CVE-2023-38545
Published: 18 October 2023
Summary
CVE-2023-38545 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in NetApp Active IQ Unified Manager. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 3.6% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.
Deeper analysis
This flaw is a heap-based buffer overflow in curl that occurs during the SOCKS5 proxy handshake. When curl is instructed to pass a hostname longer than 255 bytes to the proxy for remote resolution, a logic error tied to a slow handshake can cause the oversized hostname from the supplied URL to be copied into a heap buffer instead of the intended resolved address.
An unauthenticated remote attacker can trigger the overflow simply by causing curl to perform a SOCKS5 connection to a URL containing an excessively long hostname. Successful exploitation can result in arbitrary code execution, information disclosure, or denial of service, consistent with the CVSS 9.8 rating and CWE-787 classification.
Public advisories and patch information are available at the referenced URLs, including the official curl project entry at https://curl.se/docs/CVE-2023-38545.html and related vendor disclosures.
The associated EPSS score has remained in the 0.26–0.28 range with no pronounced post-disclosure climb from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42344
Vulnerability details
This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy so that the proxy resolves the address instead of curl doing it itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on only the resolved address. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake and, contrary to the intention, copy the too-long host name to the target buffer instead of copying just the resolved address there. The target buffer is a heap-based buffer, and the host name comes from the URL that curl has been told to operate with.
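To make the "slow handshake" condition concrete, here is an added, constructed model of the handshake state machine (not curl's own code) with the vulnerable and the fixed decision side by side. The buffer size, the state names and `run_handshake` are assumptions for illustration; the model reports an over-long copy instead of performing it.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of curl's SOCKS5 handshake, not curl's code; the
   buffer size is an assumption (the real target is curl's heap buffer). */
#define SOCKS5_MAX_HOST 255  /* longest name the SOCKS5 protocol can carry */
#define BUF_SIZE        256  /* assumed request buffer size */

enum state { S_INIT, S_REQ, S_DONE };
struct conn { enum state st; bool remote_resolve; char buf[BUF_SIZE]; };

/* One entry into the handshake: returns bytes copied into buf, 0 if it yielded
   because the proxy was slow, -1 if refused, -2 if the copy would overflow. */
static int socks5_step(struct conn *c, const char *host, bool slow, bool fixed)
{
    size_t len = strlen(host);
    /* Like the vulnerable code: a local recomputed from the proxy type on
       EVERY entry, so whatever S_INIT decided is forgotten on re-entry. */
    bool resolve_local = !c->remote_resolve;

    if (c->st == S_INIT) {
        if (!resolve_local && len > SOCKS5_MAX_HOST) {
            if (fixed) return -1;  /* fix: refuse, the name cannot go remote */
            resolve_local = true;  /* bug: "resolve locally" lives only here */
        }
        c->st = S_REQ;
        if (slow) return 0;        /* proxy not ready: yield, re-enter later */
    }
    if (c->st == S_REQ) {
        const char *src = resolve_local ? "\x7f\0\0\1" : host; /* 127.0.0.1 */
        size_t n = resolve_local ? 4 : len;
        c->st = S_DONE;
        if (n > BUF_SIZE) return -2;  /* the overflow the CVE describes, reported */
        memcpy(c->buf, src, n);
        return (int)n;
    }
    return -1;
}

/* Drive one handshake for a hostname of hostlen 'a' characters. */
int run_handshake(size_t hostlen, bool slow, bool fixed)
{
    char host[1024];
    struct conn c = { S_INIT, true, {0} };
    int r = 0;
    if (hostlen >= sizeof host) return -1;
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    while (r == 0) r = socks5_step(&c, host, slow, fixed);
    return r;
}
```

With a fast proxy the vulnerable variant behaves as intended (only a 4-byte address is copied); with a slow proxy the re-entry forgets the decision and the 300-byte name is sent to the buffer, while the fixed variant refuses up front in both cases.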
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by standard memory protections such as non-executable memory.