On October 11, 2023, Daniel Stenberg, alongside the release of curl 8.4.0, disclosed CVE-2023-38545, a heap buffer overflow vulnerability in curl rated High severity.
The vulnerability stems from curl's support for the SOCKS5 proxy protocol. A specific function within curl, designed to connect to a SOCKS5 proxy, was converted from a blocking call into a non-blocking state machine in early 2020. This change inadvertently introduced the vulnerability, which allows for a potential heap buffer overflow if certain conditions are met.
Per the report, exploitation requires that the following conditions be met:
In a likely exploitation scenario, an attacker with control of an HTTPS server could trigger the heap overflow by convincing the target to visit a crafted URL using a vulnerable version of curl or libcurl with the appropriate parameters. Although these constraints reduce the risk of widespread exploitation, timely patching is still advised due to the popularity of curl and possible alternative exploitation methods.
Another vulnerability, CVE-2023-38546, was also disclosed, which allows an attacker to insert cookies into a running program using libcurl under specific conditions. This flaw is rated as Low severity due to the specific conditions required for exploitation.
curl is extensively used across organizations and applications. Given its widespread adoption, users and administrators should ensure that the necessary security measures are in place.
The vulnerabilities, tracked as CVE-2023-38545 and CVE-2023-38546, were publicly disclosed for the curl and libcurl projects on October 11, 2023. The SOCKS5 heap buffer overflow, rated High severity, impacts both curl and libcurl, while the cookie injection flaw, rated Low, impacts only libcurl. Both vulnerabilities were addressed with the release of curl 8.4.0.
The curl command-line tool and the curl library, commonly referred to as libcurl, have been foundational components for network operations since their inception. Over the years, they have been integrated into countless applications, ranging from command-line tools to sophisticated software systems. Given this widespread use, vulnerabilities in libcurl have the potential to impact a vast number of applications and systems.
The SOCKS5 heap buffer overflow vulnerability arose from a flaw in the SOCKS5 proxy handshake process. When curl was instructed to delegate hostname resolution to the SOCKS5 proxy, a bug could cause it to incorrectly copy an overly long hostname to the target buffer, leading to potential security risks. This vulnerability was inadvertently introduced when the SOCKS5 handshake code transitioned from a blocking function to a non-blocking state machine.
The curl advisory states “If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means ‘let the host resolve the name’ could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.”
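To make the mechanism concrete, the following added example (written for this advisory, not curl's own code) builds the two SOCKS5 CONNECT request forms described above: the domain-name form, which carries a single length byte and therefore cannot hold a hostname longer than 255 bytes, and the IPv4 form used after local resolution. The function and constant names are hypothetical, and the point is that the fall-back decision and the buffer-size check happen in the same step as the copy, rather than in a state variable that a stalled handshake can reset.

```c
#include <stdint.h>
#include <string.h>

#define SOCKS5_MAX_HOSTLEN 255  /* the wire format has a single length byte */

/* Return values for the request builders (hypothetical names). */
enum { SOCKS5_RESOLVE_LOCALLY = -1, SOCKS5_TOO_SMALL = -2 };

/* Build a SOCKS5 CONNECT request that asks the proxy to resolve the name:
 *   VER=5 CMD=1 RSV=0 ATYP=3 LEN host PORT(2 bytes, network order)
 * Returns bytes written, SOCKS5_RESOLVE_LOCALLY if the caller must resolve
 * the name itself (hostname too long for the protocol, or proxy resolution
 * not requested), or SOCKS5_TOO_SMALL if buf cannot hold the request. */
int socks5_build_connect_name(const char *host, size_t hostlen, uint16_t port,
                              int proxy_resolves, unsigned char *buf, size_t buflen)
{
    /* The decision to fall back to local resolving is made right here, in
     * the same step as the copy. CVE-2023-38545 happened because that
     * decision lived in a state variable that could get the wrong value
     * during a slow handshake, so the too-long name was copied anyway. */
    if (!proxy_resolves || hostlen > SOCKS5_MAX_HOSTLEN)
        return SOCKS5_RESOLVE_LOCALLY;
    size_t need = 4 + 1 + hostlen + 2;
    if (need > buflen)               /* check the real buffer, not a flag */
        return SOCKS5_TOO_SMALL;
    buf[0] = 5; buf[1] = 1; buf[2] = 0; buf[3] = 3;
    buf[4] = (unsigned char)hostlen; /* fits: hostlen <= 255 */
    memcpy(buf + 5, host, hostlen);
    buf[5 + hostlen] = (unsigned char)(port >> 8);
    buf[6 + hostlen] = (unsigned char)(port & 0xff);
    return (int)need;
}

/* Build the request used after local resolution: ATYP=1 carries only the
 * 4-byte IPv4 address, so the hostname length never reaches the buffer. */
int socks5_build_connect_ipv4(const unsigned char ip[4], uint16_t port,
                              unsigned char *buf, size_t buflen)
{
    if (buflen < 10)
        return SOCKS5_TOO_SMALL;
    buf[0] = 5; buf[1] = 1; buf[2] = 0; buf[3] = 1;
    memcpy(buf + 4, ip, 4);
    buf[8] = (unsigned char)(port >> 8);
    buf[9] = (unsigned char)(port & 0xff);
    return 10;
}
```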
On the other hand, the cookie injection vulnerability allowed attackers to inject cookies into a running program using libcurl under specific conditions. When duplicating an "easy handle" using the curl_easy_duphandle function, if the original handle had cookies enabled, the duplicated handle would inherit the cookie-enabled state but not the actual cookies, leading to potential security risks.
While there is no confirmed real-world exploitation of these vulnerabilities at this time, the disclosure of such flaws in a widely used library like libcurl is concerning. The combination of the technical details provided in the advisories, along with the attention these vulnerabilities have garnered, suggests that threat actors might explore potential exploitation avenues in the future.
Given the critical nature of the SOCKS5 vulnerability and the potential impact of the cookie injection flaw, organizations and developers using libcurl are strongly advised to update to the latest version or apply the recommended patches to mitigate the risks associated with these vulnerabilities.
References:
[1] https://www.helpnetsecurity.com/2023/10/10/curl-vulnerabilities-cve-2023-38545/
[2] https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
[3] https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/
[4] https://curl.se/docs/CVE-2023-38545.html
[5] https://curl.se/docs/CVE-2023-38546.html