Forum Discussion

PalmerEldritch's avatar
PalmerEldritch
Copper Contributor
Apr 21, 2023

Updating curl.exe on Windows servers

Hi all,

 

We've been getting curl.exe coming up as a vulnerability in scans. Looks like this was added to Windows, but isn't really kept updated via MS update... seems like a bad practice. Anyway - what's the recommended way to update the curl.exe? Just manually replace the file with the latest version? Are there any potential issues that could arise from doing this? 

 

Thanks for any help.

  • PalmerEldritch Daniel Stenberg the main developer behind cURL has addressed this in a blog post here - https://daniel.haxx.se/blog/2023/04/24/deleting-system32curl-exe/

     

    The TLDR is that manually modifying files inside the system folder is not supported and may cause future updates to fail. Microsoft has supposably shipped an updated cURL.exe in the April 2023 Cumulative. Update - are you still seeing a vulnerable version with the latest updates installed?

  • Bruce Bading's avatar
    Bruce Bading
    Copper Contributor

    Do not try to update system32/curl.exe or delete it. It will cause issues with the OS including preventing it from updating. Contact Microsoft Security Response Center. This is the first time I have ever seen an OS vendor not update a critical vulnerability in the OS.

    https://msrc.microsoft.com/report/vulnerability

     

    We are giving Microsoft a specific amount of time to address this vulnerability and after a specific amount of time we will contact the CISA here (generally 45 days).

    While the vulnerability has already been verified by the vendor, the problem here is that the vendor Danial Stenberg has released new versions regularly to address vulnerabilities. Microsoft has made it an integral part of the OS and has not kept it updated along with the advisories and Stenberg's patch cadence.

    https://www.kb.cert.org/vuls/report/



  • Alban1998's avatar
    Alban1998
    Iron Contributor
    Hello,
    Update curl.exe like you update all operating system files - by applying monthly cumulative updates (or other hotfixes provided by microsoft). Manually replacing the file will break Windows, don't do it.
  • AndrewT's avatar
    AndrewT
    Iron Contributor

    PalmerEldritch Daniel Stenberg the main developer behind cURL has addressed this in a blog post here - https://daniel.haxx.se/blog/2023/04/24/deleting-system32curl-exe/

     

    The TLDR is that manually modifying files inside the system folder is not supported and may cause future updates to fail. Microsoft has supposably shipped an updated cURL.exe in the April 2023 Cumulative. Update - are you still seeing a vulnerable version with the latest updates installed?

    • mulana's avatar
      mulana
      Icon for Microsoft rankMicrosoft

      Hi,

      We are also seeing this vulnerability present even with the latest update of the Windows Server 2019 Datacenter (version 1809, OS build 17763.6775). Any ideas?

      Thanks!

    • Dalibor_Pribilovic's avatar
      Dalibor_Pribilovic
      Copper Contributor
      Hello,

      Yes we are still experiencing the same issue. Qualys is also detecting this vulnerability still on our Win Server 2022 as a QID 380508 Libcurl Denial of Service (DoS) Vulnerability.

      Does anybody have any advice how to update native windows versions of curl.exe located in:
      %windir%\System32\curl.exe
      %windir%\SysWOW64\curl.exe

      Thank you in advance.

      • MMorgan12's avatar
        MMorgan12
        Copper Contributor

        Dalibor_Pribilovic 

         

        Also seeing this from Qualys scans and wondering if MS will be coming with a patch to update. I have seen a number of negative posts with manually updating this curl.exe causing all types of OS issues. 

    • PalmerEldritch's avatar
      PalmerEldritch
      Copper Contributor
      Thanks - I didn't want to attempt to manually update anything anyway. It just seems like a long time for this to be at a fairly old version. Hopefully MS remembers to keep it updated going forward. Odd that it finally was just in this month's patches. I'll check to see if it gets updated after the April update is applied.

Resources