CVE-2023-28322
📋 TL;DR
This vulnerability in curl versions before 8.1.0 causes information disclosure when reusing a handle between PUT and POST requests. It affects applications using libcurl for HTTP(S) transfers where the same handle is reused with different request methods, potentially causing the wrong data to be sent or memory corruption.
💻 Affected Systems
- curl
- libcurl
- any software using libcurl
📦 What is this software?
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
Fedora by Fedoraproject
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
⚠️ Risk & Real-World Impact
Worst Case
Application sends sensitive data to unintended recipients or crashes due to memory corruption (use-after-free), potentially leading to data exposure or denial of service.
Likely Case
Application sends incorrect data during POST requests after previously using the same handle for PUT requests, causing functional errors or data integrity issues.
If Mitigated
With proper handle management or updated curl, no impact occurs as the logic flaw is corrected.
🎯 Exploit Status
Exploitation requires control over both the application's curl usage patterns and the data being transferred. No public exploits have been documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: curl 8.1.0 and later
Vendor Advisory: https://curl.se/docs/CVE-2023-28322.html
Restart Required: No
Instructions:
1. Update curl to version 8.1.0 or later.
2. For Linux systems: Use package manager (apt-get upgrade curl, yum update curl, etc.).
3. For compiled applications: Recompile against libcurl >= 8.1.0.
4. Verify update with curl --version.
🔧 Temporary Workarounds
Avoid handle reuse between PUT and POST
Do not reuse the same curl handle when switching from PUT to POST requests. Create separate handles for different request methods.
Reset handle properly between requests
Use curl_easy_reset() or create new handles instead of reusing existing ones when changing request methods.
🧯 If You Can't Patch
- Implement strict handle management: Never reuse handles between PUT and POST operations.
- Add input validation and monitoring for unexpected data in POST requests to detect potential exploitation.
🔍 How to Verify
Check if Vulnerable:
Check curl version with 'curl --version' or 'curl -V'. If version is earlier than 8.1.0, the system is vulnerable.
Check Version:
curl --version | head -1
Verify Fix Applied:
After updating, run 'curl --version' and confirm version is 8.1.0 or higher. Test application functionality with handle reuse scenarios.
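The version check above, scripted as an added example (not code from the curl project or the original page). It reads the libcurl/X.Y.Z field of the banner rather than the tool version, since the flaw is in the library and the two can differ; the function names and sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a `curl --version` banner against the fixed release (8.1.0).
FIXED="8.1.0"

# Extract the libcurl version from the first banner line ("... libcurl/X.Y.Z ...").
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) when version $1 is lower than version $2, comparing major,
# minor and patch numerically so that 8.10.0 is not read as older than 8.1.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = x[i] + 0; yi = y[i] + 0   # "+ 0" drops suffixes such as "-DEV"
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "vulnerable", "fixed" or "unknown" for one banner line.
check_banner() {
    lib=$(libcurl_version "$1")
    if [ -z "$lib" ]; then
        echo "unknown"
    elif version_lt "$lib" "$FIXED"; then
        echo "vulnerable libcurl/$lib"
    else
        echo "fixed libcurl/$lib"
    fi
}

# Constructed sample banners (not captured from real hosts).
check_banner 'curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13'
check_banner 'curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.0.1 OpenSSL/3.0.11 zlib/1.2.13'
check_banner 'curl 8.10.0 (x86_64-pc-linux-gnu) libcurl/8.10.0 OpenSSL/3.3.1 zlib/1.3.1'
# To check the local install: check_banner "$(curl --version | head -n 1)"
```

Distribution packages can carry a backported fix under an older upstream version number, so a "vulnerable" result on a distro build should be confirmed against that distribution's advisory.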
📡 Detection & Monitoring
Log Indicators:
- Unexpected data in POST requests after PUT operations
- Application errors related to curl handle reuse
- Memory corruption errors in applications using libcurl
Network Indicators:
- POST requests containing data from previous PUT operations
- Inconsistent data patterns in HTTP(S) transfers
SIEM Query:
source="application_logs" AND ("curl" OR "libcurl") AND ("POST" NEAR "PUT") AND ("error" OR "unexpected" OR "corruption")
🔗 References
- http://seclists.org/fulldisclosure/2023/Jul/47
- http://seclists.org/fulldisclosure/2023/Jul/48
- http://seclists.org/fulldisclosure/2023/Jul/52
- https://hackerone.com/reports/1954658
- https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/
- https://security.gentoo.org/glsa/202310-12
- https://security.netapp.com/advisory/ntap-20230609-0009/
- https://support.apple.com/kb/HT213843
- https://support.apple.com/kb/HT213844
- https://support.apple.com/kb/HT213845