Curl HTTP/2 Push Headers Memory-leak Vulnerability

Garg, Naman 0

We are receiving vulnerabilities on few VMs related to "Curl HTTP/2 Push Headers Memory-leak" and in solution it is suggested to upgrade to latest Curl (version 8.7.1). But the actual file is in system32 folder and we can't make any changes in that folder because of permission issues.

And, we heared it somewhere that it will be remediated during Windows Update but again, we have installed all Windows Update and failed to remediate the Curl Vulnerability.

Can someone help me to get correct KB as part of which this is being resolved?

2 answers

Michael Taylor 49,261 Reputation points

2024-05-16T20:11:58.55+00:00

See this lengthy discussion in the Q&A forums. It includes the links to the information you are asking about. Note that curl.exe will be updated by Windows but any third party apps that use the underlying libcurl (which is where the vulnerability resides) will still need to be updated using whatever update mechanism you use for those apps.
Please sign in to rate this answer.
Garg, Naman 0 Reputation points

2024-05-16T20:26:55.95+00:00

We are already in version 8.4.0

But new Windows update from last 3 months are not upgrading it automatically to 8.7.0 or later.

Michael Taylor 49,261 Reputation points

2024-05-16T20:30:34.3833333+00:00

There is no Windows update for updating to curl 8.7.1 that I'm aware of. 8.4.0 is the latest version and it was shipped as part of Nov 2023 updates. Please provide the link(s) to where it is saying there is a newer update available for Windows.

Garg, Naman 0 Reputation points

2024-05-16T20:37:35.6433333+00:00

Below link suggest to upgrade it to 8.7.0 and you also stated, "Note that curl.exe will be updated by Windows". So, just trying to understand if new window update is released for this remediation. If yes, I need to get KB to validate in my system or manually we can install patch.

https://curl.se/docs/CVE-2024-2398.html?ref=securitricks.ghost.io

Michael Taylor 49,261 Reputation points

2024-05-16T20:46:41.1733333+00:00

There is no Windows update for this. The version of curl shipped with Windows doesn't support HTTP/2, from everything I've read and the various Github issues brought up. Since the vulnerability is specifically for HTTP/2 then Windows is currently not impacted by the CVE.

See Q&A but I haven't confirmed this for myself.

Garg, Naman 0 Reputation points

2024-05-16T20:58:23.3333333+00:00

Michael, I have read the document shared by you initially, but it was not mentioned anywhere that any particular vulnerability related to curl will be remediated by Windows Update....it is simply that window update will upgrade it to latest version of curl (that was 8.4.0).

So, just wanted to understand if there is an option to upgrade Curl to 8.7.0 (either manually or automatically) because curl.exe file is stored in System32 folder and we have minimal access to copy/paste/rename.

Michael Taylor 49,261 Reputation points

2024-05-16T21:13:22.91+00:00

You cannot (and should not) upgrade the version of curl installed with Windows. That version would need to be updated by MS if and when they choose to do so. Even the curl maintainer strongly recommends you do not touch the version that ships with Windows (see link contained in github issue here).

If you absolutely must have a newer version of curl on your machine then the only workaround would be to install curl manually and then use an env var or something to ensure you are using that version of curl instead of the version with Windows. You woul d have to use the full path because Windows will pick off files in system32 first. Note that you should not change system paths to make your custom version of curl load before system32 as that will make things worse.

So your options are either to wait until MS updates it, whenever that may be, or install it manually to some path and then always use the path-ed version when using curl.
Sign in to comment
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Curl HTTP/2 Push Headers Memory-leak Vulnerability

2 answers