On October 11, 2023, the maintainers of curl released a patch (version 8.4.0) to address a pair of security vulnerabilities. The patch is in response to the CVEs that were disclosed on Wednesday, October, 4, 2023. This document provides an overview of steps you can take to protect your organization and your 3rd party network as well as a summary of our investigation and mitigation efforts.

Description

Curl is a ubiquitous tool for transferring data via command line and scripts. Many common applications use curl and its close relative libcurl, and as a result these vulnerabilities could have widespread implications for individuals and organizations of all sizes and industries across the world.

Severity and Impact

CVE-2023-38545 has been designated as a High severity vulnerability, and CVE-2023-38546 has been given a Low severity, which are exploitable if the libraries are configured to use the “socks5h://” scheme or the “--socks5-hostname” flag. If these vulnerabilities are exploited, they could lead to remote code execution (RCE) or denial of service (DoS) attacks.

The update contains a fix for a security issue that affects curl and libcurl versions 7.69.0 through 8.3.0.

It is important to quickly assess the impact and risk both internally and within your third-party population. Take action now and follow these steps to assess the potential impact to systems and remediate accordingly.

Step 1: Determine if you are at risk.

If you or a third party are using curl or libcurl, the system may be vulnerable to these CVEs.
To assess whether your third parties are vulnerable, customers can access the Curl & Libcurl Critical Vulnerability Questionnaire in the Whistic Platform under our Questionnaire Standards Library by clicking here.

Step 2: Immediately patch systems that have been impacted.

Make sure your team is aware of the vulnerability and the subsequent patch release on October 11, 2023.
Determine which applications and infrastructure are using curl or libcurl 8.3.0 or lower.
Update any vulnerable curl or libcurl installations.

Does this affect Whistic?

As a result of our investigation, we have determined that these vulnerabilities (CVE-2023-38545 or CVE-2023-38546) do not directly impact Whistic. While Whistic uses curl and libcurl in conjunction with many other tools, the required configurations that enable these vulnerabilities are not used, which means we were not affected by these vulnerabilities, nor is our use of these libraries affected. We have a structured approach to vulnerability identification and remediation using technologies in both the development lifecycle and in our stage and production environments.