On Wed, 29 Jan 2025, Zac Todd via curl-library wrote:

> I've recently had CVE-2024-7264 popping up in CrowdStrike as an open
> vulnerability. For a little context, I have had very little to do with
> this curl stuff.

You don't mention what OS you're on, nor where (inside which product) CrowdStrike identified this vulnerability.

Your mention of 'dll' and the reddit link however make me draw two conclusions: this is on Windows, and this "warning" is not about the bundled curl.exe?

If the specific dll it warns about was not shipped by the curl project, you are better off asking the team that built and shipped it. If you have the same version that was mentioned in the reddit post of yours, it is part of a Microsoft application install and then you need to contact Microsoft support.

The reddit page might imply that the libcurl actually comes from a "Salesforce ODBC Driver" for office? If so, then the manufacturer of that thing is responsible.

> Is simply having the affected version of the libcurl.dll file enough to make a computer vulnerable or does it also require the specific backend before it is a problem?

First: your computer is probably not vulnerable at all. This is a warning from software that profits from warning about things it knows very little about. And if it is right, which occasionally happens, the one entity that can fix this is the package that ships the vulnerable libcurl: they can just build a fixed version and ship that instead.

We announced the fix at the same time we announced that CVE, and all the details are at https://curl.se/docs/CVE-2024-7264.html. So there has been a fix available for about six months.

What is kind of ironic here, is that Windows itself ships curl.exe 8.9.1, which does not contain this problem.

> If it does require a specific backend, how can I determine if that backend is being used in order to remediate the threats?

Ask your support person for the software deemed vulnerable. If you want to investigate it yourself you can of course dissect the dll and probably figure it out. I think there's a fair chance they use Schannel on Windows.

The curl project ships releases as tarballs. We release source code archives. Most applications (that are not Linux) build their own curl/libcurl and bundle that with their software. Like in this case. This means that no one other than the original distributor can update and provide libcurl in the same way. They can and should get an updated version from us, then ship an update of their software.

I offer commercial support to companies to help them with things like this.

--

 / daniel.haxx.se || https://rock-solid.curl.dev
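Added example, not part of the thread above: one practical way to answer the "which version and which TLS backend" question without disassembling anything is to load the flagged DLL and call libcurl's own `curl_version()`, which returns a string such as `libcurl/8.8.0 Schannel zlib/1.3`. The DLL path is a hypothetical placeholder, and 8.9.1 is used as the comparison point because the thread names it as the release that does not contain the problem.

```python
import ctypes
import os
import re
from typing import Optional

# The thread names 8.9.1 as the release that does not contain CVE-2024-7264.
FIXED_VERSION = (8, 9, 1)

# Leading "libcurl/X.Y.Z" token, then the TLS backend token that follows it.
_VERSION_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)(?:-\S+)?\s+(\S+)")


def parse_curl_version(version_string: str) -> dict:
    """Parse the string curl_version() returns, e.g.
    'libcurl/8.8.0 Schannel zlib/1.3' -> version tuple plus TLS backend name."""
    m = _VERSION_RE.match(version_string)
    if not m:
        raise ValueError(f"unrecognised curl_version() string: {version_string!r}")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    # Backend token is 'Schannel' or e.g. 'OpenSSL/3.0.13'; keep only the name.
    backend = m.group(4).split("/", 1)[0]
    return {"version": version, "tls_backend": backend}


def is_fixed(version: tuple) -> bool:
    """True if this libcurl is at least 8.9.1, the release the thread cites as fixed."""
    return version >= FIXED_VERSION


def inspect_libcurl_dll(path: str) -> Optional[dict]:
    """Load a libcurl DLL and ask it what it is. Returns None if the file is absent.
    Note: loading runs the DLL's initialisation code, so do this on a host where
    the DLL is already installed and trusted, not on an analysis box."""
    if not os.path.exists(path):
        return None
    lib = ctypes.CDLL(path)
    lib.curl_version.restype = ctypes.c_char_p  # char *curl_version(void)
    lib.curl_version.argtypes = []
    info = parse_curl_version(lib.curl_version().decode("ascii", "replace"))
    info["fixed"] = is_fixed(info["version"])
    return info


if __name__ == "__main__":
    # Hypothetical path: replace with the DLL that CrowdStrike flagged.
    result = inspect_libcurl_dll(r"C:\Program Files\SomeVendor\libcurl.dll")
    print(result if result else "DLL not found at the hypothetical path")
```

The result tells you the version and backend only; whether the vulnerable code path is ever reached by the bundling application is still a question for that application's vendor, as the reply above says.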