Headline
CVE-2023-38039: Hackerone: CVE-2023-38039 HTTP headers eat all memory
1. When will an update be available to address this vulnerability?
Microsoft is fully aware of this issue and is actively working to release version 8.4.0 of curl.exe in a future Windows update for currently supported, on-premise versions of Windows clients and servers. The Security Updates table for this CVE will be updated with the Windows update KB numbers for all supported versions as they are released. Customers will be notified via a revision to this security vulnerability when those KB numbers are available. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See Microsoft Technical Security Notifications and Security Update Guide Notification System News: Create your profile now – Microsoft Security Response Center.
2. What is the curl open-source project?
Curl is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various network protocols. The name stands for "Client for URL". The Windows implementation provides access to the command-line tool, not the library.
3. Why is this Hackerone CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in curl.exe software which is consumed by Microsoft Windows. It is being documented in the Security Update Guide to announce that the latest builds of Windows are no longer vulnerable. Note that we do not provide CVSS scores for non-Microsoft CVEs. You can search the [NVD]https://nvd.nist.gov/vuln/search) database for scoring information on this CVE.
4. How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would have to convince the victim to manually launch the curl utility and direct it to connect to a compromised server. This causes a denial of service of curl.
For more information see CVE-2023-38089 SOCKS5 heap buffer overflow.
5. What version of curl addresses this CVE?
Curl version 8.4.0 addresses this vulnerability.
6. Where can I find more information about this curl vulnerability?
More information can be found at NVD and curl.se.
7. Are there any workarounds that can be implemented?
IMPORTANT: Under no circumstances should you remove or replace curl.exe, the curl tool executable, as doing so may damage the Windows Update component store and prevent the installation of further security updates. Instead, we recommend deploying a code integrity policy that restricts the execution of vulnerable versions of curl.exe.
Note that after you have implemented any of the workarounds the file will still exist on disk, and can still be detected by scanning software. The workaround only provides an operating system level guarantee that the vulnerable version of the curl tool cannot be executed.
Workaround Use a WDAC policy to deny execution of the \system32\curl.exe executable. You can merge the deny into an existing policy or create a new policy with it using the Merge-CIPolicy cmdlet; Merge-CIPolicy (ConfigCI) | Microsoft Learn. After the policy XML file with the deny has been created or merged with an existing policy it must be deployed.
Choose how to deploy the policy by using one of the following methods Deploying Windows Defender Application Control (WDAC) policies | Microsoft Learn:
- Deploy using a Mobile Device Management (MDM) solution, such as Microsoft Intune
- Deploy using Microsoft Configuration Manager
- Deploy via script
- Deploy via group policy Note that after you have deployed a code integrity policy workaround, the file will still exist on disk, and can still be detected by scanning software. The workaround only provides an operating system level guarantee that the vulnerable version of the curl tool cannot be executed.efender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy)
For example:
Create a new policy: (These steps will create a new policy named Deny-Curl.xml by merging the deny using the example policy named AllowAll.xml)
$rule = new-cipolicyrule -DriverFilePath "$env:systemroot\system32\curl.exe" -Level FilePublisher -Deny
$rule[0].attributes["MinimumFileVersion"] = "0.0.0.0"
$rule[0].attributes["MaximumFileVersion"] = "8.4.0.0"
merge-cipolicy "$env:systemroot\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml" -Rules $rule -OutputFilePath "Deny-Curl.xml"
Merge into an existing policy
$rule = new-cipolicyrule -DriverFilePath "$env:systemroot\system32\curl.exe" -Level FilePublisher -Deny
$rule[0].attributes["MinimumFileVersion"] = "0.0.0.0"
$rule[0].attributes["MaximumFileVersion"] = "8.4.0.0"
merge-cipolicy "existing_policy.xml" -Rules $rule -OutputFilePath "existing_policy.xml"
How to undo this workaround?
Guidance for how to remove WDAC policies can be found in the following documentation: Remove Windows Defender Application Control (WDAC) policies.