=====================================================================

                                CERT-Renater

                      Information Note No. 2023/VULN316

_____________________________________________________________________

DATE                : 13/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running libcurl versions prior to 8.3.0.

=====================================================================
https://curl.se/docs/CVE-2023-38039.html
_____________________________________________________________________

CVE-2023-38039
HTTP headers eat all memory

Project curl Security Advisory, September 13 2023

VULNERABILITY

When curl retrieves an HTTP response, it stores the incoming headers
so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers
it would accept in a response, allowing a malicious server to stream
an endless series of headers and eventually cause curl to run out of
heap memory.

INFO

Since libcurl allocates memory on the heap to store each header
individually, the exact number of headers required for this to become
a problem will vary greatly from case to case. As the headers typically
need to be transferred over a network to curl, the available bandwidth
will also affect how likely or how fast this problem can be triggered.

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CVE-2023-38039 to this issue.

CWE-770: Allocation of Resources Without Limits or Throttling

Severity: Medium


AFFECTED VERSIONS

     Affected versions: libcurl 7.84.0 to and including 8.2.1
     Not affected versions: libcurl < 7.84.0 and >= 8.3.0
     Introduced-in: https://github.com/curl/curl/commit/4d94fac9f0d1dd

libcurl is used by many applications, but not always advertised
as such!

This flaw was already present in the 7.83.0 source code, but in that
release the feature was still marked EXPERIMENTAL and was not
enabled in normal builds. The label was removed in 7.84.0, which is
why we consider that the first vulnerable version.


SOLUTION

Starting in curl 8.3.0, curl returns an error if the total size
of the headers in a single HTTP response exceeds 300 KB.

     Fixed-in: https://github.com/curl/curl/commit/3ee79c1674fd6f9


RECOMMENDATIONS

A - Upgrade curl to version 8.3.0

B - Apply the patch to your local version

C - Monitor response headers and return an error if they grow too large
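
As an added illustration of recommendation C (this is not code from the
curl project or from this advisory), the callback below has the
CURLOPT_HEADERFUNCTION prototype, keeps a per-response byte budget and
makes libcurl abort the transfer once that budget is exceeded, which is
what libcurl does on its own from 8.3.0. The driver that streams
constructed header lines stands in for libcurl so the file builds without
it; the 300 KB budget follows the advisory's description of the fix, but
the exact byte value and the helper names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Per-response accounting of header bytes. Reset it for every new request
 * (and after each redirect) so the limit applies to one response at a time. */
struct header_budget {
    size_t limit;    /* maximum total header bytes accepted for one response */
    size_t used;     /* header bytes accepted so far */
    int exceeded;    /* set once the limit has been crossed */
};

/* Same prototype as a CURLOPT_HEADERFUNCTION callback (libcurl itself is not
 * needed to build this file). libcurl calls it once per header line, status
 * line and terminating blank line included; returning anything other than
 * size * nitems makes libcurl abort the transfer with CURLE_WRITE_ERROR. */
size_t bounded_header_cb(char *buffer, size_t size, size_t nitems, void *userdata)
{
    struct header_budget *b = userdata;
    size_t len = size * nitems;
    (void)buffer;
    if (b->exceeded || len > b->limit - b->used) {
        b->exceeded = 1;
        return 0;            /* abort: this response's headers are too large */
    }
    b->used += len;
    return len;
}

/* Constructed driver (hypothetical helper, not libcurl) for the "endless
 * headers" case: a server streaming `count` lines of `line_len` bytes each.
 * Returns how many lines were accepted before the callback aborted, or
 * `count` if the whole stream fit the budget. */
size_t stream_repeated_headers(size_t limit, size_t line_len, size_t count)
{
    char line[128];
    struct header_budget b = { limit, 0, 0 };
    if (line_len > sizeof line)
        line_len = sizeof line;
    memset(line, 'x', line_len);
    for (size_t i = 0; i < count; i++)
        if (bounded_header_cb(line, 1, line_len, &b) != line_len)
            return i;
    return count;
}
```

In a real transfer, install the callback with CURLOPT_HEADERFUNCTION and
pass a freshly reset struct header_budget through CURLOPT_HEADERDATA.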


TIMELINE

This issue was reported to the curl project on July 17, 2023. We
contacted distros@openwall on September 6, 2023.

This report arrived before the 8.2.0 and 8.2.1 releases shipped (on
July 19 and July 26), but we did not manage to work it through
and fix it in time for those releases.


libcurl 8.3.0 was released on September 13 2023, coordinated with
the publication of this advisory.


CREDITS

     Reported-by: selmelc on hackerone
     Patched-by: Daniel Stenberg


Thanks a lot!


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
