The maintainers of curl have announced two vulnerabilities that will be fixed in curl 8.4.0, released on the 11th of October 2023. CVE-2023-38545 is rated high severity and affects both libcurl and the curl tool; CVE-2023-38546 is rated low severity and affects libcurl only. This page helps you identify systems that run curl beforehand, so that you can take immediate action once the fix is available. As advised by multiple security organisations, your company should create an inventory of all systems that run or embed curl. This can be done by running the following query in Defender for Endpoint. Keep in mind that the software inventory only lists curl installations that Defender recognises as an installed product; bundled or statically linked copies of libcurl (inside containers or vendored into other applications) may not appear there, which is why the query also considers devices that have executed curl.
```kql
// List all devices that have curl installed or use curl.
// Devices seen executing curl in the last 30 days: this also catches bundled
// or static copies that the software inventory does not list as a product.
let ProcessBasedDevices = DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where FileName in~ ("curl.exe", "curl") or ProcessCommandLine has "curl"
    | distinct DeviceId, DeviceName;
DeviceTvmSoftwareInventory
| where SoftwareName has "curl"
// Compare versions numerically. substring(SoftwareVersion, 3) would turn
// "7.81.0" into "1.0" and "8.3.0" into "0", so strip any distro suffix
// (e.g. "-1ubuntu1.14") and let parse_version() do the comparison instead.
| extend NumericVersion = extract(@"^(\d+\.\d+(?:\.\d+)?)", 1, SoftwareVersion)
| where parse_version(NumericVersion) < parse_version("8.4.0")
| join kind=fullouter ProcessBasedDevices on DeviceId
// Record which data source(s) surfaced the device.
| extend Method = case(isempty(SoftwareVersion), "Process",
                       isempty(DeviceId1), "Software Inventory",
                       "Both")
| extend CombinedName = iff(isempty(DeviceName), DeviceName1, DeviceName)
| extend CombinedId = iff(isempty(DeviceId), DeviceId1, DeviceId)
| project CombinedId, CombinedName, Method, SoftwareName, SoftwareVersion, SoftwareVendor
// To only list unique devices (evidence is then not included)
//| distinct CombinedId, CombinedName
```
```kql
// List devices that have not been patched yet.
// This query only shows results after MDE has indexed the vulnerable devices,
// so no results are expected before the 11th of October.
DeviceTvmSoftwareVulnerabilities
| where CveId in ('CVE-2023-38545', 'CVE-2023-38546')
// If you only want to filter on the high-severity CVE-2023-38545 use:
// | where CveId == 'CVE-2023-38545'
| project DeviceId, DeviceName, CveId, VulnerabilitySeverityLevel, SoftwareName, SoftwareVersion, SoftwareVendor
```
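Until MDE has indexed the CVE records, and on hosts that are not enrolled in Defender at all, you can check a host's curl version directly. The script below is an added example, not part of the original page or of the curl project: it parses the first line of `curl --version` (preferring the `libcurl/x.y.z` token, since the tool and the library can have different versions) and compares the result against the affected ranges published in the curl advisories (CVE-2023-38545: 7.69.0 up to and including 8.3.0; CVE-2023-38546: 7.9.1 up to and including 8.3.0). The version strings used as sample input are constructed for the example, and the function names are my own.

```python
"""Check a curl/libcurl version against CVE-2023-38545 and CVE-2023-38546.

Added example, not part of the original page. The affected ranges are the
upstream ranges from the curl advisories; both issues are fixed in 8.4.0.
"""
import re
import shutil
import subprocess

# CVE -> (first affected version, last affected version), inclusive.
AFFECTED = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract the first dotted numeric version from an arbitrary string.

    Handles plain "8.3.0", two-part "7.88", distro-suffixed "7.81.0-1ubuntu1.14"
    and full banners such as "curl 8.1.2 (x86_64-apple-darwin22.0) libcurl/8.1.2".
    Returns a (major, minor, patch) tuple, or None if no version was found.
    Comparing tuples is what makes (7, 81, 0) < (8, 4, 0) come out right; a
    string or substring comparison would not.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def libcurl_version_from_banner(banner):
    """Take the first line of `curl --version` and return the libcurl version.

    The libcurl/x.y.z token is preferred because the tool can be newer or
    older than the library it is linked against; fall back to the leading
    "curl x.y.z" if the token is absent.
    """
    m = re.search(r"libcurl/(\d+\.\d+(?:\.\d+)?)", banner)
    if m:
        return parse_version(m.group(1))
    return parse_version(banner)


def affected_cves(version):
    """Return the CVE IDs whose affected range contains `version`.

    These are upstream ranges only. A distribution may have backported the
    fix into an older version number, so treat a hit as "verify against the
    distro advisory", not as proof of exposure.
    """
    if version is None:
        return []
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi]


def check_local_curl():
    """Run `curl --version` on this host, if curl is on PATH, and report."""
    path = shutil.which("curl")
    if path is None:
        return {"path": None, "version": None, "cves": []}
    out = subprocess.run([path, "--version"], capture_output=True,
                         text=True, check=False).stdout
    banner = out.splitlines()[0] if out else ""
    version = libcurl_version_from_banner(banner)
    return {"path": path, "version": version, "cves": affected_cves(version)}


if __name__ == "__main__":
    print(check_local_curl())
```

Run it as-is on a host to get the local result, or feed `libcurl_version_from_banner()` the banners collected by whatever fleet tooling you already have (Ansible, SSH loops, an EDR script action). Note that the script only sees the curl binary on PATH; copies of libcurl bundled into other applications or containers still have to be enumerated separately.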
- https://www.rezilion.com/blog/cve-2023-38545-a-high-severity-curl-and-libcurl-cve-to-be-published-on-october-11th/
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/05/curl-8-4-0-proactively-identifying-potential-vulnerable-assets
- https://www.docker.com/blog/security-advisory-high-severity-curl-vulnerability/