Patch for cURL 8.4.0 CVE-2023-38545 ETA?

Alexis Martinez 50

Any ETA when a patch for cURL 8.4.0 will be released. We currently see that cURL 8.4.0 has been released by the cURL project, but Microsoft hasn't released a patch for this? We need to get this patched immediately on our Windows 10 and Server appliances.

Our team has attempted to copy and paste the new version of cURL, but it appears that it reverts to the old version of cURL when a hardlink exists to the Windows Component Store. The only viable route would be to have Microsoft release a patch.

Chris Leonard (MS) 15 Reputation points

2023-10-27T16:29:32.92+00:00

What are we supposed to do here Microsoft ?!? Deleting the file breaks system updates, manually updating is failing!!!
Alexis Martinez 50 Reputation points

2023-10-27T16:34:18.09+00:00
had this break a couple of systems on testing. You can easily fix it with, but it reverts to the original curl file.

dism /Online /Cleanup-Image /RestoreHealth sfc /scannow
Reasoner, Brian 5 Reputation points

2023-10-27T21:09:56.7633333+00:00

We really need some guidance from Microsoft on this issue.
abbodi86 3,856 Reputation points

2023-10-28T12:42:33.8633333+00:00

@Chris Leonard (MS) You can create a folder for external curl (released by the cURL project), e.g.: C:\cURL
then add that folder to PATH system environment, prepending "%SystemRoot%\system32"
Tiago Santana 0 Reputation points

2023-11-06T18:57:59.4666667+00:00

Hi, someone applied the workaround suggested by Microsoft to mitigate this vulnerability and worked? I tested the Policy, but the Curl keep working after apply the policy and restart the device.
Donald Jackson 25 Reputation points

2023-11-06T20:54:49.44+00:00

I just found this... for what it's worth.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38039
Donald Jackson 25 Reputation points

2023-11-09T14:08:51.9666667+00:00

Here's the so-called "fix" https://answers.microsoft.com/en-us/windowserver/forum/all/how-to-update-curl-version-to-840/96edfd33-9316-4232-825b-bfb4ef147d6f My guess is that this is temporary and MS will release something next week on Tuesday.

3 answers

abbodi86 3,856 Reputation points

2023-11-12T20:09:21.51+00:00

curl.exe 8.4.0.0 will be included with 2023-11 LCUs:

KB5032196: Win10 1809

KB5032189: Win10 22H2

KB5032198: Server 2022

KB5032192: Win11 21H2

KB5032190: Win11 22H2/23H2

KB5032202: Server 23H2
Please sign in to rate this answer.

2 people found this answer helpful.
Eric Romo 0 Reputation points

2023-11-14T21:22:17.34+00:00

Just patched with KB5032196, and cURL is still showing as 7.71.1. I also did not see anything mentioning cURL in the release notes. Did you observe something differently?

Newtolearn-J 0 Reputation points

2023-11-16T11:39:05.45+00:00

Hi @abbodi86
When it would be available for the Windows 2019 server?
Sign in to comment
Tyler Hodges 0 Reputation points

2023-10-31T17:29:50.8833333+00:00

Artic Wolf is showing this as a MySql vuln but nothing shows in Defender for Endpoint. Where's the patch?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Hania Lian 8,231 Reputation points Microsoft Vendor

2023-12-05T06:51:33.68+00:00

Hello Alexis Martinez

Microsoft has included curl.exe version 8.4.0 in the Windows Update released on November 14, 2023, for currently supported on-premises versions of Windows clients and servers.

You need to manually add the patch of the corresponding version from https://www.catalog.update.microsoft.com/Home.aspx, please refer to this link for the patch of the corresponding version:

CVE-2023-38545 - Security Update Guide - Microsoft - Hackerone: CVE-2023-38545 SOCKS5 heap buffer overflow.

Best Regards,

Hania Lian
Please sign in to rate this answer.

0 comments No comments
Sign in to comment