
Re: CVE-2024-7264

From: Zac Todd via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 31 Jan 2025 11:24:50 +1100

On Wed, Jan 29, 2025 at 6:15 PM Daniel Stenberg <daniel_at_haxx.se> wrote:

> You don't mention what OS you're on, nor where (inside which product)
> CrowdStrike identified this vulnerability.
> Your mention of 'dll' and the reddit link however makes me draw two
> conclusions: this is on Windows, and this "warning" is not about the bundled
> curl.exe?

I didn't think it was terribly relevant; I was more after specifics on the CVE.
CrowdStrike is flagging this on our Windows 10 & 11 endpoints, Windows
Server 2016 & 2019, and a single M2 MacBook. CS shows it is looking at
libcurl.dll in a variety of programs, namely: Datto Windows Agent,
FortiClient VPN, Microsoft Power BI Desktop, Microsoft SQL Server
Management Studio 18 & 19, Tecom CTPlus, Microsoft SQL Server, Ceiba2,
SmartPSS, HP Device Manager and a couple of others.

> If the specific dll it warns about was not shipped by the curl project, you
> are better off asking the team that built and shipped it. If you have the same
> version that was mentioned in the reddit post of yours, it is part of a
> Microsoft application install and then you need to contact Microsoft support.
>
> The reddit page might imply that the libcurl actually comes from a "Salesforce
> ODBC Driver" for Office? If so, then the manufacturer of that thing is
> responsible.

All our Windows 10 & 11 Devices will have the libcurl file from the
Microsoft application mentioned in the reddit post. This libcurl is
version 8.7.0, which is within the affected versions as per the curl
web page you already mentioned. This doesn't show as vulnerable in CS
though, so I am unsure if it is vulnerable or if CS is missing a bunch
of potential vulnerabilities.

> > Is simply having the affected version of the libcurl.dll file enough to make
> > a computer vulnerable or does it also require the specific backend before it
> > is a problem?

> First: your computer is probably not vulnerable at all. This is a warning from
> software that profits from warning about things it knows very little about.
> And if it is right, which occasionally happens, the one entity that can fix
> this is the package that ships the vulnerable libcurl: they can just build a
> fixed version and ship that instead.

I understand they should release the fixed version, but I would prefer
not to wait an undetermined amount of time for a potential
vulnerability to be fixed on my network.

I would like to follow the advice in the reddit post, deleting the
affected versions of the libcurl.dll (after testing that there are no
undesired side effects) in at least the Microsoft application, but
ideally all of them until a fix is provided by the vendor.

> > If it does require a specific backend, how can I determine if that backend
> > is being used in order to remediate the threats?

> Ask your support person for the software deemed vulnerable. If you want to
> investigate it yourself you can of course dissect the dll and probably figure
> it out. I think there's a fair chance they use Schannel on Windows.

I can likely figure out how to dissect a dll or two and verify whether it
is using Schannel.
Is the libcurl.dll file being within the affected version range enough
for it to be potentially vulnerable, or does it require it to be using
Schannel or one of the other three listed affected backends?

I did not expect the head of the Curl project to respond to this,
thanks for your time and I apologise for my ignorance in this area.
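The question above (which libcurl.dll copies are on a machine, what version each is, and which TLS backend each was built with) can be answered without disassembling anything: every libcurl exports curl_version(), whose string names the version and the TLS backend(s). The script below is an added example, not code from this thread or from the curl project; it assumes 64-bit PowerShell for 64-bit DLLs (LoadLibrary refuses a DLL of the other bitness) and that the usual Program Files directories are where the products install.

```powershell
# Added example (not from the thread or the curl project): inventory libcurl DLLs
# and report each one's version and TLS backend(s) by calling its curl_version(),
# which returns e.g. "libcurl/8.7.0 Schannel zlib/1.3 ...".
# Loading a DLL runs its entry point, so run this on a test machine first.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
namespace LibcurlProbe {
    [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
    public delegate IntPtr CurlVersionFn();
    public static class Native {
        [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern IntPtr LoadLibraryW(string path);
        [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi, ExactSpelling = true)]
        public static extern IntPtr GetProcAddress(IntPtr module, string name);
        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern bool FreeLibrary(IntPtr module);
    }
}
'@

function Get-LibcurlBuildInfo {
    param([Parameter(Mandatory)][string]$Path)
    $result = [pscustomobject]@{ Path = $Path; Version = $null; Backends = $null; Error = $null }
    $module = [LibcurlProbe.Native]::LoadLibraryW($Path)
    if ($module -eq [IntPtr]::Zero) {
        # Typical causes: 32-bit DLL in a 64-bit shell, or a missing dependency DLL.
        $result.Error = "LoadLibrary failed (Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
        return $result
    }
    try {
        $fn = [LibcurlProbe.Native]::GetProcAddress($module, 'curl_version')
        if ($fn -eq [IntPtr]::Zero) { $result.Error = 'no curl_version export'; return $result }
        $curlVersion = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fn, [LibcurlProbe.CurlVersionFn])
        $text = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($curlVersion.Invoke())
    } finally {
        [void][LibcurlProbe.Native]::FreeLibrary($module)
    }
    # First token is "libcurl/x.y.z"; later tokens name components. Schannel appears bare,
    # other backends as "Name/version"; multi-backend builds wrap them in parentheses.
    $tokens = ($text -replace '[()]', '') -split '\s+'
    $result.Version  = $tokens[0] -replace '^libcurl/', ''
    $result.Backends = ($tokens | Where-Object {
        $_ -match '^(Schannel|OpenSSL|LibreSSL|BoringSSL|quictls|AWS-LC|wolfSSL|mbedTLS|GnuTLS|rustls|SecureTransport|BearSSL)' }) -join ','
    return $result
}

# Walk the program directories and report every libcurl DLL found.
Get-ChildItem -Path "$env:ProgramFiles", "${env:ProgramFiles(x86)}" -Recurse -Filter 'libcurl*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-LibcurlBuildInfo -Path $_.FullName } |
    Format-Table Path, Version, Backends, Error -AutoSize
```

Run it once from 64-bit and once from 32-bit PowerShell to cover both kinds of DLL; a row whose Backends column is empty but whose Version is set came from a build with a backend name the pattern does not know, so read the full curl_version() string for it.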
Received on 2025-01-31