


Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
