# [HIGH] High severity vulnerability found in libcurl and curl (CVE-2023-38545) **Source:** Snyk **Published:** 2023-10-04 **Article:** https://snyk.io/blog/curl-high-severity-vulnerability-oct-2023/ ## Threat Profile Snyk Blog In this article Written by Hadas Bloom Tal Dromi Micah Silverman October 4, 2023 0 mins read Update: October 11, 2023 Today, at 06:00 UTC, the maintainers of cURL released the 8.4.0 versions of curl and libcurl to mitigate a High severity, heap-based buffer overflow ( proof-of-concept and the initial notification ) that could impact systems with a specific configuration and preconditions. This zero-day vulnerability is present in packages from several managed and unmanaged open sour… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2023-38545` - **CVE:** `CVE-2023-38546` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1203** — Exploitation for Client Execution ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Curl invoked with SOCKS5-hostname resolution (CVE-2023-38545 exploit precondition) `UC_1365_2` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="curl.exe" OR Processes.process_name="curl") AND (Processes.process="*--socks5-hostname*" OR Processes.process="*socks5h://*" OR Processes.process="*-x socks5h*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_hash | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where FileName =~ "curl.exe" or FileName =~ "curl" | where ProcessCommandLine has_any ("--socks5-hostname", "socks5h://", "-x socks5h", "--proxy socks5h") | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Vulnerable libcurl/curl version present on host (CVE-2023-38545) `UC_1365_3` · phase: **recon** · confidence: **High** · AI-generated for this article **Defender KQL:** ```kql DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-2023-38545" | join kind=leftouter (DeviceTvmSoftwareInventory | project DeviceId, SoftwareName, SoftwareVersion, SoftwareVendor) on DeviceId, SoftwareName | project Timestamp, DeviceId, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate | order by Timestamp desc ``` ### Article-specific behavioural hunt — High severity vulnerability found in libcurl and curl (CVE-2023-38545) `UC_1365_1` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — High severity vulnerability found in libcurl and curl (CVE-2023-38545) ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/usr/bin/curl*" OR Filesystem.file_path="*/usr/local/bin/curl*" OR Filesystem.file_path="*/opt/homebrew/opt/curl*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — High severity vulnerability found in libcurl and curl (CVE-2023-38545) // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/usr/bin/curl", "/usr/local/bin/curl", "/opt/homebrew/opt/curl")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2023-38545`, `CVE-2023-38546` ## Why this matters Severity classified as **HIGH** based on: CVE present, 4 use case(s) fired, 3 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.