High severity curl vulnerability: prepare with Microsoft Defender for Cloud

On October 3rd, high severity vulnerabilities in curl were preannounced. The curl project has announced that curl8.4.0 has now been released, earlier than expected. Two vulnerabilities have now been disclosed: high-severity CVE-2023-38545 and low-severity CVE-2023-38546.   

  

curl is a popular command-line tool and library (libcurl) used to transfer data across network protocols using URL syntax. The library is one of the most widely used open-source projects across most operating systems, including Windows and Linux, and is one of the most popular OSS packages present in clients, embedded systems, and cloud-native applications/containers.   

  

CVE-2023-38545 refers to a heap overflow vulnerability associated with the SOCKS5 proxy handshake in both libcurl and curl. When curl receives a hostname exceeding 255 bytes to relay to a SOCKS5 proxy, it defaults to local name resolution to determine the address before transferring it to the SOCKS5 proxy. A 2020 bug makes this local resolution potentially fail if the SOCKS5 handshake is delayed. As a result, curl might forward the oversized hostname to the intended buffer, triggering a heap overflow. 

 

CVE-2023-38546 pertains to a cookie injection vulnerability in curl_easy_duphandle(), a libcurl function responsible for duplicating easy handles. If cookies are active when an easy handle is duplicated, the resulting duplicate doesn't copy the actual cookies. Instead, it sets the filename to 'none.' As a consequence, when this duplicated easy handle is later utilized and no source is defined for the cookies, libcurl tries to load them from a file titled 'none' located on the storage.  

  

What is the impact and how do I identify risk? 

As a widely used OSS component in cloud-native applications, curl is very likely present in many resources, including Virtual Machines and Container Images. We strongly recommend that you collect an inventory of affected resources to ease the remediation process once the update is released. 

  

Microsoft Defender for Cloud has multiple ways to quickly determine where in your environment you are vulnerable that are covered in this blog. 

 

Method 1: Hunt for all impacted resources using the cloud security explorer

Note: To hunt for impacted resources, first enable Defender CSPM in Microsoft Defender for Cloud and ensure that the agentless scanning, container registry scanning, and agentless discovery for Kubernetes are enabled. For more details on enabling these services, click here for Defender CSPM. 

 

To query the cloud security graph for affected servers: 

1. Sign in to the Azure portal.
2. Use the following links to pre-populate Cloud Security Explorer queries:
   • Virtual machines with curl vulnerabilities 
   • Internet exposed virtual machines with curl vulnerabilities  
   • Internet exposed virtual machines with curl vulnerabilities and permissions to cloud resources  
   • Internet exposed virtual machines with curl vulnerabilities and secrets  

 

Figure 1. Cloud security explorer query for Virtual Machines containing vulnerable curl packages.

 

To query the cloud security graph for affected container images: 

1. Sign in to the Azure portal. 
2. Use the following links to pre-populate Cloud Security Explorer queries: 
   • Container images with curl vulnerabilities  
   • Running containers with curl vulnerabilities  
   • Privileged containers with curl vulnerabilities  
   • Running containers with curl vulnerabilities on internet exposed pods    

Learn more about cloud security explorer and other Defender CSPM capabilities. 

 

Method 2: Identify VMs where the application installed contains curl using Inventory

Note: To hunt for impacted resources, first enable Defender CSPM or Defender for Servers P1 or P2 in Microsoft Defender for Cloud and ensure that agentless scanning is enabled or that vulnerability scanning with Microsoft Defender Vulnerability Management is enabled. For more details on enabling these services, click here for Defender CSPM and here for Defender for Servers. 

 

1. Sign in to the Azure portal.
2. Filter for Installed applications contains curl. 
3. Sort based on the number of unhealthy recommendations.
4. Remediate the unhealthy recommendations to ensure that your attack surface is reduced.

 

Figure 2. Filter Inventory for security findings with CVE-2023-38545.

 

Method 3: Identify resources containing curl using Azure Resource Graph

1. Follow the above steps. Within the Inventory blade select Open Query.  
2. Run the sample queries below. 

 

Figure 3. Open Azure Resource Graph query from Inventory.

 

 

Sample query for retrieving virtual machines running curl: 

securityresources 
| where type == "microsoft.security/softwareinventories" 
| where name has "curl" 
| extend deviceId = tostring(properties.deviceId), 
subscriptionId = tostring(properties.azureSubscriptionId), 
osPlatform = tostring(properties.osPlatform),
version = tostring(properties.version),
softwareName = tostring(properties.softwareName), 
azureVMId = tostring(properties.azureVmId) 
| where not(version has ("8.4"))
| extend vmId = iff(azureVMId has "securityconnectors", split(azureVMId, '/')[10], split(azureVMId, '/')[8]) 
| extend environment = iff(id has "Microsoft.HybridCompute", "arc", iff(id has "microsoft.security/securityconnectors", "multicloud", "azure")) 
| project id, subscriptionId, vmId, softwareName, version, osPlatform, environment

Sample query for retrieving container images with a curl vulnerability:

securityresources  
| where type =~ "microsoft.security/assessments/subassessments" 
| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId= extract("(.+)/providers/Microsoft.Security", 1, id) 
| extend resourceId = tostring(properties.resourceDetails.id) 
| extend subAssessmentName=tostring(properties.displayName), 
    subAssessmentDescription=tostring(properties.description), 
    subAssessmentRemediation=tostring(properties.remediation), 
    severity=tostring(properties.status.severity), 
    status=tostring(properties.status.code), 
    cause=tostring(properties.status.cause), 
    statusDescription=tostring(properties.status.description), 
    additionalData=tostring(properties.additionalData) 
| where assessmentKey == "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5" 
| where status == "Unhealthy" 
| where subAssessmentId in ("CVE-2023-38545","CVE-2023-38546")
| extend repositoryName = tostring(properties.additionalData.artifactDetails.repositoryName), 
registry = tostring(properties.additionalData.artifactDetails.registryHost) 
| distinct repositoryName, registry 

 

Identify other curl usage patterns 

Depending on your use case, it might be worth monitoring certain curl usage patterns. For example, you might have inadvertently hardcoded a curl release for download in a Dockerfile or a CI workflow definition. 

 

For GitHub Repos, you can leverage GitHub Code Search with a query like: (path:.github AND path:.yml) OR (path:Dockerfile) AND (curl.se/download OR github.com/curl/curl/releases) AND (org:<your org>).

 

You might encounter a hardcoded release number in this URL, or a parameter pointing to a hardcoded value. The screenshot below shows both patterns: 

 

Figure 4. Hardcoded curl release

  

 

Authors

• Lara Goldstein, Product Manager 2
• Charles Oxyer, Product Manager
• Jose Miguel Parrella, Principal Architect