SecurityWeek

cURL Security Audit Reveals Several Vulnerabilities

The latest version of cURL patches nearly a dozen vulnerabilities, more than half of which were discovered as a result of an audit conducted recently by security experts.

cURL is an open source command-line tool and library for transferring data. It is used by thousands of software applications and embedded in networking devices, printers, media equipment, phones, tablets, TVs and even cars.

Daniel Stenberg, lead developer of cURL and Mozilla employee, requested a security audit of cURL from the Mozilla Secure Open Source (SOS) program. The audit was conducted over a 20-day period in August and September by five testers at Germany-based security services provider Cure53.

The audit revealed a total of 23 issues, including nine security flaws. An analysis of the findings by cURL developers led to two of the vulnerabilities being merged and one being classified as a “plain bug” since it involved a very complicated attack scenario.

Of the nine security holes detailed in Cure53’s report, four have been rated “high severity” and four are considered “medium severity.” The high severity issues, which could lead to remote code execution, are tracked as CVE-2016-8617, CVE-2016-8619, CVE-2016-8622 and CVE-2016-8623.

Despite the significant number of flaws, Cure53 concluded that “the overall impression of the state of security and robustness of the cURL library was positive.”

The latest version of cURL, version 7.51.0, patches a total of 11 vulnerabilities. In addition to the seven issues found by Cure53, flaws were also reported by Luật Nguyễn, Christian Heimes and Fernando Muñoz. Stenberg pointed out that before this security audit, the highest number of vulnerabilities fixed in a single release was four.

“I applied for the security audit because I feel that we’ve had some security related issues lately and I’ve had the feeling that we might be missing something so it would be really good to get some experts’ eyes on the code,” Stenberg said in a blog post. “Also, as curl is one of the most used software components in the world a serious problem in curl could have a serious impact on tools, devices and applications everywhere. We don’t want that to happen.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.