Advisory: curl high severity vulnerability

Sophos Security Advisory

MoritzGrimm

Summary

Overview

On Wednesday October 11, 2023, the curl project released version 8.4.0 containing a fix for a high severity vulnerability.

Curl is both a library (libcurl) and a command-line utility for making arbitrary web requests, and it is used by a very large number of applications. The vulnerability primarily affects the libcurl library; the curl tool is only affected when the user sets certain options related to rate limiting.

Libcurl is a very versatile networking library. As a result, a very large number of applications are potentially affected by this vulnerability.

Patches for curl

The fix is included in version 8.4.0 and newer versions, and can be downloaded here: https://curl.se/download.html

The code change for the fix can be reviewed here: https://github.com/curl/curl/commit/fb4415d8aee6c1

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

Product or Service | Status | Description
Cloud Optix | Not affected | Vulnerable code cannot be controlled by adversary
PureMessage Exchange | Not affected | Component not present
PureMessage Unix | Not affected | Component not present
SafeGuard Enterprise (SGN) | Not affected | Vulnerable code not present
SG UTM (all versions) | Not affected | Vulnerable code not present
Sophos Central | Not affected | Vulnerable code cannot be controlled by adversary
Sophos Endpoint protection (Windows) | Not affected | Component not present
Sophos Endpoint protection (macOS) | Not affected | Component not present
Sophos Endpoint protection (Linux) | Not affected | Vulnerable code cannot be controlled by adversary
Sophos Email | Not affected | Vulnerable code not present
Sophos Enterprise Console (SEC) | Not affected | Component not present
Sophos Firewall (all versions) | Not affected | Vulnerable code not in execute path
SophosConnect client | Not affected | Component not present
Sophos Home (Windows) | Not affected | Component not present
Sophos Home (macOS) | Not affected | Component not present
Sophos Mobile | Not affected | Component not present
Sophos Mobile EAS Proxy | Not affected | Component not present
Sophos Mobile Control app (iOS + Android) | Not affected | Component not present
Sophos Intercept X for Mobile app (iOS + Android) | Not affected | Vulnerable code not in execute path
Sophos Secure Email app (iOS + Android) | Not affected | Component not present
Sophos Secure Workspace app (iOS + Android) | Not affected | Component not present
Sophos Chrome Security | Not affected | Component not present
Sophos PhishThreat | Under Investigation |
Sophos RED | Not affected | Vulnerable code not in execute path
Sophos AP/APX | Not affected | Vulnerable code not in execute path
Sophos Wireless | Not affected | Vulnerable code not in execute path
Sophos Switch | Not affected | Vulnerable code not in execute path
Sophos Central Managed APX | Not affected | Vulnerable code not in execute path
SAV DI | Not affected | Vulnerable code not in execute path
SUSI | Affected | Fix in SUSI v2.4 (expected in CQ4)
AV Engine (all platforms) | Not affected | Vulnerable code cannot be controlled by adversary

Other products and services

Any other products or services not listed above are still under investigation. Sophos will publish updated information as it becomes available.

Severity: Informational
First Published
Updated
Publication ID: sophos-sa-20231023-curl-vuln
Workaround: No
Cloud Optix
Intercept X Endpoint
Intercept X for Server
SafeGuard Enterprise (SGN)
Sophos Central
Sophos Connect Client 2.0
Sophos Email
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos RED
Sophos Switch
Sophos UTM
Sophos Wireless
Sophos ZTNA
SophosLabs Intelix
CVE-2023-38545
Article Version: 1