
CVE-2023-38545 cURL vulnerability

Anonymous
2023-11-08T19:51:29+00:00

Hello!

I have a lot of workstations affected by this that are being classified as vulnerable by Tenable. All of these have cURL onboard pre-installed on the machines. I see this means we have to wait for Microsoft to release an update. Can someone please provide any idea as to when that might be so we can provide a timeline to vulnerability management stakeholders for compliance?

Windows for home | Windows 11 | Security and privacy

This question was migrated from the Microsoft Support Community.


Answer accepted by question author

  1. Rob Koch 25,875 Reputation points Volunteer Moderator
    2023-11-09T05:46:57+00:00

    As always, the Microsoft MSRC and other official security advisories are the only place that you should look for this sort of information, not open forums of any sort, since the best people will refer you to these locations anyway.

    This was the 2nd result for my own search using cut & paste of the CVE from your own subject line in this thread.

    CVE-2023-38545 - Security Update Guide - Microsoft - MITRE: CVE-2023-38545 SOCKS5 heap buffer overflow

    See FAQ item number 1 in that document for precisely the information you requested and how to keep current as updates become available.

    < EDIT > Also, based on item #4 in that same FAQ, I wouldn't personally be concerned about this particular issue, since the conditions necessary to exploit sound highly unlikely to me. Apparently the updated version of curl.exe already exists; it just needs to be included in a future update of the set of components that contain it, but I wouldn't expect Microsoft to expedite this based on the low probability of successful attack. But I wouldn't lose any sleep over the extremely low potential risk involved either.

    Rob

    1 person found this answer helpful.
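For anyone who needs to tell the scanner owners exactly where each workstation stands, the following PowerShell script is an added example (it is not from the thread above and not Microsoft's or Tenable's code). It finds the curl.exe binaries on a Windows host, reads the version each one reports, and classifies it against the affected range published in the curl advisory for CVE-2023-38545 (7.69.0 through 8.3.0, fixed in 8.4.0). It also flags the one precondition the advisory describes that an administrator can actually check for: curl is only reachable by the bug when it is told to let a SOCKS5 proxy resolve hostnames (a `socks5h://` proxy), so the script looks for that in the usual proxy environment variables. The System32 and SysWOW64 paths are assumptions about where Windows ships curl; the environment variable names are the ones curl itself honours.

```powershell
# Added example, not from the original thread: inventory curl.exe on this host
# and report whether each copy is in the CVE-2023-38545 affected range.
# Affected versions per the curl advisory: 7.69.0 <= version <= 8.3.0. Fixed in 8.4.0.
# Assumption: the Windows-supplied curl.exe lives under System32 (and SysWOW64 on 64-bit).

$fixed    = [version]'8.4.0'
$firstBad = [version]'7.69.0'

# Candidate binaries: the OS copies plus anything else on PATH (third-party installs).
# "curl.exe" (with extension) is used so the Windows PowerShell alias curl -> Invoke-WebRequest is not hit.
$candidates = @(
    Join-Path $env:SystemRoot 'System32\curl.exe'
    Join-Path $env:SystemRoot 'SysWOW64\curl.exe'
) + @(Get-Command curl.exe -All -ErrorAction SilentlyContinue | ForEach-Object Source)

$results = foreach ($path in ($candidates | Where-Object { Test-Path $_ } | Select-Object -Unique)) {
    # Prefer the version the binary prints about itself; fall back to file metadata.
    # First banner line looks like: "curl 8.0.1 (Windows) libcurl/8.0.1 Schannel ..."
    $banner = & $path --version 2>$null | Select-Object -First 1
    $ver = $null
    if ($banner -match '^curl\s+(\d+\.\d+\.\d+)') { $ver = [version]$Matches[1] }
    if (-not $ver) {
        $pv = (Get-Item $path).VersionInfo.ProductVersion
        if ($pv -match '(\d+\.\d+\.\d+)') { $ver = [version]$Matches[1] }
    }

    $status = if (-not $ver)            { 'Unknown (could not read version)' }
              elseif ($ver -ge $fixed)   { 'Fixed' }
              elseif ($ver -ge $firstBad){ 'Affected (7.69.0-8.3.0)' }
              else                       { 'Not affected (predates the SOCKS5 code)' }

    [pscustomobject]@{ Path = $path; Version = $ver; Status = $status }
}

$results | Format-Table -AutoSize

# Exposure check: the overflow is only reachable when curl asks a SOCKS5 proxy to
# resolve the hostname (socks5h://). These are the environment variables curl reads
# for proxy settings; a socks5h value in any of them means the precondition exists.
$proxyVars = 'ALL_PROXY', 'HTTPS_PROXY', 'HTTP_PROXY', 'all_proxy', 'https_proxy', 'http_proxy'
$socksHost = foreach ($name in $proxyVars) {
    $value = [Environment]::GetEnvironmentVariable($name)
    if ($value -and $value -match '^socks5h://') { "$name=$value" }
}

if ($socksHost) {
    Write-Warning "SOCKS5 proxy with remote name resolution configured: $($socksHost -join ', ')"
} else {
    Write-Host 'No socks5h:// proxy in the curl proxy environment variables; the SOCKS5 code path is not in use by default.'
}
```

Run it as a normal user (no elevation is needed to read file versions or run `curl.exe --version`) and feed the table to whoever owns the Tenable findings. A copy in the "Affected" range is what the scanner is keying on; the proxy check is the part that lets you say, per host, whether the condition that actually triggers the bug is present. It does not detect per-command `--proxy socks5h://...` usage in scripts or application-embedded libcurl, which would need a separate search.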

4 additional answers

  1. Anonymous
    2023-11-09T20:23:27+00:00

    Oh indeed, but because everyone "has a box to check", practicality often is tossed in the fire as I am SURE you're familiar :). Thank you for your help, that is a heck of an impressive history too!!

  2. Rob Koch 25,875 Reputation points Volunteer Moderator
    2023-11-09T20:13:42+00:00

    Microsoft employees today are almost all contractors, with only a few core employees like executives, some management and a few others truly working directly for Microsoft. I personally interacted with a Product Manager for the original Windows Live OneCare and Microsoft Security Essentials teams as an MVP back in 2007-2012, who was a contractor during initial betas, but transitioned to true Microsoft status once he became the PM.

    The types of answers you'll get from any of those here vary widely for any type of member, since experience varies widely and as already mentioned, these mostly volunteer forums aren't truly the best place to ask such technical questions.

    The difference in this case is your question fits my background as a 40+ year network administrator and security professional for education, government and commercial customers or employers perfectly, since part of my job during this period was managing networks or vulnerability scanning and aiding organizations in the prioritization of remediation of updates to all types of network devices including clients.

    So, rather than getting the response from a script or database, I know what I'm actually looking for not only online, but also within the documents themselves, since that's one thing I did for roughly 2 decades.

    However, at the time, rather than worry about assessors or CISSP types in general, my position was more dependent on past experience and real-life protection of my own corporate networks, so I tend to ignore the certification and compliance requirements and cut to the chase for what truly matters to protect a network or device. In fact, the CISSPs I most often worked with, my past boss and another we contracted with for vulnerability assessments for banks and other companies, more often referred to me when questions relating to vulnerability, or the true risks involved, came up. This happened in a few cases many months after I'd retired, when newly discovered vulnerabilities needed explaining to their customers based on documents from the FBI and other government agencies.

    At the time you'd have paid a starting rate of $120/hr. for my advice, though that's at least a decade ago, so you've gotten away cheap here.

    Rob

  3. Anonymous
    2023-11-09T13:59:12+00:00

    Thanks all! I was asking here with the tone I took expecting a Microsoft response because I have had responses from MS reps before on MS Community. At least their titling with their signatures appeared to present them as such, so I was hoping those folks would respond. But thanks for the MSRC reference, I was hoping to see something like this so I could show assessors that it will come in time. My main thing is addressing the detections in Tenable to tell people we answer to that this will happen with an update by MS, so we have to wait. Thanks for that!

  4. Neil D 32,835 Reputation points Volunteer Moderator
    2023-11-08T20:02:03+00:00

    It's unlikely users here will have any idea what Microsoft are doing about what you describe. This is an open forum manned by users like yourself and not Microsoft personnel.

    There is a chance that some may have more information for you but you may have to wait.
