How to Find Vulnerable Versions of Curl and Update it
Krishna G.
Chief Executive Officer @ OMVAPT | Information Security | Secure CEO as a Service
The package repositories of curl have disclosed two vulnerabilities in libcurl, which affect versions 7.69 up to version 8.3.0.
How to Manually Update Curl to stable and secure 8.4.0 on Ubuntu/Debian
Use the following command to find the curl binaries on the system and print each one's version, including the libraries it is built against.
find / -type f -name curl 2>/dev/null -exec echo "Found: {}" \; -exec {} --version \;
The above screenshot displays the output for the command.
I tried updating Curl and others using the apt update command. However, it only updated to 8.3.0 (which is also a vulnerable version of curl). So, a manual update to 8.4.0 is necessary.
From 8.3.0 to 8.4.0
sudo apt install -y libssl-dev autoconf libtool make
wget https://curl.se/download/curl-8.4.0.tar.gz
tar -xvf curl-8.4.0.tar.gz
cd curl-8.4.0
./buildconf
./configure --with-ssl
make
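sudo make install
# make install puts the new binary in /usr/local/bin (the default prefix)
sudo mv /usr/bin/curl /usr/bin/curl.bak
sudo cp /usr/local/bin/curl /usr/bin/curl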
Final Stable version 8.4.0 on Kali Linux.
curl --version
What is Curl?
Curl is used in command lines or scripts to transfer data. It is also used in cars, television sets, routers, printers, audio equipment, mobile phones, and tablets. It is the internet transfer backbone for millions of software applications, affecting billions of humans daily.
cURL is a foundational networking tool for Unix and Linux systems, used in command lines and scripts to transfer data. It is so prevalent because it is used both as a standalone utility (curl) and as a library in many different applications (libcurl). The libcurl library, which allows developers to access curl APIs from their own code, can be embedded directly in the code, used as a dependency, shipped as part of an operating system bundle, included in a Docker container, or installed on a Kubernetes cluster node.
Curl Vulnerabilities with CVE
Dubbed CVE-2023-38545, the vulnerability is a heap-based buffer overflow lurking in curl's handling of the SOCKS5 proxy protocol. This weakness was a ticking time bomb, potentially corrupting data and, in the worst circumstances, allowing arbitrary code execution.
The tale began on an apparently ordinary day, 4th October 2023, when one of curl's core maintainers, Daniel Stenberg, announced a plan to release a fortified version of curl, 8.4.0, on 11th October 2023. This version was the knight in shining armour, destined to defeat the menacing CVE-2023-38545 and another, lesser adversary, CVE-2023-38546.
CVE-2023-38545 affects both the curl command-line tool and libcurl, in versions from 7.69.0 up to and including 8.3.0. However, the bug cannot be triggered under default conditions. It is reachable only if curl is used in particular ways, such as by setting CURLOPT_PROXYTYPE to CURLPROXY_SOCKS5_HOSTNAME or by configuring a proxy with the scheme socks5h://. The curl CLI tool is exposed only if it is run with flags or environment variables that make it use the socks5h:// scheme.
Note: Once you update to version 8.4.0, this vulnerability will be mitigated.
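A check for the conditions described above, as an added example that is not part of the original article: it reads the libcurl version from a `curl --version` banner (the overflow is in the library, and the banner reports the tool and library versions separately), tests it against the 7.69.0 to 8.3.0 range, and looks for a socks5h:// proxy in the proxy environment variables curl reads. The function names and the sample banner are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flags libcurl builds in the range
# the article gives, 7.69.0 through 8.3.0, and socks5h:// proxy settings.

# Extract the libcurl version from the first line of `curl --version`.
libcurl_version() {
    printf '%s\n' "$1" | sed -n '1s|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# Turn X.Y.Z into one comparable integer (missing parts count as 0).
version_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Succeeds when the version lies inside the affected range.
is_affected() {
    key=$(version_key "$1")
    [ "$key" -ge "$(version_key 7.69.0)" ] && [ "$key" -le "$(version_key 8.3.0)" ]
}

# Succeeds when a proxy URL uses the socks5h:// scheme named in the article.
is_socks5h() {
    case $1 in [Ss][Oo][Cc][Kk][Ss]5[Hh]://*) return 0 ;; esac
    return 1
}

# Assess one banner together with the proxy variables curl reads.
# Exit status: 0 not affected, 1 affected, 2 banner not understood.
assess() {
    ver=$(libcurl_version "$1")
    [ -n "$ver" ] || { echo "unknown: no libcurl version in banner"; return 2; }
    is_affected "$ver" || { echo "ok: libcurl $ver is outside 7.69.0-8.3.0"; return 0; }
    for p in "${ALL_PROXY:-}" "${all_proxy:-}" "${HTTPS_PROXY:-}" \
             "${https_proxy:-}" "${http_proxy:-}"; do
        if is_socks5h "$p"; then
            echo "exposed: libcurl $ver and a socks5h:// proxy is configured"
            return 1
        fi
    done
    echo "affected: libcurl $ver, no socks5h:// proxy in the environment"
    return 1
}

# Constructed banner: new tool, old library. On a host: assess "$(curl --version)"
sample='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.10 zlib/1.2.13'
assess "$sample" || true
```

The check only sees proxies set through environment variables; a proxy passed on the command line or set by an application through libcurl options is outside its view.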
Available for onboarding for the right opportunity in other domains after robust experience in automotive industry
1 year ago
Wondering why the official version of "curl" upgrade does not allow this unless the process is compromised by malicious actors. This is a disservice to everyone by making it so tough to upgrade when alternatives are possible.