CVE-2023-28319 - Curl’s Use-After-Free SSH Fingerprint Flaw (With Example & Exploit Details)

Curl is the go-to tool when it comes to fetching or sending data using URLs from a terminal or in scripts. However, even such a trusted tool isn’t immune to security bugs. In April 2023, a serious vulnerability was discovered in libcurl, the library behind curl, that risks leaking heap data when verifying SSH server keys – tracked as CVE-2023-28319. If you’re using curl versions before 8.1. and doing anything with SSH, you need to read this.

In this post, we'll break down what happened, how it works, and why it's dangerous. We’ll even provide a simple code snippet, plus references and details on how this could be exploited.

What is CVE-2023-28319?

CVE-2023-28319 is a use-after-free vulnerability in libcurl. It exists in the logic that checks an SSH server's public key using its SHA-256 fingerprint.

When curl connects via SSH, you can set an "expected fingerprint" for the SSH key, making sure you're talking to the real server (a basic anti-MITM step). If the remote key's hash doesn’t match the expected fingerprint, a helpful error message is returned.

The problem:  
When this check fails, libcurl *frees* the memory that held the fingerprint data before it puts that hash into the error message. As a result, random freed (heap) memory content might end up in this error message.

This may leak random heap data.

- Such data can contain sensitive things – like passwords, cookies, tokens, or even fragments of SSH keys or files being processed!

Technical Details

The flaw is located in the libcurl source code responsible for SSH key validation. Let's look at a simplified, hypothetical snippet showing where things go wrong:

// (simplified/condensed for clarity)
char *fingerprint = generate_sha256_fingerprint(serverkey);

if (!fingerprint_matches_expected(fingerprint, expected_fingerprint)) {
    free(fingerprint); // <<< The fingerprint memory is released
    failf(data, "SSH server key fingerprint mismatch: %s", fingerprint); // <<< Use-after-free!
    return CURLE_PEER_FAILED_VERIFICATION;
}

Problem: The pointer fingerprint is freed, then it's used in failf() for the error message. After free(), the memory at fingerprint may be immediately reused or overwritten by malloc() elsewhere. This can put garbage or unrelated sensitive data into the message.

Exploit Scenario

While this bug can’t be triggered remotely (it’s not "network-exploitable"), it can be triggered locally by:

Example exploit workflow

1. Victim process uses libcurl (vulnerable version), with SSH fingerprint checking, in an environment where heap contains secrets (e.g., a web server or sensitive script).

Proof-of-Concept (PoC) Example

Here’s a simple C program using libcurl's SSH fingerprint matching. If you compile and run this against an SSH server whose pub key hash *does not* match, and you’re using a vulnerable libcurl, you may see memory leakage in the error message.

C source

#include <curl/curl.h>
#include <stdio.h>
int main() {
    CURL *curl = curl_easy_init();
    if (curl) {
        curl_easy_setopt(curl, CURLOPT_URL, "scp://user@hostname/path/file.txt");
        curl_easy_setopt(curl, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256, "AAAAB3NzaC1yc2E..."); // Incorrect, triggers mismatch
        CURLcode res = curl_easy_perform(curl);
        if (res != CURLE_OK)
            fprintf(stderr, "curl error: %s\n", curl_easy_strerror(res));
        curl_easy_cleanup(curl);
    }
    return ;
}

*Replace the URL and SHA256 hash with one that will mismatches.*

When run with a vulnerable libcurl, the error message may contain junk or sensitive data in the place of the fingerprint.

What Versions are Affected?

All curl and libcurl versions before 8.1. are affected.

Fixed in:  
- Curl/libcurl 8.1. and newer  
- Patch

Update now to curl 8.1. or later!

- If you can't update, avoid using SSH fingerprint options, or sanitize logs and error outputs from failed SSH connections.

References

- CVE-2023-28319 at MITRE
- curl Security Advisory
- curl GitHub commit fixing the bug
- libcurl documentation: CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256

Conclusion

CVE-2023-28319 shows how a seemingly small mistake — freeing memory before using it in an error message — can leak sensitive data, even in tools as mature as curl. Always keep your dependencies up to date, especially on servers or scripts interacting with potentially hostile environments. If you're logging libcurl errors involving SSH key checking on older versions, assume you might have leaked heap secrets and act accordingly.

Stay safe — patch curl/libcurl!

*This article was written using exclusive analysis and plain explanations, avoiding jargon so you know exactly what this bug means for your security.*

Timeline

Published on: 05/26/2023 21:15:00 UTC
Last modified on: 08/02/2023 16:47:00 UTC