CVE-2023-27534
📋 TL;DR
A path traversal vulnerability in curl's SFTP implementation allows attackers to bypass path filtering by using specially crafted paths containing tilde characters. This affects curl versions before 8.0.0 when using SFTP functionality, potentially enabling arbitrary code execution or unauthorized file access.
💻 Affected Systems
- curl
- libcurl
- applications using libcurl
📦 What is this software?
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on systems using vulnerable curl with SFTP, potentially leading to complete system compromise.
Likely Case
Unauthorized file access or path traversal allowing attackers to read/write files outside intended directories.
If Mitigated
Limited impact if SFTP functionality is disabled or proper input validation is implemented.
🎯 Exploit Status
Exploitation requires SFTP server access and knowledge of user context; proof-of-concept available in HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: curl 8.0.0 and later
Vendor Advisory: https://curl.se/docs/CVE-2023-27534.html
Restart Required: No
Instructions:
1. Update curl to version 8.0.0 or later.
2. For Linux: use the package manager (apt-get upgrade curl, yum update curl, etc.).
3. For Windows: download the latest version from curl.se.
4. Rebuild applications that link libcurl statically, since they carry their own copy of the library.
🔧 Temporary Workarounds
Disable SFTP protocol
Prevent curl from using the SFTP protocol entirely
curl --proto =http,https,ftp,ftps
Input validation wrapper
Implement a script wrapper that validates paths before passing them to curl
#!/bin/bash
# Reject any argument (URL or path) containing a tilde followed by a digit,
# the pattern this advisory describes, before handing the invocation to curl.
# Install this under a different name than "curl", otherwise exec recurses.
pattern='~[0-9]'
for arg in "$@"; do
if [[ "$arg" =~ $pattern ]]; then
echo "Invalid path pattern in argument: $arg" >&2
exit 1
fi
done
exec curl "$@"
🧯 If You Can't Patch
- Implement network segmentation to restrict SFTP traffic to trusted sources only
- Deploy web application firewall (WAF) or reverse proxy with path traversal protection
🔍 How to Verify
Check if Vulnerable:
Run: curl --version | head -1 | grep -E '^curl [0-7]\.' (a match means the curl tool is older than 8.0.0; anchoring on the first field avoids false matches against the OpenSSL or zlib versions listed later on the same line)
Check Version:
curl --version | head -1
Verify Fix Applied:
Run: curl --version | head -1 | grep -E '^curl ([89]|[1-9][0-9]+)\.' (a match means the curl tool is 8.0.0 or later)
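The grep checks above look only at the version of the curl tool. The following POSIX sh script is an added example, not part of this advisory or of the curl project: it parses a curl --version banner and also checks the libcurl version the tool reports it is linked against, because the SFTP code lives in libcurl and an updated tool can still load an older shared library. The banner lines and function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): decide from a `curl --version`
# banner whether a build is in the CVE-2023-27534 affected range (before
# 8.0.0). The banner lines below are constructed for this example.

OLD_BANNER='curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9 zlib/1.2.13'
NEW_BANNER='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11 zlib/1.2.13'
# A tool updated in place but still loading an older shared libcurl.
MIXED_BANNER='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9 zlib/1.2.13'

# Major version of the curl tool named at the start of the banner.
curl_tool_major() {
    printf '%s\n' "$1" | sed -n 's/^curl \([0-9][0-9]*\)\..*/\1/p'
}

# Major version of the libcurl the tool reports it is linked against.
libcurl_major() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9]*\)\..*/\1/p'
}

# Exit 0 if the banner describes a vulnerable build, 1 if fixed, 2 if the
# banner could not be parsed. Both numbers must be 8 or higher: the SFTP
# code is in libcurl, so an 8.x tool over a 7.x library is still affected.
curl_is_vulnerable() {
    tool=$(curl_tool_major "$1")
    lib=$(libcurl_major "$1")
    [ -n "$tool" ] && [ -n "$lib" ] || return 2
    if [ "$tool" -lt 8 ] || [ "$lib" -lt 8 ]; then
        return 0
    fi
    return 1
}

# Verdict for the curl on PATH; prints UNKNOWN when curl is absent or the
# banner is in an unexpected format.
check_installed_curl() {
    banner=$(curl --version 2>/dev/null | head -n 1)
    rc=0
    curl_is_vulnerable "$banner" || rc=$?
    case $rc in
        0) echo "VULNERABLE: $banner" ;;
        1) echo "FIXED: $banner" ;;
        *) echo "UNKNOWN: cannot parse '$banner'" ;;
    esac
}

check_installed_curl
```

Distributions that backport fixes into an older release, as the Debian and Fedora advisories in the references do for their own packages, can ship a fixed build that still reports a 7.x version string; on such hosts confirm against the package changelog rather than the banner alone.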
📡 Detection & Monitoring
Log Indicators:
- SFTP connections with paths containing ~ followed by numbers
- Unexpected file access patterns via curl/SFTP
Network Indicators:
- SFTP traffic to/from systems running curl < 8.0.0
- Unusual path patterns in SFTP protocol
SIEM Query:
source="*curl*" AND (path="~*" OR path="*/~*") AND protocol="sftp"
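As an added example that is not part of this advisory, the following POSIX sh script applies the log indicator above to sftp-server style records: it flags request lines whose quoted path contains a tilde followed by a digit and joins each hit to the session that issued it, using the sftp-server PID as the correlation key, so an analyst gets the user and source address alongside the path. The log lines are constructed for this example; their layout follows OpenSSH sftp-server INFO-level logging and should be checked against real logs before use.

```shell
#!/bin/sh
# Added example (not from the advisory): scan sftp-server style log lines
# for request paths containing "~<digit>", the pattern the log indicators
# describe, and attribute each hit to the session that issued it.
# SAMPLE_LOG is constructed for this example.

SAMPLE_LOG='Mar 20 10:01:02 bastion sftp-server[4021]: session opened for local user alice from [192.0.2.10]
Mar 20 10:01:03 bastion sftp-server[4021]: open "/srv/data/report.csv" flags READ mode 0666
Mar 20 10:01:09 bastion sftp-server[4022]: session opened for local user bob from [198.51.100.7]
Mar 20 10:01:10 bastion sftp-server[4022]: open "/~2/foo" flags READ mode 0666
Mar 20 10:01:11 bastion sftp-server[4022]: realpath "~7/"
Mar 20 10:01:12 bastion sftp-server[4021]: open "/home/alice/~notes.txt" flags READ mode 0666'

# Print every line whose quoted request path contains a tilde followed by a
# digit. A tilde followed by a letter (a plain file name) is not flagged.
flag_tilde_paths() {
    grep -E '"[^"]*~[0-9][^"]*"'
}

# Print one "<user> <source-ip> <path>" line per flagged request, using the
# sftp-server PID to join the request to the "session opened" record.
report_tilde_requests() {
    awk '
        match($0, /sftp-server\[[0-9]+\]/) {
            pid = substr($0, RSTART + 12, RLENGTH - 13)
        }
        /session opened for local user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") user[pid] = $(i + 1)
            src[pid] = $NF
            gsub(/\[|\]/, "", src[pid])
        }
        /\"[^\"]*~[0-9][^\"]*\"/ {
            if (match($0, /\"[^\"]*\"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                printf "%s %s %s\n", (pid in user ? user[pid] : "?"), (pid in src ? src[pid] : "?"), path
            }
        }'
}

# Stand-alone run over the constructed sample; pipe real logs in instead.
printf '%s\n' "$SAMPLE_LOG" | report_tilde_requests
```

Web proxies or application logs that record the original URL rather than the path the SFTP server saw may show the tilde percent-encoded as %7E, so a SIEM rule built on this indicator should match both forms.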
🔗 References
- https://hackerone.com/reports/1892351
- https://lists.debian.org/debian-lts-announce/2024/03/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/
- https://security.gentoo.org/glsa/202310-12
- https://security.netapp.com/advisory/ntap-20230420-0012/