CVE-2023-27533

Vulnerability

The input validation flaw in curl versions prior to 8.0.0 during TELNET protocol communication allows an attacker to inject maliciously crafted user names and telnet options during server negotiation. The lack of proper input scrubbing enables the attacker to send arbitrary content or perform option negotiation without the application's intent. This vulnerability is exploitable when an application allows user input that is passed to curl's TELNET functionality.

Exploitation

An attacker can exploit this vulnerability by acting as a malicious TELNET server or by performing a man-in-the-middle attack during a TELNET session. The attacker crafts special telnet options and user name strings that bypass input validation. No authentication is required, but the application must be using curl's TELNET protocol and accepting user-provided input. According to the Gentoo advisory [2], successful remote code execution may be limited to SOCKS proxy usage contexts.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the target system with the privileges of the curl process. This could lead to full system compromise. The Gentoo advisory [2] notes that the risk of remote code execution is limited to SOCKS usage scenarios.

Mitigation

The vulnerability is fixed in curl version 8.0.0 and later. Users should upgrade to curl 8.0.0 or higher. For Gentoo systems, the recommended fix is to update to >=net-misc/curl-8.3.0-r2 [2]. No workaround is available.