[German]There is a vulnerability in the cURL library and tool in older versions, which was closed by the project on October 11, 2023 with version 8.4.0. Microsoft delivers cURL with Windows, but has not yet updated this version. My understanding is that Windows still contains the outdated cURL version after the October 2023 updates. I have now received information that Microsoft intends to deliver cURL 8.4.0 with the Windows updates on November 14, 2023.
What is cURL?
cURL (stands for Client for URLs or Curl URL Request Library) is both a program library and a command line program for transferring files in computer networks. cURL is licensed under the open MIT license and has been ported to various operating systems.
There are vulnerabilities in older versions of cURL. Daniel Stenberg published a warning at the beginning of October 2023 in which he wrote about a vulnerability that was to be fixed with version 8.0.4. In the meantime, there is the publication CVE-2023-38545 & CVE-2023-38546 Curl and libcurl Vulnerabilities: All you need to know, which discloses more information about the vulnerabilities (Bleeping Computer has pointed this out here). One of these vulnerabilities is categorized as low severity (CVE-2023-38546), while the second is considered high severity (CVE-2023-38545).
- CVE-2023-38545 is a serious vulnerability that affects both the cURL command line tool and libcurl. Affected versions are curl and libcurl from 7.69.0 up to and including 8.3.0.
- CVE-2023-38546 is a low severity vulnerability that only affects the libcurl library. Affected are libcurl versions from 7.9.1 up to and including 8.3.0.
CVE-2023-38545 is a heap overflow vulnerability that could potentially be exploited for remote code execution (RCE). According to the article above, the vulnerability CVE-2023-38545 cannot be exploited under standard conditions. The libcurl library is only vulnerable if it is used in one of the ways described in the article above. To summarize: The cURL vulnerability is "not yet on fire".
curl in Windows 10/11
Microsoft has been shipping cURL with Windows 10 (and also in Windows 11) since 2017, as you can read in this article on the cURL website, as well as the blog post Tar and Curl Come to Windows from Microsoft, which was last updated on March 17, 2023. I mentioned this in December 2017 in the German blog post Windows 10: tar und curl sollen kommen. The cURL website states the following:
All installs of Microsoft Windows 10 and Windows 11 get curl installed by default since then. The initial curl version Microsoft shipped was 7.55.1 but it was upgraded to 7.79.1 in January 2022.
The Microsoft provided version is built to use the Schannel TLS backend. […]
The curl tool shipped with Windows is built by and handled by Microsoft. It is a separate build that will have different features and capabilities enabled and disabled compared to the Windows builds offered by the curl project. They do however build curl from the same source code. If you have problems with their curl version, report that to them.
You can probably assume that the curl packages from Microsoft will always lag behind the versions provided by the curl project itself.
According to the cURL website, cURL for Windows was updated to version 8.4.0 on October 11, 2023. If I query the cURL version under Windows 10 with the current patch level using the console command curl -V, I get this output:
In Windows 10 with patch status October 2023, for example, version 8.0.1 is displayed, while version 8.4.0 would actually be required.
Windows cURL 8.4.0 update on November 14, 2023
Other people have also noticed the missing cURL update. In the Microsoft Q&A post Patch for cURL 8.4.0 CVE-2023-38545 ETA? someone had asked on October 27, 2023 when an update of cURL could be expected. Now blog reader Marco on BlueSky has informed me that cURL 8.4.0 is included in the 2023-1 LCUs (thanks for that). Below is the screenshot of the notification in question.
abboddi86 stated in a post on November 12 that the cURL package will also be updated to 8.4.0 with the following cumulative updates.
- KB5032196: Win10 1809
- KB5032189: Win10 22H2
- KB5032198: Server 2022
- KB5032192: Win11 21H2
- KB5032190: Win11 22H2/23H2
- KB5032202: Server 23H2
Windows January 2022 security updates for cURL vulnerability CVE-2021-22947 – a tough task for security reporters
Windows 10/11: Microsoft still ships old version of cURL lib with vulnerabilities (Feb. 2023)
Windows and the cURL trap; deleted curl instance breaks Windows update
curl vulnerability still unpatched by Microsoft
Cookies helps to fund this blog: Cookie settings