When a client URL is given a hostname to pass along to a SOCKS5 proxy that is greater than 255 bytes in length, it will switch to local-name resolution to resolve the address before passing it on to the proxy. However, due to a bug introduced in 2020, this local-name resolution could fail due to a slow SOCKS5 handshake. This would cause the curl (a command line tool widely used for data transfer via URLs) to pass on the hostname greater than 255 bytes in length into the target buffer, leading to a heap overflow.
To limit exploitation, CVE-2023-38545 — a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake in libcurl and curl — was recently published.
Impact
Affected versions: libcurl 7.69.0 to (and including) 8.3.0. Not affected versions: libcurl below 7.69.0 and above (and including) 8.4.0.
While an affected implementation has not been exploited in the wild, the advisory for CVE-2023-38545 gives an example exploitation scenario of a malicious HTTPS server redirecting to a specially crafted URL. While it might seem that an attacker would need to “influence” the slowness of the SOCKS5 handshake, the advisory states that server latency is likely “slow enough to trigger this bug.”
DXC perspective
Users should also run vulnerability scans to identify impacted systems, then update impacted systems to curl version 8.4.0. Starting with this version, the curl no longer switches to local-resolve mode if the name is too long; instead, it rightfully returns an error.
We also recommend that users avoid using CURLPROXY_SOCKS5_HOSTNAME proxies with curl. We further recommend that users stop setting proxy environment variables to socks5h://.
