curl vulnerability still unpatched by Microsoft

There is a vulnerability in the curl library and command-line tool in older versions, which the curl project closed on October 11, 2023 with version 8.4.0. Microsoft ships curl with Windows, and the question was whether curl was also updated with the October 10, 2023 Patchday. As far as I can tell, Windows still includes the outdated curl version after the October 2023 updates.


What is cURL?

cURL (short for Client for URLs or Curl URL Request Library) is both a software library (libcurl) and a command-line program for transferring files over computer networks. cURL is published under an open MIT-style license and has been ported to many operating systems.

curl in Windows 10/11

Microsoft has been shipping cURL with Windows 10 (and later Windows 11) since 2017, as described on the cURL website and in Microsoft's blog post Tar and Curl Come to Windows (last updated March 17, 2023). The cURL website states:

All installs of Microsoft Windows 10 and Windows 11 get curl installed by default since then. The initial curl version Microsoft shipped was 7.55.1 but it was upgraded to 7.79.1 in January 2022.

The Microsoft provided version is built to use the Schannel TLS backend. […]

The curl tool shipped with Windows is built by and handled by Microsoft. It is a separate build that will have different features and capabilities enabled and disabled compared to the Windows builds offered by the curl project. They do however build curl from the same source code. If you have problems with their curl version, report that to them.

You can probably assume that the curl packages from Microsoft will always lag behind the versions provided by the curl project itself.

According to the cURL website, cURL for Windows was updated to version 8.4.0 on October 11, 2023. If I query the cURL version (curl --version) on a Windows 10 system at the current patch level, I get this display:

In Windows 10 22H2 with the October 2023 patch status, version 8.0.1 is displayed, while version 8.4.0 would actually be required. Stefan Kanthak has pointed this out here.


The vulnerability

Daniel Stenberg had published a warning in early October 2023 about a vulnerability that was to be fixed in version 8.4.0. In the meantime the article CVE-2023-38545 & CVE-2023-38546 Curl and libcurl Vulnerabilities: All you need to know has been published, which discloses more details about the vulnerabilities (Bleeping Computer pointed it out here). One of these vulnerabilities is rated low severity (CVE-2023-38546), the second high severity (CVE-2023-38545).

  • CVE-2023-38545 is a serious vulnerability that affects both the curl command-line tool and libcurl. Affected are curl and libcurl versions from 7.69.0 up to and including 8.3.0.
  • CVE-2023-38546 is a low severity vulnerability that only affects the libcurl library. Affected are libcurl versions from 7.9.1 up to and including 8.3.0.

CVE-2023-38545 is a heap overflow vulnerability that could potentially be exploited for remote code execution (RCE). According to the article above, however, CVE-2023-38545 cannot be exploited under standard conditions: libcurl is vulnerable only if it is used in one of the ways described in that article.
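To turn the version check from the previous section and the affected ranges listed above into something repeatable, here is an added example (not code from the post or the curl project) that parses the first line of curl --version and reports whether the installed build falls inside the affected range of each CVE; the sample banner is constructed to mirror the Windows 10 22H2 build mentioned above.

```python
"""Check an installed curl against the version ranges affected by
CVE-2023-38545 / CVE-2023-38546 (ranges as stated in the post)."""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (first, last) affected versions, taken from the post.
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),  # curl tool and libcurl, high severity
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),   # libcurl only, low severity
}
FIXED_IN: Version = (8, 4, 0)


def parse_curl_version(banner: str) -> Version:
    """Extract (major, minor, patch) from the first line of `curl --version`."""
    m = re.match(r"curl\s+(\d+)\.(\d+)\.(\d+)", banner.strip())
    if not m:
        raise ValueError(f"unrecognised curl banner: {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: Version) -> Dict[str, bool]:
    """Map each CVE to True if `version` lies inside its affected range."""
    return {cve: lo <= version <= hi for cve, (lo, hi) in AFFECTED.items()}


def installed_curl_banner() -> Optional[str]:
    """Run the curl found on PATH and return its first output line, if any."""
    exe = shutil.which("curl")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()[0] if out.stdout else None


if __name__ == "__main__":
    # Constructed sample banner (assumption) used when no curl is on PATH.
    banner = installed_curl_banner() or "curl 8.0.1 (Windows) libcurl/8.0.1 Schannel WinIDN"
    ver = parse_curl_version(banner)
    print(f"installed: {'.'.join(map(str, ver))}  (fixed in {'.'.join(map(str, FIXED_IN))})")
    for cve, hit in assess(ver).items():
        print(f"  {cve}: {'AFFECTED' if hit else 'not affected'}")
```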

In summary: the curl vulnerability is not yet urgent. But it is annoying that Microsoft has not reacted and shipped a fix for the above vulnerabilities by updating to the current curl version.
