Curl 7.84 <= 8.2.1 Header DoS (CVE-2023-38039)

Question

Curl 7.84 <= 8.2.1 Header DoS (CVE-2023-38039)

TK 300

Tenable scanners are now detecting "Curl 7.84 <= 8.2.1 Header DoS (CVE-2023-38039)" on some of our Windows Server 2022 servers. (https://www.tenable.com/plugins/nessus/181409). The stated solution is "Upgrade Curl to version 8.3.0 or later".

Will Microsoft be addressing this issue when the October updates are released on October 10, 2023?

Josh Nielsen 0 Reputation points

2023-09-21T20:32:33.9366667+00:00

Another thread has been posted about this as well here (with no updates): https://learn.microsoft.com/en-us/answers/questions/1340198/curl-arbitrary-file-write-7-x-)-7-84-0-8-x-(-8-1-2-7-84-0-8-x-(-8-1-2)
TK 300 Reputation points

2023-09-21T22:32:23.99+00:00

That post references CVE-2023-32001. This is about https://curl.se/docs/CVE-2023-38039.html.
Mike Varga 5 Reputation points

2023-09-25T17:42:51.3733333+00:00

This exposes MS to significant liability, and it's customers to significant harm. It appears they've adopted a piece of community developed code, with no real plans to regularly update it. Has anyone removed the risky executable to determine if the OS uses it or if it's just a CLI utility?
Bruno Carvalho | LGTI ☁️ 10 Reputation points

2023-09-28T12:16:50.0766667+00:00

Is the same here, I have 1000 workstations and 150 server, How am I going to correct them all manually, impossible!!
Adrian Jimenez 20 Reputation points

2023-09-28T17:02:41.6433333+00:00

@Mike Varga You should not remove the executable or update it manually as it is going to mess with Windows Updates and possibly leave you with a corrupted files system, which is a hassle to fix (talking out of my own experience). More info here and here.
Adrian Jimenez 20 Reputation points

2023-10-12T22:54:32.1266667+00:00

Just checked a patched machine with the October update but curl is still version 8.0.1. I would have been surprised if MS actually would have addressed this right away. We will have to wait, one month at a time.

4 answers

Your answer

Josh Nielsen 0 Reputation points

2023-09-21T20:32:33.9366667+00:00

Another thread has been posted about this as well here (with no updates): https://learn.microsoft.com/en-us/answers/questions/1340198/curl-arbitrary-file-write-7-x-)-7-84-0-8-x-(-8-1-2-7-84-0-8-x-(-8-1-2)
TK 300 Reputation points

2023-09-21T22:32:23.99+00:00

That post references CVE-2023-32001. This is about https://curl.se/docs/CVE-2023-38039.html.
Mike Varga 5 Reputation points

2023-09-25T17:42:51.3733333+00:00

This exposes MS to significant liability, and it's customers to significant harm. It appears they've adopted a piece of community developed code, with no real plans to regularly update it. Has anyone removed the risky executable to determine if the OS uses it or if it's just a CLI utility?
Bruno Carvalho | LGTI ☁️ 10 Reputation points

2023-09-28T12:16:50.0766667+00:00

Is the same here, I have 1000 workstations and 150 server, How am I going to correct them all manually, impossible!!
Adrian Jimenez 20 Reputation points

2023-09-28T17:02:41.6433333+00:00

@Mike Varga You should not remove the executable or update it manually as it is going to mess with Windows Updates and possibly leave you with a corrupted files system, which is a hassle to fix (talking out of my own experience). More info here and here.
Adrian Jimenez 20 Reputation points

2023-10-12T22:54:32.1266667+00:00

Just checked a patched machine with the October update but curl is still version 8.0.1. I would have been surprised if MS actually would have addressed this right away. We will have to wait, one month at a time.

Answer 1

LilHammer 30

This needs to be escalated for a response from Microsoft corporate... It is 100% unacceptable and indefensible for Microsoft to incorporate open-source code in a way that requires only Microsoft packaged updates and fixes, when Microsoft has no intention of maintaining the code they decided to incorporate! This is another example of Microsoft doing things the programming community doesn't want while ensuring Windows is more vulnerable than ever before.

If Microsoft won't meet industry-standard patching deadlines, STOP INCORPORATING MORE OPEN SOURCE CODE into the OS but REQUIRING MS PACKAGED FIXES!

This is exactly like the old Macromedia Flash problem. STOP IT.

Adrian Jimenez 20 Reputation points

2023-10-12T22:49:43.85+00:00

This is not really an answer, but this person is right on point

Answer 2

Siddharth Sharma 6

Same here, most of Windows 10 machines are reporting this on Nessus.

I hope this is fixed in next update from MS .

Yasmin Guedes Soares 0 Reputation points

2023-09-27T13:14:49.7433333+00:00

Windows 11 as well.

Answer 3

Josh Nielsen 0

I second this question. This impacts Windows 10 as well.

BrianBoyce 10 Reputation points

2023-09-22T08:28:13.9933333+00:00

I also second this, have intruder.io tannable scan stating that this version of cUrl is vulnerable but is controlled by Microsoft updates. When can we expect it to be updated
Durnan, Andrew 0 Reputation points

2023-10-02T20:47:35.9333333+00:00

I can also attest that updating curl manually will cause problems when the cumulative update with the curl patch is applied. The file hash of curl.exe is not what the installer expects and the entire cumulative update will fail.

Answer 4

Buckingham, Nicholas S 0

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38039

Share via

Curl 7.84 <= 8.2.1 Header DoS (CVE-2023-38039)

4 answers

Your answer