Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

CVE-2023-38545, CVE-2023-38546: Frequently Asked Questions for New Vulnerabilities in curl

$
0
0
CVE-2023-38545, CVE-2023-38546: Frequently Asked Questions for New Vulnerabilities in curl

Frequently asked questions relating to two vulnerabilities patched in curl version 8.4.0

Background

On October 3, Daniel Stenberg, an open-source developer and maintainer of curl, took to X (formerly Twitter) to announce that a new high severity CVE would be fixed in curl 8.4.0. Daniel noted that the release would be ahead of schedule and released on October 11, indicating in a reply to the twitter thread that this is “the worst security problem found in curl in a long time.”

FAQ

What is curl and libcurl?

Client for URL (or “curl”) is a command line tool (CLI) used to transfer files to and from servers. curl can make use of a variety of protocols and is backed by the libcurl library which provides multiple APIs and support for a multitude of network bindings. curl is widely used by system administrators and developers.

What is the difference between curl and libcurl?

libcurl is a development library (shortened to “lib”) that allows other programs to use the curl tool, where as “curl” is the cli tool or frontend that is ran from a script or a shell prompt. Stenberg’s post offers a great summary on the differences between these two.

What vulnerabilities were fixed in curl 8.4.0?

As of October 4, no details are currently available for the vulnerabilities that have been fixed in curl 8.4.0 and we do not anticipate those details will be available until October 11. However a discussion post on the GitHub repository for the curl project does provide us with some basic information as shown in the table below:

CVEDescriptionSeverityAffects
CVE-2023-38545UnknownHighlibcurl and curl
CVE-2023-38546UnknownLowlibcurl

When will patches be available?

According to the GitHub discussion post and the Twitter announcement, curl version 8.4.0 will be released on October 11 to address both vulnerabilities.

Have either of these CVE’s been exploited in the wild?

As of October 4, we do not have any information as to whether or not these vulnerabilities have been exploited in the wild.

How widely used is curl?

curl is one of the most widely used open source projects, as it is in use in a variety of applications and devices worldwide. It is deployed with Windows from Windows 10 and later as well as many Linux distributions.

Identifying affected systems

Once curl 8.4.0 has been released on October 11, plugins will be developed and released to address both CVEs. In the meantime, we recommend visiting the Plugins Pipeline for information on upcoming plugin releases.

In the meantime, customers can utilize Plugin ID 171860 to identify curl installations on Windows hosts.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.


Viewing all articles
Browse latest Browse all 1935

Trending Articles