-2

So a vulnerability scanner has revealed that I have a version of CURL that is out of date on basically all of my machines. Environments in question are Windows 10 and Server 2019. From what I can tell it was Windows 10 1804 that first issued it.

To my understanding CURL is a command-line tool for sending data using network protocols. But do I really need it? In what instance would I need to have CURL handy to do things in Windows? I know there's some CLI commands but nobody invokes them here - is there some background thing users don't interact with that needs it in modern versions of Windows? We have two IIS servers (one hosting an internal site and one doing some WSUS stuff) but beyond that I have no leads.

This is the first time such a thing has been reported, so I have never had to question whether or not I need it to begin with. I could patch it, but at the same time I wonder if I'm better off just getting rid of it. Unfortunately I don't know if it's truly needed by Windows or something.

The ITea Guy
  • 321
  • 1
  • 6
  • 16

1 Answers1

1

We can't tell you if your organization needs curl. Curl has been a default component of the Windows operating system for six years.

If there is a vulnerability in curl, it would need to be addressed by the vendor (Microsoft), and as part of the usual and customary monthly cumulative update. Given that this is rated by the vulnerability scanner as only a medium, the chances of this being addressed in a monthly update are low. If it is addressed, it may be in an annual release.

This type of noise is common, if you haven't seen it before you should get accustomed to it if your scanner isn't sophisticated enough to measure the workarounds or compensating controls you will implement.

curl shipped by Microsoft
https://curl.se/windows/microsoft.html

Open Source Curl Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-43552

"Is CVE-2022-43552 going to be addressed in all supported versions of Windows?

"Supported versions of Windows will be updated in a future security release after the March 14, 2023 release. This CVE will be updated when the update is available. Use the Security Update Guide Profile to sign up for automatic notifications."

https://learn.microsoft.com/en-us/answers/questions/1186328/update-curl-7-88-1-windows-server

https://www.tenable.com/plugins/nessus/171859

Greg Askew
  • 35,880
  • 5
  • 54
  • 82