Forum Discussion
PalmerEldritch
Apr 21, 2023Copper Contributor
Updating curl.exe on Windows servers
Hi all,
We've been getting curl.exe coming up as a vulnerability in scans. Looks like this was added to Windows, but isn't really kept updated via MS update... seems like a bad practice. Anyway - what's the recommended way to update the curl.exe? Just manually replace the file with the latest version? Are there any potential issues that could arise from doing this?
Thanks for any help.
PalmerEldritch Daniel Stenberg the main developer behind cURL has addressed this in a blog post here - https://daniel.haxx.se/blog/2023/04/24/deleting-system32curl-exe/
The TLDR is that manually modifying files inside the system folder is not supported and may cause future updates to fail. Microsoft has supposably shipped an updated cURL.exe in the April 2023 Cumulative. Update - are you still seeing a vulnerable version with the latest updates installed?
- Bruce BadingCopper Contributor
Do not try to update system32/curl.exe or delete it. It will cause issues with the OS including preventing it from updating. Contact Microsoft Security Response Center. This is the first time I have ever seen an OS vendor not update a critical vulnerability in the OS.
https://msrc.microsoft.com/report/vulnerabilityWe are giving Microsoft a specific amount of time to address this vulnerability and after a specific amount of time we will contact the CISA here (generally 45 days).
While the vulnerability has already been verified by the vendor, the problem here is that the vendor Danial Stenberg has released new versions regularly to address vulnerabilities. Microsoft has made it an integral part of the OS and has not kept it updated along with the advisories and Stenberg's patch cadence.
https://www.kb.cert.org/vuls/report/ - Alban1998Iron ContributorHello,
Update curl.exe like you update all operating system files - by applying monthly cumulative updates (or other hotfixes provided by microsoft). Manually replacing the file will break Windows, don't do it. - AndrewTIron Contributor
PalmerEldritch Daniel Stenberg the main developer behind cURL has addressed this in a blog post here - https://daniel.haxx.se/blog/2023/04/24/deleting-system32curl-exe/
The TLDR is that manually modifying files inside the system folder is not supported and may cause future updates to fail. Microsoft has supposably shipped an updated cURL.exe in the April 2023 Cumulative. Update - are you still seeing a vulnerable version with the latest updates installed?
- mulana
Microsoft
Hi,
We are also seeing this vulnerability present even with the latest update of the Windows Server 2019 Datacenter (version 1809, OS build 17763.6775). Any ideas?
Thanks! - Dalibor_PribilovicCopper ContributorHello,
Yes we are still experiencing the same issue. Qualys is also detecting this vulnerability still on our Win Server 2022 as a QID 380508 Libcurl Denial of Service (DoS) Vulnerability.
Does anybody have any advice how to update native windows versions of curl.exe located in:
%windir%\System32\curl.exe
%windir%\SysWOW64\curl.exe
Thank you in advance.- MMorgan12Copper Contributor
Also seeing this from Qualys scans and wondering if MS will be coming with a patch to update. I have seen a number of negative posts with manually updating this curl.exe causing all types of OS issues.
- PalmerEldritchCopper ContributorThanks - I didn't want to attempt to manually update anything anyway. It just seems like a long time for this to be at a fairly old version. Hopefully MS remembers to keep it updated going forward. Odd that it finally was just in this month's patches. I'll check to see if it gets updated after the April update is applied.