{"id":1869,"date":"2023-10-11T21:32:40","date_gmt":"2023-10-11T21:32:40","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=77585"},"modified":"2023-10-11T21:32:40","modified_gmt":"2023-10-11T21:32:40","slug":"long-awaited-curl-vulnerability-flops","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/10\/11\/long-awaited-curl-vulnerability-flops\/","title":{"rendered":"Long-awaited curl vulnerability flops"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Long-awaited curl vulnerability flops | CyberScoop<\/title> <meta name=\"description\" content=\"The flaw in the widely used open source software package was expected to be the next great catastrophe in computer security.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/curl-vulnerability-open-source\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Long-awaited curl vulnerability flops\"> <meta property=\"og:description\" content=\"The flaw in the widely used open source software package was expected to be the next great catastrophe in computer security.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/curl-vulnerability-open-source\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2023-10-11T21:32:40+00:00\"> <meta property=\"article:modified_time\" content=\"2023-10-11T21:43:41+00:00\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/long-awaited-curl-vulnerability-flops-1.png\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1697142927g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1696961159g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1696959155g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7dab012cdc88b5676610\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/77585\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.3.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=77585\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcurl-vulnerability-open-source%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcurl-vulnerability-open-source%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-77585 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/curl-vulnerability-open-source\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 
11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"23.622171945701\">\n<div class=\"single-article__header-content\" readability=\"29.192307692308\">\n<p> The flaw in the widely used open source software package was expected to be the next great catastrophe in computer security. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"357\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/long-awaited-curl-vulnerability-flops.png?resize=640%2C357&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/long-awaited-curl-vulnerability-flops-1.png 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/long-awaited-curl-vulnerability-flops-1.png?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/long-awaited-curl-vulnerability-flops-1.png?resize=768,428 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/long-awaited-curl-vulnerability-flops-1.png?resize=1024,571 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/long-awaited-curl-vulnerability-flops-1.png?resize=1536,856 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/long-awaited-curl-vulnerability-flops-1.png?resize=600,334 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/long-awaited-curl-vulnerability-flops-1.png?resize=1200,669 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/long-awaited-curl-vulnerability-flops-1.png?resize=1500,836 1500w\" sizes=\"(max-width: 1200px) 100vw, 
1200px\"><figcaption> Getty Images <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"40.790550838232\"><body readability=\"82.519681556833\"><\/p>\n<p>A pair of highly anticipated vulnerabilities revealed on Wednesday in a ubiquitous piece of open source software appear to be far less threatening than many researchers feared.<\/p>\n<p>The two vulnerabilities impact the curl and libcurl programs, which are believed to have been installed <a href=\"http:\/\/daniel.haxx.se\/blog\/2021\/10\/15\/curl-installations-per-capita\/\">some 50 billion times<\/a> and are used to transfer files using network protocols. The two programs represent basic building blocks of the internet, and a sufficiently severe bug impacting them might impact nearly anything connecting to a web server.<\/p>\n<p>The release of the two bugs had been <a href=\"http:\/\/thehackernews.com\/2023\/10\/security-patch-for-two-new-flaws-in.html\">highly anticipated<\/a> <a href=\"http:\/\/theregister.com\/2023\/10\/11\/vulnerabilities_in_curl_receive_patches\/\">in the security<\/a> <a href=\"http:\/\/therecord.media\/curl-vulnerabilities-to-be-announced-open-source\">community<\/a>, with the program\u2019s lead developer, Daniel Stenberg, <a href=\"https:\/\/github.com\/curl\/curl\/discussions\/12026\">describing<\/a> the bug as \u201cthe worst curl security flaw in a long time.\u201d<\/p>\n<p>But security researchers expecting the next Log4Shell \u2014 an easily exploitable vulnerability with a huge install base \u2014 were disappointed that the bug is only exploitable in rare circumstances.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>A maintainer for Red Hat\u2019s CentOS who released a fix <a 
href=\"https:\/\/twitter.com\/bagder\/status\/1711980976773980336\">around 14 hours earlier than anticipated<\/a> revealed the vulnerability to be a buffer overflow issue that can only be taken advantage of under highly specific circumstances. Researchers awaiting the patch either breathed a sigh of relief or <a href=\"https:\/\/twitter.com\/HackingLZ\/status\/1711913783768072668\">expressed<\/a> <a href=\"https:\/\/twitter.com\/_mmpte_software\/status\/1711943922396619084\">annoyance<\/a> that the bug was not as serious as initially thought.<\/p>\n<p>The more severe of the two vulnerabilities revealed Wednesday revolves around using curl to connect through SOCKS5 \u2014 a proxy frequently used by Tor and virtual private networks \u2014 to a malicious website whose hostname is longer than 255 bytes. Stenberg theorized that the most \u201c<a href=\"https:\/\/mastodon.social\/@bagder\/111214995699589027\">realistic<\/a>\u201d use case is someone using Tor to visit a malicious HTTPS site that takes advantage of this specific vulnerability.<\/p>\n<p>\u201cThere\u2019s a big difference between vulnerabilities where an attacker can scan the internet and exploit anyone who is running vulnerable versions,\u201d said David Brumley, a cybersecurity professor at Carnegie Mellon University and the CEO of the cybersecurity firm ForAllSecure. \u201cThis is one where if someone goes to a malicious website and they have a vulnerable version they can get exploited.\u201d<\/p>\n<p>Computer security experts concluded Wednesday that setups at risk of being attacked using the vulnerability were far more likely to get hit using easier-to-execute techniques. \u201cIf you accept data, not validate it, and just blindly pass it to libraries like curl, you will likely have other problems that are easier to exploit,\u201d Johannes B. 
