SUMMARY
A security vulnerability has been identified in the commonly used network utility library, libcurl.
Foundry engineers have audited our use of the library. With default OS environment settings, we do not believe our software will be affected.
Some configuration options offered by libcurl, when enabled by end users, may increase the risk this vulnerability poses. This article provides the full technical details and recommendations regarding this security vulnerability.
MORE INFORMATION
The vulnerability CVE-2023-38545 is exploited through a bug in the SOCKS5 proxy support offered by libcurl. The vulnerability, if successfully exploited, could allow an attacker to remotely execute code - see here for full details. By default, Foundry products do not make use of this library feature but it can be enabled if certain environment variables are present in the user’s environment. You may wish to take remedial action to lower the risk posed by this vulnerability if your network or environment:
- Makes use of a SOCKS proxy server
- Has libcurl environment variables configured that cause libcurl traffic to be routed to the SOCKS proxy server. Specifically, socks5h:// is set as the scheme in environment variables such as http_proxy (lowercase), HTTPS_PROXY or ALL_PROXY
- Retrieves URLs and content via libcurl that are not under the direct control of your network administrator
To disable libcurl proxy behaviour the environment variable NO_PROXY can be set. Depending on your existing configuration, you may be able to fully disable proxy support by adding the following to your shell environment for macOS or Linux users:
export NO_PROXY=*
For Windows users:
set NO_PROXY=*
If FN_CURLOPT_PROXY was previously set to use socks5h://, it should be removed from your environment.
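To check whether these conditions apply to a macOS or Linux shell, the following script (an added example, not Foundry or curl code) lists which of the proxy variables named in this article use the socks5h:// scheme. The function names are hypothetical, and the lowercase https_proxy, all_proxy and no_proxy forms are included because curl also reads them.

```shell
#!/bin/sh
# Added example: audit the proxy variables named in the article for socks5h://.
# Function names are hypothetical; variable values are never printed because
# proxy URLs can embed credentials (user:password@host).

# Variables from the article, plus the lowercase forms curl also reads.
PROXY_VARS="http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy FN_CURLOPT_PROXY"

# Print the name of every variable whose value starts with socks5h://.
# The scheme is matched case-insensitively to stay on the conservative side.
find_socks5h_vars() {
    for name in $PROXY_VARS; do
        eval "value=\${$name-}"   # safe: $name comes only from the fixed list
        case $(printf '%s' "$value" | tr 'A-Z' 'a-z') in
            socks5h://*) printf '%s\n' "$name" ;;
        esac
    done
}

# Succeeds when the effective no-proxy setting is the "*" wildcard.
# curl consults lowercase no_proxy first and falls back to NO_PROXY.
no_proxy_is_wildcard() {
    [ "${no_proxy:-${NO_PROXY-}}" = "*" ]
}

# Summarise the findings; returns 1 when a socks5h:// setting needs review.
audit_proxy_env() {
    risky=$(find_socks5h_vars)
    if [ -z "$risky" ]; then
        echo "OK: no proxy variable uses the socks5h:// scheme"
        return 0
    fi
    printf 'REVIEW: socks5h:// is set in: %s\n' "$(echo $risky)"
    if no_proxy_is_wildcard; then
        echo "NOTE: NO_PROXY is '*'"
    else
        echo "NOTE: NO_PROXY is not '*'"
    fi
    return 1
}
```

Source the file in the shell that launches the application and run audit_proxy_env; a non-zero status means at least one variable still points at a socks5h:// proxy.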
If it is not possible to disable proxy support in your environment, consider increasing the monitoring and filtering of traffic flowing through the proxy server. Consult the documentation of your proxy server for how to do this. Alternatively, where possible, consider routing traffic through an alternative proxy server, such as an HTTP/HTTPS proxy, until a fix for the vulnerability has been made widely available.
FURTHER READING
Q100015: How to set environment variables
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545
https://curl.se/docs/CVE-2023-38545.html
https://hackerone.com/reports/2187833
https://cwe.mitre.org/data/definitions/122.html
FURTHER HELP
We take customer security very seriously and will update this article if any further information comes to light.
If you have any questions or concerns, please contact us by opening a Support request following the guidance in this article: Q100064: How to raise a support ticket