Is this the next log4j?
October 2023 by Ian Thornton-Trump, CISO at Cyjax
Last week Snyk published a blog about a high severity vulnerability found in libcurl and curl which could leave nearly all Linux systems vulnerable to attack. This may well be the next log4j.
The patch notes are due to be announced tomorrow but before then I have a comment from Ian Thornton-Trump, CISO at Cyjax discussing the severi
With any vulnerability such as this, we need a comprehensive vendor and CISA notification process to make sure everyone updates!
Curl and libcurl are bundled tools, found in nearly all Linux distributions on the planet, and curl may also be found in embedded systems that require a firmware update to fix. If the device is EOL or unsupported, this may end up being an unpatchable, externally exposed risk, but we don’t know that for sure—we should find out tomorrow if this issue is remotely exploitable, and I suspect it won’t be. Due to the nature of curl, it generally works with input into the tool, and that input may then cause some sort of exploit code.
The good news is that mitigation may be possible by adjusting security permissions to prevent a malicious script which "calls" curl and forces it to run the exploit code. If Linux services are running with root privileges and can access curl this exploit could wreak havoc on a lot of systems. Threat actors and ransomware groups will be closely monitoring the disclosure tomorrow, and it will be a race against time to patch or mitigate.