Additional Technical Background


CVE-2023-38545: this is a heap-based buffer overflow flaw that affects both libcurl and the curl command-line tool itself (versions 7.69.0 to 8.3.0). It could lead to data corruption or, in the worst case, arbitrary code execution, which is why it was assigned a high severity.

However, one item of note is that the vulnerability cannot be exploited in curl's default configuration: only configurations that use a SOCKS5 proxy with remote hostname resolution are vulnerable, and that is not an overly common setup.

The options that cause SOCKS5 with remote hostname to be used in libcurl:

  • CURLOPT_PROXYTYPE set to type CURLPROXY_SOCKS5_HOSTNAME, or:
  • CURLOPT_PROXY or CURLOPT_PRE_PROXY set to use the scheme socks5h://
  • One of the proxy environment variables set to use the socks5h:// scheme, for example http_proxy, HTTPS_PROXY or ALL_PROXY.

The options that cause SOCKS5 with remote hostname to be used in the curl tool:

  • --socks5-hostname, or:
  • --proxy or --preproxy set to use the scheme socks5h://
  • Using environment variables as described in the libcurl section.

In addition to the conditions above, the curl command-line tool (version 8.x only) is vulnerable if the flag --limit-rate is set with a value smaller than 65541.
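As an added example (not part of this advisory), the following POSIX shell script combines the affected version range with the configuration conditions listed above, so that a version match alone is not reported as exposure. The proxy variable list is the advisory's examples plus their lowercase forms, the --limit-rate suffix multipliers follow curl's documented k/m/g handling, and the 64k rate used in the final run is a constructed value.

```shell
#!/bin/sh
# Added exposure check for CVE-2023-38545 (example, not part of the advisory).
# A version match alone is not enough: the overflow is reachable only when a
# socks5h:// proxy is in use, and in curl tool 8.x only with --limit-rate < 65541.
# Turn "7.69.0" into 7069000 so version ranges compare numerically.
version_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 1000000 + $2 * 1000 + ${3:-0} ))
}
# Succeeds when the version lies in the affected range 7.69.0 .. 8.3.0.
version_affected() {
    v=$(version_key "$1")
    [ "$v" -ge "$(version_key 7.69.0)" ] && [ "$v" -le "$(version_key 8.3.0)" ]
}
# Succeeds when a proxy environment variable selects the socks5h:// scheme
# (libcurl reads lowercase http_proxy only; the others in either case).
socks5h_env_configured() {
    for var in http_proxy https_proxy HTTPS_PROXY all_proxy ALL_PROXY; do
        eval "val=\${$var:-}"
        case "$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')" in socks5h://*) return 0 ;; esac
    done
    return 1
}
# Expand a --limit-rate argument (optional k/m/g suffix) to bytes per second.
limit_rate_bytes() {
    case "$1" in
        *[kK]) echo $(( ${1%?} * 1024 )) ;;
        *[mM]) echo $(( ${1%?} * 1024 * 1024 )) ;;
        *[gG]) echo $(( ${1%?} * 1024 * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}
# Verdict for the curl tool: prints "exposed" or "not-exposed".
# $1 = curl version, $2 = --limit-rate value ("" when the flag is not set).
assess_curl_tool() {
    version_affected "$1"  || { echo not-exposed; return 0; }
    socks5h_env_configured || { echo not-exposed; return 0; }
    case "$1" in 8.*)  # 8.x tool builds also need a small --limit-rate
        if [ -z "$2" ] || [ "$(limit_rate_bytes "$2")" -ge 65541 ]; then
            echo not-exposed; return 0
        fi ;;
    esac
    echo exposed
}
# Example run against the installed curl with a constructed --limit-rate of 64k.
if command -v curl >/dev/null 2>&1; then
    installed=$(curl --version 2>/dev/null | awk 'NR==1 {print $2}')
    echo "curl $installed, ALL_PROXY=${ALL_PROXY:-unset}: $(assess_curl_tool "$installed" 64k)"
fi
```

Run it with the proxy variables exported exactly as the curl invocation under review sees them; for libcurl applications the same questions have to be answered against CURLOPT_PROXYTYPE and CURLOPT_PROXY instead of the environment.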

CVE-2023-38546: this vulnerability is a cookie injection flaw that affects only libcurl versions 7.9.1 to 8.3.0 (not the curl CLI tool) and has been assigned a low severity. According to the curl project maintainers, the low severity reflects the series of specific conditions that must be met to exploit it, and even then the harm that cookie injection can cause is relatively low compared to other vulnerabilities.

At the present time, there are no known exploits in the wild against either of these vulnerabilities, and customers who use this tool in their environments are encouraged to update if they are able to.


Trend Micro Protection and Detection Against Exploitation


First and foremost, it is always recommended that users apply vendor-specific patches when they are available, provided your specific implementation allows updating of this library. In this case, curl 8.4.0 is the release that resolves these issues.

At the moment, Trend Micro is actively looking to see whether there are any relevant detections or protections that can be proactively applied against any future potential exploits. If and when these are released, this article will be updated.


Trend Micro Products/Services Potentially Affected


Trend Micro is currently doing a system-wide inventory/investigation to see if any Trend Micro products and/or services may be affected by these vulnerabilities.

At this time, we have not seen any instances or scenarios that can lead to successful exploitation of either of the vulnerabilities in our products or services.

Below is the confirmed list of affected and unaffected products. Any additional information will be added here as necessary.

Important Note: Several 3rd party vulnerability scanners may flag some of the following products as "affected" by one of these vulnerabilities. It is important to note that many, if not all, of these vulnerability scanners only search for library or component versions and DO NOT or CANNOT take into consideration the actual configuration, context and/or scenarios that make a certain component "vulnerable" to a particular exploit.

In our analysis, Trend Micro takes into account the entire scenario necessary to exploit a particular vulnerability when determining whether or not a product may be vulnerable to it. In this case, any flagging by a 3rd party vulnerability scanner of one of the products marked "Not Affected" below should be treated as a False Positive.

| Trend Micro Product/Service Name | Status |
|---|---|
| Apex Central™ | Not Affected |
| Apex One™ | Not Affected |
| Apex One™ as a Service | Not Affected |
| Cloud App Security | Not Affected |
| Cloud Edge | Not Affected |
| Cloud One - Network Security | Not Affected |
| Cloud One - Endpoint and Workload Security | Not Affected |
| Deep Discovery Analyzer | Affected (CVE-2023-38545 only); updated module available |
| Deep Discovery Director | Not Affected |
| Deep Discovery Email Inspector | Not Affected |
| Deep Discovery Inspector | Not Affected |
| Deep Discovery Web Inspector | Not Affected |
| Deep Security (Agent and DSM) | Not Affected |
| HouseCall | Not Affected |
| ID Security | Not Affected |
| IM Security | Not Affected |
| InterScan Messaging Security Virtual Appliance (IMSVA) | Not Affected |
| InterScan Web Security Virtual Appliance (IWSVA) | Not Affected |
| InterScan Web Security Suite (IWSS) | Not Affected |
| PortalProtect | Not Affected |
| Safe Lock | Not Affected |
| ScanMail for Domino (Windows/Linux) | Affected (CVE-2023-38545 only); please contact support for updated module |
| ScanMail for Domino (AIX) | Not Affected |
| ScanMail for Exchange | Not Affected |
| Security for NAS | Not Affected |
| ServerProtect for Linux | Not Affected |
| ServerProtect for Windows | Not Affected |
| ServerProtect for NetApp | Affected (CVE-2023-38545, when SOCKS5 protocol is used); please contact support for updated module |
| ServerProtect for Storage | Not Affected |
| ServerProtect for EMC | Affected (CVE-2023-38545, when SOCKS5 protocol is used); please contact support for updated module |
| TippingPoint SMS | Not Affected |
| TippingPoint TPS | Not Affected |
| TippingPoint TX-Series | Not Affected |
| TippingPoint Virtual SMS | Not Affected |
| TippingPoint Virtual TPS | Not Affected |
| Trend Micro Home Network Security | Not Affected |
| TMUSB | Not Affected |
| Trend Micro Email Security | Not Affected |
| Trend Micro Mobile Security | Not Affected |
| Trend Micro Portable Security | Not Affected |
| Trend Micro Web Security | Not Affected |
| Vision One™ (including Basecamp endpoint) | Not Affected |
| Worry-Free Business Security Services | Not Affected |
| Worry-Free Business Security Standard | Not Affected |