Share via

curl update

Glenn Maxwell 12,871 Reputation points
2023-09-25T09:38:59.7666667+00:00

Hi All

i have the below vulnerability on few of my Windows 2019 Servers. please guide me how to fix this vulnerability.

Path: C:\Windows\ccmcache\x\Files\bin\curl.exe, Path: C:\Windows\SysWOW64\curl.exe, Path: C:\Windows\System32\curl.exe

Installed version : 8.0.1.0 Fixed version : 8.3.0

Windows for business | Windows Server | User experience | Other
Accepted answer
  1. Limitless Technology 44,751 Reputation points
    2023-09-26T10:54:39.6233333+00:00

    Hello Glenn Maxwell,

    First of all, I would recommend to check the version of CURL installed on the servers, by running the next command:

    curl --version

    At the moment, I am aware at least of 4 different vulnerabilities for versions below 8.1.0 with the next codes and explanations:

    CVE-2023-28319: A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash.

    CVE-2023-28321: An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

    CVE-2023-28322: An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously wasused to issue a PUT request which used that callback.

    CVE-2023-28320: A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time.

    The action is very straight forward. Curl is included with Windows since 2017, and it should be patched by regular Windows Updates. Since you are using SCCM, another alternative would be to download the standalone version of CURL from their website and create a deployment package that will target the specific computers.

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. JR 10 Reputation points
    2023-09-26T21:29:50.7+00:00

    Which Windows Server 2019 cumulative update includes curl.exe version 8.3.0? Installing the standalone version instead of depending on the regular Windows updates is causing problems.

    2 people found this answer helpful.
  2. Bruce Bading 15 Reputation points
    2023-10-24T14:08:02.46+00:00

    Curl prior to 8.4 contains high and critical vulnerabilities. Attempting to patch curl outside of Microsoft's patch policy can cause many Powershell issues. Powershell is used by bad actors and curl vulnerabilities can lead to a breach. I would recommend contacting Microsoft security. If not remediated by Microsoft after several attempts. I highly recommend reporting the vulnerability to DHS at the following address.

    https://www.kb.cert.org/vuls/report/

    1 person found this answer helpful.
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.