Elastic Security Detection Rules

Potential curl CVE-2023-38545 Exploitation

Last updated 4 months ago on 2025-02-04
Created 2 years ago on 2023-10-11

About

Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionUse Case: VulnerabilityTactic: ExecutionData Source: Elastic DefendLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

Exploitation for Client Execution (T1203)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*
Related Integrations

endpoint(opens in a new tab or window)

Query
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl"
and (
  process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or
  process.env_vars like ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
) and length(process.command_line) > 255 and not (
  process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "agent-inventory", "cf-execd") or
  process.args like "/opt/rudder/*" or
  process.parent.executable like ("/vz/root/*", "/var/rudder/*")
)

Install detection rules in Elastic Security

Detect Potential curl CVE-2023-38545 Exploitation in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).