A critical SOCKS5 heap buffer overflow vulnerability has been reported in the curl and libcurl (CVE-2023-38545). After a comprehensive audit, all HYCU’s product and SaaS services are not impacted by this vulnerability.
Date of Publication
October 11th, 2023
A heap-based buffer overflow flaw was found in the SOCKS5 proxy handshake in the Curl package. If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. If the hostname is longer, then Curl switches to the local name resolving and passes the resolved address only to the proxy. The local variable that instructs Curl to "let the host resolve the name" could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behaviour.
This vulnerability only affects curl and libcurl 7.69.0 to and including 8.3.0.
Once the vulnerability was identified, HYCU completed a comprehensive audit of all its software and services, and our support team has established that HYCU users are not impacted by the critical curl and libcurl vulnerability known as CVE-2023-38545. Based on our team’s audit, there is no additional remediation required for any HYCU Software or Service at this time.
Related to this incident, here are additional specifics for the HYCU software and services portfolio and any action that is required.
|Software / Service||Description||Impact Statement||Action Required|
|HYCU for Enterprise Clouds||Software used to protect customer’s infrastructure running VMware, Nutanix, Azure Government and physical servers||The solution does not use the affected library. So, it is not exposed to this vulnerability||None Required|
|HYCU Protégé||Service used to protect workloads on AWS, Google Cloud Platform and SaaS applications||The solution does not use the affected library. So, it is not exposed to this vulnerability||None Required|
|HYCU Protégé for Google Cloud||Service used to protect workloads on Google Cloud Platform||The solution does not use the affected library. So, it is not exposed to this vulnerability||None Required|
|HYCU Protégé for Azure||Service used to protect workloads on Microsoft Azure Cloud||The solution does not use the affected library. So, it is not exposed to this vulnerability||None Required|
RedHat security advisory: https://access.redhat.com/security/cve/cve-2023-38545