Effect of CVE-2023-38545 and CVE-2023-38546 on Cloud One - Workload Security Agents and Deep Security Agents

Product / Version includes:

Deep Security All , Cloud One - Endpoint and Workload Security All

Last updated: 2025/05/08

Solution ID: KA-0015613

Category: Troubleshoot

Summary

A heap-based buffer overflow flaw was found in the SOCKS5 proxy handshake in the cURL package. If cURL is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. If the hostname is longer, then cURL switches to the local name resolving and passes the resolved address only to the proxy. The local variable that instructs cURL to "let the host resolve the name" could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior.

This flaw does not affect the versions of cURL as shipped with Red Hat Enterprise Linux 6, 7, and 8.

An overflow is only possible in applications that do not set CURLOPT_BUFFERSIZE, or set it smaller than approximately 65kB. Since the cURL tool sets CURLOPT_BUFFERSIZE to 100kB by default, it is not vulnerable unless rate limiting is set by the user to a size smaller than 65kB.

To avoid this issue, it is recommended NOT to use `CURLPROXY_SOCKS5_HOSTNAME` proxies with cURL. Also, do not set a proxy environment variable to socks5h://

In summary, an overflow is only possible in applications that do not set CURLOPT_BUFFERSIZE, or set it smaller than approximately 65kB. Since the cURL tool sets CURLOPT_BUFFERSIZE to 100kB by default, it is not vulnerable unless rate limiting was set by the user to a size smaller than 65KB.

The vulnerability is only triggered in very specific conditions when all four conditions below are met:

The request is made via socks5h.
The state machine's negotiation buffer is smaller than ~65k.
The SOCKS server's "hello" reply is delayed.
The attacker sets a final destination hostname larger than the negotiation buffer.

This makes the said vulnerability very difficult to exploit.

The Agent package contains its own cURL shared library file and does not use system one. cURL is used to check the connection between Deep Security Agent and Deep Security Manager as well as download security updates from the Trend Micro ActiveUpdate server. Since the vulnerability has no impact on the product, upgrading the cURL version is not in the roadmap.

It is important to note that even though a penetration scanner could flag the cURL-related CVEs, it doesn't mean that the Deep Security Agent is vulnerable to the said CVE.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Effect of CVE-2023-38545 and CVE-2023-38546 on Cloud One - Workload Security Agents and Deep Security Agents

Effect of CVE-2023-38545 and CVE-2023-38546 on Cloud One - Workload Security Agents and Deep Security Agents

Product / Version includes:

Summary