Curl 7.69 < 8.4.0 Heap Buffer Overflow and Curl 7.84 <= 8.2.1 Header DoS (CVE-2023-38039) Attack How to fix

Question

Curl 7.69 < 8.4.0 Heap Buffer Overflow and Curl 7.84 <= 8.2.1 Header DoS (CVE-2023-38039) Attack How to fix

Sathishkumar Singh 486

Hello Team

Nessus has reported vulnerability. Curl 7.69 < 8.4.0 Heap Buffer Overflow and Curl 7.84 <= 8.2.1 Header DoS (CVE-2023-38039) for 2016,2019,2022

Please let me know how to fix this issue ASAP

Ortiz, Steve 25 Reputation points

2023-10-30T13:07:25.6066667+00:00

Is Microsoft going to release a patch to fix this vulnerability?
Pedro Garcia 30 Reputation points

2023-10-30T17:49:42.3+00:00

Hello Team, We are having the same issue with multiple computers and Windows Servers. From my understanding, this is something that was about to be addressed by Microsoft in updates to be released any time soon. Am I correct? If not, please indicate how to solve this issue, since both vulnerabilities show one as critical and the other one as high. Thank you in advance!
Patrick 5 Reputation points

2023-11-03T11:45:06.64+00:00
Hello Team and Community,

I have been following the discussion regarding the vulnerabilities identified in Curl versions 7.69 to 8.4.0 (Heap Buffer Overflow) and 7.84 to 8.2.1 (Header DoS) with the CVE-2023-38039. I understand that there has been significant concern about these issues, as they have been flagged by Nessus and affect multiple Windows Server versions (2016, 2019, 2022).

Like many others here, I am eagerly awaiting a resolution. I am looking for interim advice on how to mitigate this vulnerability until an official patch is released. Has anyone implemented any successful workarounds or additional security measures to protect against potential exploits?

To add to the discussion and bring everyone up to speed, here are the details we have so far:

The vulnerability impacts Curl versions from 7.69 up to 8.4.0 with a Heap Buffer Overflow issue, and versions 7.84 up to 8.2.1 with a Header DoS issue. The CVE identifier for this vulnerability is CVE-2023-38039. It affects multiple Windows Server editions, including 2016, 2019, and 2022.

If anyone has taken steps to safeguard their systems or if there is guidance from Microsoft's team, please share. Your input would be invaluable for all of us dealing with these vulnerabilities.

Thank you for your assistance.

1 answer

Your answer

Ortiz, Steve 25 Reputation points

2023-10-30T13:07:25.6066667+00:00

Is Microsoft going to release a patch to fix this vulnerability?
Pedro Garcia 30 Reputation points

2023-10-30T17:49:42.3+00:00

Hello Team, We are having the same issue with multiple computers and Windows Servers. From my understanding, this is something that was about to be addressed by Microsoft in updates to be released any time soon. Am I correct? If not, please indicate how to solve this issue, since both vulnerabilities show one as critical and the other one as high. Thank you in advance!
Patrick 5 Reputation points

2023-11-03T11:45:06.64+00:00

Hello Team and Community,

I have been following the discussion regarding the vulnerabilities identified in Curl versions 7.69 to 8.4.0 (Heap Buffer Overflow) and 7.84 to 8.2.1 (Header DoS) with the CVE-2023-38039. I understand that there has been significant concern about these issues, as they have been flagged by Nessus and affect multiple Windows Server versions (2016, 2019, 2022).

Like many others here, I am eagerly awaiting a resolution. I am looking for interim advice on how to mitigate this vulnerability until an official patch is released. Has anyone implemented any successful workarounds or additional security measures to protect against potential exploits?

To add to the discussion and bring everyone up to speed, here are the details we have so far:

The vulnerability impacts Curl versions from 7.69 up to 8.4.0 with a Heap Buffer Overflow issue, and versions 7.84 up to 8.2.1 with a Header DoS issue. The CVE identifier for this vulnerability is CVE-2023-38039. It affects multiple Windows Server editions, including 2016, 2019, and 2022.

If anyone has taken steps to safeguard their systems or if there is guidance from Microsoft's team, please share. Your input would be invaluable for all of us dealing with these vulnerabilities.

Thank you for your assistance.

Answer 1

Hello everyone there is a way to update this vulnerability I was able to do it successfully on Windows server 2019.

Step 1: Go to https://www.msys2.org/ and download the installer. Also Git will need to be installed as well https://git-scm.com/downloads

Step 2: After downloading MSYS2, open the application. Copy the following commands in order. If you're doing it from the command prompt , use "set" instead of "export".

pacman -S --needed git base-devel mingw-w64-x86_64-toolchain
source shell mingw64
git clone https://github.com/microsoft/vcpkg.git
cd vcpkg
./bootstrap-vcpkg.bat
export VCPKG_DEFAULT_TRIPLET=x64-mingw-dynamic
export VCPKG_DEFAULT_HOST_TRIPLET=x64-mingw-dynamic
./vcpkg install curl

You should now have the latest curl 8.4.0! :)

User's image

References: https://learn.microsoft.com/en-us/vcpkg/users/platforms/mingw

https://github.com/microsoft/vcpkg#quick-start-windows

Share via

Curl 7.69 < 8.4.0 Heap Buffer Overflow and Curl 7.84 <= 8.2.1 Header DoS (CVE-2023-38039) Attack How to fix

1 answer

Your answer