Ullrich, the dean of research at the SANS Technology Institute, <a href=\"http:\/\/isc.sans.edu\/forums\/diary\/CVE202338545+curl+SOCKS5+oversized+hostname+vulnerability+How+bad+is+it\/30304\/\">wrote<\/a>. <\/p>\n<p>In revealing the vulnerability, Stenberg also <a href=\"http:\/\/daniel.haxx.se\/blog\/2023\/10\/11\/how-i-made-a-heap-overflow-in-curl\/?ref=thestack.technology\">explained<\/a> in a blog post how the bug occurred. \u201cReading the code now it is impossible not to see the bug. Yes, it truly aches having to accept the fact that I did this mistake without noticing and that the flaw then remained undiscovered in code for 1315 days. I apologize. I am but a human,\u201d he wrote.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Stenberg\u2019s explanation offers a rare bit of insight about how bugs can happen in the first place, sharing why the new feature was introduced and his thinking when he wrote the code that resulted in the bug.<\/p>\n<p>Stenberg pointed out that using a memory-safe language would have avoided the entire problem but noted that the transition to these languages is \u201chappening in a near glacial speed and shows with painful clarity the challenges involved.\u201d <\/p>\n<p>The Biden administration has been pushing developers and big tech companies to embrace memory-safe languages as a tool to eliminate entire classes of bugs. According to Stenberg, 41% of security vulnerabilities found in curl would not have occurred if a memory-safe language had been used.<\/p>\n<p>Others argued that the hype leading up to Wednesday\u2019s release obscured what should be a routine process. <\/p>\n<p>\u201cVulnerabilities are going to come out. There will be a new one next week. There is going to be a new one next year,\u201d said Omkhar Arasaratnam, general manager of the Linux Foundation\u2019s Open Source Security Foundation. 
\u201cWhat I would recommend to all organizations is get practiced in being able to receive, triage and take action against the vulnerabilities as they come out. This shouldn\u2019t be a surprise. It shouldn\u2019t be manic and hectic every time a vulnerability comes out.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Arasaratnam said that it\u2019s not often a vulnerability on such <a href=\"https:\/\/cyberscoop.com\/largest-ddos-cloudflare-amazon-google\/\">vital software gets a warning<\/a>, and noted that companies should have a solid software bill of materials so that when there is an expected bug, it can be quickly patched with some precautionary research.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 
class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/curl-vulnerability-open-source\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Long-awaited curl vulnerability flops | CyberScoop Skip to main content<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1072,1073,1074,288,703],"tags":[1075,1076,1077,294,705],"class_list":["post-1869","post","type-post","status-publish","format-standard","hentry","category-curl","category-open-source","category-sans-institute","category-threats","category-vulnerability-disclosure","tag-curl","tag-open-source","tag-sans-institute","tag-threats","tag-vulnerability-disclosure"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber 
Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/curl\/\" rel=\"category tag\">curl<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sans-institute\/\" rel=\"category tag\">SANS Institute<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-disclosure\/\" rel=\"category tag\">vulnerability disclosure<\/a>","tag_info":"vulnerability disclosure","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1869"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1869\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}