Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
On October 11, 2023, Daniel Stenberg, in association with the release of curl 8.4.0, disclosed a significant security flaw, CVE-2023-38545, concerning a heap overflow vulnerability in curl. This vulnerability is considered to be of high severity.
The vulnerability stems from curl's support for the SOCKS5 proxy protocol. A specific function within curl, designed to connect to a SOCKS5 proxy, was converted from a blocking call into a non-blocking state machine in early 2020. This change inadvertently introduced the vulnerability, which allows for a potential heap buffer overflow if certain conditions are met.
Per the report, exploitation requires that the following conditions are met:
In a likely exploitation scenario, an attacker with control of an HTTPS server could trigger the heap overflow by convincing the target to visit a crafted URL using a vulnerable version of curl or libcurl with the appropriate parameters. Although these constraints reduce the risk of widespread exploitation, timely patching is still advised due to the popularity of curl and possible alternative exploitation methods.
Another vulnerability, CVE-2023-38546, was also disclosed, which allows an attacker to insert cookies into a running program using libcurl under specific conditions. This flaw is rated as Low severity due to the specific conditions required for exploitation.
The curl platform is extensively utilized across various organizations and applications. Given its widespread adoption, it's crucial for users and administrators to be vigilant and ensure that necessary security measures are in place.
The vulnerabilities, tracked as CVE-2023-38545 and CVE-2023-38546, were disclosed publicly for the curl and libcurl projects on October 11, 2023. The SOCKS5 heap buffer overflow was rated High severity and impacts both the curl tool and libcurl, while the cookie injection flaw was rated Low and impacts only libcurl. Both vulnerabilities were addressed with the release of curl 8.4.0.
The curl command line tool and the curl library, commonly referred to as libcurl, have been foundational components for network operations since their inception. Over the years, libcurl has been integrated into countless applications, ranging from command-line tools to sophisticated software systems. Given its widespread use, vulnerabilities in libcurl have the potential to impact a vast number of applications and systems.
The SOCKS5 heap buffer overflow vulnerability arose from a flaw in the SOCKS5 proxy handshake process. When curl was instructed to delegate hostname resolution to the SOCKS5 proxy, a bug could cause it to incorrectly copy an overly long hostname to the target buffer, leading to potential security risks. This vulnerability was inadvertently introduced when the SOCKS5 handshake code transitioned from a blocking function to a non-blocking state machine.
The curl advisory states “If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means ‘let the host resolve the name’ could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.”
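To make the mechanism quoted above concrete, the following is an added, simplified model written for this summary; it is not curl's source code. It models a non-blocking SOCKS5 request builder in two variants: a buggy one where the "resolve locally" decision is a local variable that is re-initialised every time the state machine is re-entered (so a slow proxy reply makes the decision vanish and the over-long hostname is copied), and a fixed one where the decision is persisted in the connection context and names too long for the SOCKS5 wire format are rejected up front. The buffer size, state names, `proxy_slow` flag and the resolved address are all constructed for the example; the bounded `req_append` records an overflow attempt instead of writing out of bounds, so the program itself never corrupts memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* SOCKS5 encodes a hostname behind a single length byte, so 255 is the
 * hard limit for a name sent to the proxy for remote resolution. */
#define SOCKS5_MAX_HOSTNAME 255
#define REQ_BUF_SIZE 300 /* hypothetical request buffer, sized for a 255-byte name */

enum step { STEP_INIT, STEP_WAIT_PROXY, STEP_BUILD_REQ, STEP_DONE, STEP_ERROR };

struct socks_ctx {
    bool want_remote_resolve;   /* socks5h://: ask the proxy to resolve the name */
    bool proxy_slow;            /* constructed: proxy reply is not immediately available */
    bool resolve_local;         /* persisted decision, used only by the fixed variant */
    const char *hostname;
    unsigned char req[REQ_BUF_SIZE];
    size_t reqlen;
    enum step step;
    bool overflow_attempted;    /* set instead of writing past req[] */
};

/* Bounded append: records an overflow attempt rather than corrupting memory. */
static void req_append(struct socks_ctx *c, const void *data, size_t len)
{
    if (c->reqlen + len > sizeof(c->req)) {
        c->overflow_attempted = true;
        return;
    }
    memcpy(c->req + c->reqlen, data, len);
    c->reqlen += len;
}

/* Emit the DST.ADDR part of the CONNECT request. */
static void emit_destination(struct socks_ctx *c, bool resolve_local)
{
    static const unsigned char resolved_v4[4] = {192, 0, 2, 10}; /* constructed (TEST-NET-1) */
    size_t hostlen = strlen(c->hostname);
    unsigned char atyp, len8;
    if (resolve_local) {
        atyp = 0x01;                                  /* ATYP = IPv4 address */
        req_append(c, &atyp, 1);
        req_append(c, resolved_v4, sizeof resolved_v4);
    } else {
        atyp = 0x03;                                  /* ATYP = DOMAINNAME */
        len8 = (unsigned char)hostlen;                /* silently truncates if > 255 */
        req_append(c, &atyp, 1);
        req_append(c, &len8, 1);
        req_append(c, c->hostname, hostlen);          /* the copy the advisory describes */
    }
}

/* Buggy variant: the decision lives in a local that is recomputed on every entry. */
static void step_buggy(struct socks_ctx *c)
{
    bool resolve_local = !c->want_remote_resolve;     /* re-initialised each call */

    if (c->step == STEP_INIT) {
        if (!resolve_local && strlen(c->hostname) > SOCKS5_MAX_HOSTNAME)
            resolve_local = true;   /* intended fallback: resolve here, send the address */
        if (c->proxy_slow) {        /* reply not in yet: return to the event loop ... */
            c->step = STEP_WAIT_PROXY;
            return;                 /* ... and the fallback decision is lost */
        }
        c->step = STEP_BUILD_REQ;
    } else if (c->step == STEP_WAIT_PROXY) {
        c->step = STEP_BUILD_REQ;   /* reply arrived; resolve_local is back to false */
    }
    if (c->step == STEP_BUILD_REQ) {
        emit_destination(c, resolve_local);
        c->step = STEP_DONE;
    }
}

/* Fixed variant: decide once, keep the decision in the context, and refuse
 * names that cannot be carried by the protocol when remote resolving was asked for. */
static void step_fixed(struct socks_ctx *c)
{
    if (c->step == STEP_INIT) {
        c->resolve_local = !c->want_remote_resolve;
        if (!c->resolve_local && strlen(c->hostname) > SOCKS5_MAX_HOSTNAME) {
            c->step = STEP_ERROR;   /* fail the transfer instead of falling back */
            return;
        }
        if (c->proxy_slow) { c->step = STEP_WAIT_PROXY; return; }
        c->step = STEP_BUILD_REQ;
    } else if (c->step == STEP_WAIT_PROXY) {
        c->step = STEP_BUILD_REQ;
    }
    if (c->step == STEP_BUILD_REQ) {
        emit_destination(c, c->resolve_local);
        c->step = STEP_DONE;
    }
}

/* Drive a variant to completion; reports the final state and any overflow attempt. */
static bool run_handshake(void (*step)(struct socks_ctx *), const char *host,
                          bool remote, bool slow, enum step *final_step)
{
    struct socks_ctx c;
    memset(&c, 0, sizeof c);
    c.want_remote_resolve = remote;
    c.proxy_slow = slow;
    c.hostname = host;
    c.step = STEP_INIT;
    for (int i = 0; i < 8 && c.step != STEP_DONE && c.step != STEP_ERROR; i++)
        step(&c);
    if (final_step) *final_step = c.step;
    return c.overflow_attempted;
}

/* Constructed 299-byte hostname, longer than SOCKS5 can encode. */
static const char *long_hostname(void)
{
    static char name[300];
    if (!name[0]) { memset(name, 'a', sizeof name - 1); name[sizeof name - 1] = '\0'; }
    return name;
}

static bool buggy_attempts_overflow(bool slow)
{
    return run_handshake(step_buggy, long_hostname(), true, slow, NULL);
}

static enum step fixed_outcome(const char *host, bool slow)
{
    enum step s;
    run_handshake(step_fixed, host, true, slow, &s);
    return s;
}

int main(void)
{
    printf("buggy, fast proxy : overflow attempted = %d\n", buggy_attempts_overflow(false));
    printf("buggy, slow proxy : overflow attempted = %d\n", buggy_attempts_overflow(true));
    printf("fixed, long name  : final state = %d (4 = error)\n", fixed_outcome(long_hostname(), true));
    printf("fixed, short name : final state = %d (3 = done)\n", fixed_outcome("example.com", true));
    return 0;
}
```

The contrast to look for is the second line of output: with a fast proxy the buggy variant behaves as intended, and only the slow handshake path attempts the oversized copy, which is why the advisory calls out the timing condition. The fixed variant never reaches the copy with a name the protocol cannot carry, regardless of proxy timing.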
On the other hand, the cookie injection vulnerability allowed attackers to inject cookies into a running program using libcurl under specific conditions. When duplicating an "easy handle" using the curl_easy_duphandle function, if the original handle had cookies enabled, the duplicated handle would inherit the cookie-enabled state but not the actual cookies, leading to potential security risks.
While there is no confirmed real-world exploitation of these vulnerabilities at this time, the disclosure of such flaws in a widely used library like libcurl is concerning. The combination of the technical details provided in the advisories, along with the attention these vulnerabilities have garnered, suggests that threat actors might explore potential exploitation avenues in the future.
Given the high severity of the SOCKS5 vulnerability and the potential impact of the cookie injection flaw, organizations and developers using curl or libcurl are strongly advised to update to curl 8.4.0 or later, or apply the recommended patches, to mitigate the risks associated with these vulnerabilities.
References:
[1] https://www.helpnetsecurity.com/2023/10/10/curl-vulnerabilities-cve-2023-38545/
[2] https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
[3] https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/
[4] https://curl.se/docs/CVE-2023-38545.html
[5] https://curl.se/docs/CVE-2023-38546.html