CVE-2023-23916 is a resource allocation issue (allocation without limits or throttling) in curl versions prior to 7.88.0. The problem lies in curl's handling of chained HTTP compression, where a server response may be compressed several times over and curl stacks one decoder per compression step. A malicious server can exploit the flaw to make curl consume enormous amounts of memory or fail with out-of-memory errors.
Details
curl's support for chained HTTP compression allows a server response to be compressed multiple times, possibly with different algorithms, and curl builds a chain of decoders (one "link" per compression step) to undo them in order. To bound the work and memory this can cost, curl caps the number of links it accepts in the decompression chain. Before 7.88.0, however, that cap was enforced per header: the link counter started over for every header that listed encodings, rather than being carried across all headers of the response. A malicious server could therefore keep each individual header under the cap and simply send many such headers, building a decompression chain of practically unlimited length.
Exploit
Exploiting this turns the decompression chain into what is known as a "malloc bomb": curl allocates decoder state for every link, so it either consumes very large amounts of heap memory, potentially all that is available to the process, or fails with out-of-memory errors. In either case the outcome is a denial of service for the client running curl (the transfer fails or the process is killed), not code execution on the client.
Code Snippet
The following pseudocode contrasts the pre-7.88.0 per-header cap with a cap maintained across all headers of a response. It is a simplified illustration rather than curl's actual source; for_each_header, for_each_encoding_in and push_decoder stand in for curl's header walking and decoder stacking.
// Incorrect implementation - per-header cap: the counter is reset for every
// header, so N headers with fewer than MAX_LINKS encodings each always pass
for_each_header(header) {
    int num_links = 0;
    for_each_encoding_in(header, enc) {
        if (num_links >= MAX_LINKS) {
            return ERROR;
        }
        num_links++;
        push_decoder(enc);
    }
}
// Correct implementation - global cap: one counter for the whole response,
// so the total chain length is bounded no matter how the links are split
int num_links = 0;
for_each_header(header) {
    for_each_encoding_in(header, enc) {
        if (num_links >= MAX_LINKS) {
            return ERROR;
        }
        num_links++;
        push_decoder(enc);
    }
}
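To make the difference between the two policies concrete, here is an added, runnable C simulation of the chain-length check (example code written for this page, not curl's implementation). It parses a constructed list of response headers, counts the encodings listed in every Content-Encoding header, and enforces the cap either per header or across the whole response. The names MAX_LINKS, build_chain and chain_depth_for_many_headers, the value 5 for the cap, and all sample headers are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical cap on the number of decoders chained for one response.
   The constant name and value are assumptions for this example, not curl's. */
#define MAX_LINKS 5

/* Which policy the chain builder enforces. */
enum cap_policy {
    CAP_PER_HEADER, /* counter reset for every header: the pre-7.88.0 flaw */
    CAP_GLOBAL      /* one counter for the whole response: the fixed behaviour */
};

struct chain_result {
    int accepted; /* 1 if every link was accepted, 0 if the chain was rejected */
    int depth;    /* number of decoders that would have been stacked */
};

/* Case-insensitive prefix test, as HTTP header names are case-insensitive. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Walk the response headers, count the encodings listed in every
   Content-Encoding header, and stop as soon as the cap is exceeded. */
static struct chain_result build_chain(const char *const headers[], int nheaders,
                                       enum cap_policy policy)
{
    static const char prefix[] = "Content-Encoding:";
    struct chain_result r = { 1, 0 };
    int links = 0;

    for (int h = 0; h < nheaders; h++) {
        const char *p = headers[h];
        if (!starts_with_ci(p, prefix))
            continue;
        p += sizeof prefix - 1;

        if (policy == CAP_PER_HEADER)
            links = 0; /* the flaw: every header starts with a fresh budget */

        for (;;) {
            while (*p == ' ' || *p == '\t' || *p == ',')
                p++;
            if (!*p)
                break;
            const char *start = p;
            while (*p && *p != ',' && *p != ' ' && *p != '\t')
                p++;
            size_t n = (size_t)(p - start);
            if (n == 8 && strncmp(start, "identity", 8) == 0)
                continue; /* "identity" adds no decoder */
            if (links >= MAX_LINKS) {
                r.accepted = 0; /* too many links: refuse the chain */
                return r;
            }
            links++;
            r.depth++;
        }
    }
    return r;
}

/* Constructed sample header sets (not captured traffic). */
static const char *const benign[] = {
    "Content-Type: application/octet-stream",
    "Content-Encoding: gzip, br",
};
static const char *const overlong_single[] = {
    "Content-Encoding: gzip, gzip, gzip, gzip, gzip, gzip, gzip, gzip",
};

/* The attack shape: many headers, each individually under the cap.
   Returns the accepted chain depth, or -1 if the chain was rejected. */
#define MANY_HEADERS 200
static int chain_depth_for_many_headers(enum cap_policy policy)
{
    const char *headers[MANY_HEADERS];
    for (int i = 0; i < MANY_HEADERS; i++)
        headers[i] = "Content-Encoding: gzip, gzip, gzip, gzip"; /* 4 < MAX_LINKS */
    struct chain_result r = build_chain(headers, MANY_HEADERS, policy);
    return r.accepted ? r.depth : -1;
}

int main(void)
{
    printf("benign, global cap: accepted=%d depth=%d\n",
           build_chain(benign, 2, CAP_GLOBAL).accepted,
           build_chain(benign, 2, CAP_GLOBAL).depth);
    printf("8 links in one header, per-header cap: accepted=%d\n",
           build_chain(overlong_single, 1, CAP_PER_HEADER).accepted);
    printf("200 headers x 4 links, per-header cap: depth=%d\n",
           chain_depth_for_many_headers(CAP_PER_HEADER));
    printf("200 headers x 4 links, global cap: depth=%d\n",
           chain_depth_for_many_headers(CAP_GLOBAL));
    return 0;
}
```

With the per-header policy, 200 headers carrying four encodings each build an 800-deep chain without ever tripping the check, while a single header with eight encodings is rejected; the same check applied across the whole response rejects the 200-header response at its sixth link. The per-response counter is the entire fix, which is why the real patch needed no new user-facing option.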
Original References
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23916
- curl advisory: https://curl.se/docs/CVE-2023-23916.html
- curl Release Notes: https://curl.se/changes.html#7_88_0
Mitigation
To mitigate this vulnerability, upgrade curl (and libcurl, which contains the same code) to version 7.88.0 or later; the affected range runs from 7.57.0, where chained compression support was introduced, through 7.87.0. The fixed implementation enforces a single cap on the number of links in the decompression chain across all headers of a response, so a server can no longer extend the chain by splitting it over many headers. Check the installed version with curl --version, and bear in mind that distribution packages may carry a backported fix under an older version number, in which case the package changelog is the authority on whether a build is patched.
Conclusion
In summary, CVE-2023-23916 is a denial-of-service vulnerability in curl versions prior to 7.88.0, caused by enforcing the decompression chain length cap per header rather than per response. A malicious server can exploit it to drive curl into excessive memory consumption or out-of-memory failures. Users should update their curl and libcurl installations.
Timeline
Published on: 02/23/2023 20:15:00 UTC
Last modified on: 03/09/2023 19:15:00 UTC