CVE-2023-38545: Hackerone: CVE-2023-38545 SOCKS5 heap buffer overflow

Overview

Severity

N/A

Category

Remote Code Execution

Exploit Status

Not Exploited

Publicly Disclosed

Yes

Patch Tuesday

2023-Oct

Released

2023-10-19

Last Updated

2024-07-09

EPSS Score

26.25% (percentile: 96.3%)

FAQ

1. When will an update be available to address this vulnerability? UPDATE: Microsoft has included version 8.4.0 of curl.exe in Windows updates released on November 14, 2023 for currently supported, on-premise versions of Windows clients and servers. See the Security Updates table in this CVE for the applicable Windows update KB numbers. Windows security updates are cumulative, so future updates will include curl 8.4.0 or higher. Microsoft is fully aware of this issue and is actively working to release version 8.4.0 of curl.exe in a future Windows update for currently supported, on-premise versions of Windows clients and servers. The Security Updates table for this CVE will be updated with the Windows update KB numbers for all supported versions as they are released. Customers will be notified via a revision to this security vulnerability when those KB numbers are available. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See Microsoft Technical Security Notifications and Security Update Guide Notification System News: Create your profile now – Microsoft Security Response Center. 2. What is the curl open-source project? Curl is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various network protocols. The name stands for "Client for URL". The Windows implementation provides access to the command-line tool, not the library. 3. Why is this Hackerone CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in curl.exe software which is consumed by Microsoft Windows. It is being documented in the Security Update Guide to make customers aware that Microsoft Windows is affected by this CVE, and that Microsoft will be including the curl fix for this vulnerability in a future Windows security update. Note that we do not provide CVSS scores for

Detection & Weaponization (1 sources)

Maturity: Exploit

• GitHub PoC: 9 repositories

Affected Products (25)

Microsoft Office

• Microsoft Office 2019 for 32-bit editions
• Microsoft Office 2019 for 64-bit editions
• Microsoft 365 Apps for Enterprise for 32-bit Systems
• Microsoft 365 Apps for Enterprise for 64-bit Systems
• Microsoft Office LTSC 2021 for 64-bit editions
• Microsoft Office LTSC 2021 for 32-bit editions

Windows

• Windows 10 Version 1809 for 32-bit Systems
• Windows 10 Version 1809 for x64-based Systems
• Windows 10 Version 1809 for ARM64-based Systems
• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server 2022
• Windows Server 2022 (Server Core installation)
• Windows 11 version 21H2 for x64-based Systems
• Windows 11 version 21H2 for ARM64-based Systems
• Windows 10 Version 21H2 for 32-bit Systems
• Windows 10 Version 21H2 for ARM64-based Systems
• Windows 10 Version 21H2 for x64-based Systems
• Windows 11 Version 22H2 for ARM64-based Systems
• Windows 11 Version 22H2 for x64-based Systems
• Windows 10 Version 22H2 for x64-based Systems
• Windows 10 Version 22H2 for ARM64-based Systems
• Windows 10 Version 22H2 for 32-bit Systems
• Windows 11 Version 23H2 for ARM64-based Systems
• Windows 11 Version 23H2 for x64-based Systems

Security Updates (5)

• 5032196
• 5032198
• 5032192
• 5032189
• 5032190

Acknowledgments

Michael Scovetta of Microsoft Customer Security And Trust Engineering Team

Revision History

• 2023-10-19: Information published.
• 2023-10-20: Updated FAQ #4 information. This is an informational change only.
• 2023-11-14: Microsoft is announcing that the Windows security updates released on November 14, 2023 include curl 8.4.0, which addresses this vulnerability. Microsoft recommends that customers install the November 14, 2023 updates to ensure they have the most up-to-date version of curl. Customers whose Windows devices are configured to receive automatic updates do not need to take any further action.
• 2024-07-09: Microsoft is announcing that the security updates for the following supported versions of Microsoft Office include curl 8.4.0, which addresses this vulnerability: Microsoft 365 Apps for Enterprise, Microsoft Office LTSC 2021, and Microsoft Office 2019.