High severity curl vulnerability: prepare with Microsoft Defender for Cloud

On October 3rd, high severity vulnerabilities in curl were preannounced. The curl project has announced that curl8.4.0 has now been released, earlier than expected. Two vulnerabilities have now been disclosed: high-severity CVE-2023-38545 and low-severity CVE-2023-38546.  

curl is a popular command-line tool and library (libcurl) used to transfer data across protocols using URL syntax. The library is one of the most widely used open-source projects across most operating systems, including Windows and , and is one of the most popular OSS packages present in clients, embedded systems, and cloud-native applications/containers.  

CVE-2023-38545 refers to a heap overflow vulnerability associated with the SOCKS5 proxy handshake in both libcurl and curl. When curl receives a hostname exceeding 255 bytes to relay to a SOCKS5 proxy, it defaults to local name resolution to determine the address before transferring it to the SOCKS5 proxy. A 2020 bug makes this local resolution potentially fail if the SOCKS5 handshake is delayed. As a result, curl might forward the oversized hostname to the intended buffer, triggering a heap overflow.

CVE-2023-38546 pertains to a cookie injection vulnerability in curl_easy_duphandle(), a libcurl function responsible for duplicating easy handles. If cookies are active when an easy handle is duplicated, the resulting duplicate doesn't copy the actual cookies. Instead, it sets the filename to ‘none.' As a consequence, when this duplicated easy handle is later utilized and no source is defined for the cookies, libcurl tries to load them from a file titled ‘none' located on the storage.

What is the impact and how do I identify risk?

As a widely used OSS component in cloud-native applications, curl is very likely present in many resources, including and Container Images. We strongly recommend that you collect an inventory of affected resources to ease the remediation process once the update is released.

Microsoft for Cloud has multiple ways to quickly determine where in your environment you are vulnerable that are covered in this blog.

Method 1: Hunt for all impacted resources using the cloud security explorer

Note: To hunt for impacted resources, first enable CSPM in Microsoft for Cloud and ensure that the agentless scanning, container registry scanning, and agentless discovery for are enabled. For more details on enabling these services, click here for Defender CSPM.

To query the cloud security graph for affected servers: 

  1. Sign in to the Azure portal.
  2. Use the following links to pre-populate Cloud Security Explorer queries:

Figure 1. Cloud security explorer query for Virtual Machines containing vulnerable curl packages.Figure 1. Cloud security explorer query for containing vulnerable curl packages.

To query the cloud security graph for affected container images: 

  1. Sign in to the Azure portal.
  2. Use the following links to pre-populate Cloud Security Explorer queries:

Learn more about cloud security explorer and other Defender CSPM capabilities.

Method 2: Identify VMs where the application installed contains curl using Inventory

Note: To hunt for impacted resources, first enable Defender CSPM or Defender for Servers P1 or P2 in Microsoft Defender for Cloud and ensure that agentless scanning is enabled or that vulnerability scanning with Microsoft Defender Vulnerability Management is enabled. For more details on enabling these services, click here for Defender CSPM and here for Defender for Servers.

  1. Sign in to the Azure portal.
  2. Filter for Installed applications contains curl.
  3. Sort based on the number of unhealthy recommendations.
  4. Remediate the unhealthy recommendations to ensure that your attack surface is reduced.

Figure 2. Filter Inventory for security findings with CVE-2023-38545.Figure 2. Filter Inventory for security findings with CVE-2023-38545.

Method 3: Identify resources containing curl using Azure Resource Graph

  1. Follow the above steps. Within the Inventory blade select Open Query. 
  2. Run the sample queries below.

Figure 3. Open Azure Resource Graph query from Inventory.Figure 3. Open Azure Resource Graph query from Inventory.

Sample query for retrieving running curl: 

| where type == "microsoft.security/softwareinventories"
| where name has "curl"
| extend deviceId = tostring(properties.deviceId),
subscriptionId = tostring(properties.azureSubscriptionId),
osPlatform = tostring(properties.osPlatform),
version = tostring(properties.version),
softwareName = tostring(properties.softwareName),
azureVMId = tostring(properties.azureVmId)
| where not(version has ("8.4"))
| extend vmId = iff(azureVMId has "securityconnectors", split(azureVMId, '/')[10], split(azureVMId, '/')[8])
| extend environment = iff(id has "Microsoft.HybridCompute", "arc", iff(id has "microsoft.security/securityconnectors", "multicloud", "azure"))
| project id, subscriptionId, vmId, softwareName, version, osPlatform, environment

Sample query for retrieving container images with a curl vulnerability:

| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId= extract("(.+)/providers/Microsoft.Security", 1, id)
| extend resourceId = tostring(properties.resourceDetails.id)
| extend subAssessmentName=tostring(properties.displayName),
| where assessmentKey == "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5"
| where status == "Unhealthy"
| where subAssessmentId in ("CVE-2023-38545","CVE-2023-38546")
| extend repositoryName = tostring(properties.additionalData.artifactDetails.repositoryName), 
registry = tostring(properties.additionalData.artifactDetails.registryHost)
| distinct repositoryName, registry 

Identify other curl usage patterns

Depending on your use case, it might be worth monitoring certain curl usage patterns. For example, you might have inadvertently hardcoded a curl release for download in a Dockerfile or a CI workflow definition.

For GitHub Repos, you can leverage GitHub Code Search with a query like: (path:.github AND path:.yml) OR (path:Dockerfile) AND (curl.se/download OR github.com/curl/curl/releases) AND (org:).

You might encounter a hardcoded release number in this URL, or a parameter pointing to a hardcoded value. The screenshot below shows both patterns:

Figure 4. Hardcoded curl releaseFigure 4. Hardcoded curl release


  • Lara Goldstein, Product Manager 2
  • Charles Oxyer, Product Manager
  • Jose Miguel Parrella, Principal Architect


This article was originally published by Microsoft's Defender for Cloud Blog. You can find the original article here.