1. When will an update be available to address this vulnerability?

Microsoft is fully aware of this issue and is actively working to release version 8.4.0 of curl.exe in a future Windows update for currently supported, on-premises versions of Windows clients and servers. The Security Updates table for this CVE will be updated with the Windows update KB numbers for all supported versions as they are released. Customers will be notified via a revision to this security vulnerability when those KB numbers are available. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See Microsoft Technical Security Notifications and Security Update Guide Notification System News: Create your profile now – Microsoft Security Response Center.

2. What is the curl open-source project?

Curl is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various network protocols. The name stands for "Client for URL". The Windows implementation provides access to the command-line tool, not the library.

3. Why is this HackerOne CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in curl.exe software which is consumed by Microsoft Windows. It is being documented in the Security Update Guide to make customers aware that Microsoft Windows is affected by this CVE, and that Microsoft will be including the curl fix for this vulnerability in a future Windows security update. Note that we do not provide CVSS scores for non-Microsoft CVEs. See NVD for scoring information on this CVE.

4. How could an attacker exploit the vulnerability?

To exploit this vulnerability, an attacker would have to convince the victim to manually launch the curl utility and direct it to connect to a compromised server. This causes a denial of service of curl. For more information see HTTP headers eat al
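
Until the KB numbers are published, a host can be checked directly for whether its Windows-shipped curl.exe has reached the 8.4.0 release named in the first answer. The PowerShell below is an added example, not Microsoft's or the curl project's code; the function names are hypothetical, and treating every build below 8.4.0 as pending is an assumption taken from this FAQ, not a statement of the affected version range.

```powershell
# Version the FAQ says Microsoft will ship in a future Windows update.
$FixedVersion = [version]'8.4.0'

# Hypothetical helper: extract X.Y.Z from the first line of `curl.exe --version`,
# which has the form "curl 8.0.1 (Windows) libcurl/8.0.1 Schannel ...".
function Get-CurlVersionFromBanner {
    param([string]$Banner)
    if ($Banner -match '^curl\s+(\d+)\.(\d+)\.(\d+)') {
        return [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3])
    }
    return $null
}

# Hypothetical helper: report whether the curl.exe at $Path is below $FixedVersion.
function Test-CurlNeedsUpdate {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\curl.exe'))

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Version = $null
                                  NeedsUpdate = $false; Note = 'curl.exe not present' }
    }

    $banner  = [string](& $Path --version 2>$null | Select-Object -First 1)
    $version = Get-CurlVersionFromBanner -Banner $banner

    if ($null -eq $version) {
        # Fail closed: an unreadable banner is flagged for manual review.
        return [pscustomobject]@{ Path = $Path; Version = $null
                                  NeedsUpdate = $true; Note = 'banner not parsed, check manually' }
    }

    [pscustomobject]@{ Path = $Path; Version = $version
                       NeedsUpdate = ($version -lt $FixedVersion); Note = '' }
}

# Check the System32 copy and, on 64-bit Windows, the SysWOW64 copy.
'System32', 'SysWOW64' |
    ForEach-Object { Test-CurlNeedsUpdate -Path (Join-Path $env:SystemRoot "$_\curl.exe") } |
    Format-Table -AutoSize
```

Other copies of curl.exe on the PATH (for example, ones bundled with third-party tools) are not serviced by Windows Update and can be passed to `Test-CurlNeedsUpdate -Path` individually.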
Maturity: Exploit
HackerOne with HackerOne (https://www.hackerone.com/), Anonymous