High severity curl vulnerability: prepare with Microsoft Defender for Cloud

On October 2nd, high severity vulnerabilities in curl were preannounced. The curl project has announced that curl 8.4.0 will be released on October 11th, earlier than expected. While the vulnerabilities have yet to be disclosed, two are expected: high-severity CVE-2023-38545 and low-severity CVE-2023-38546.

curl is a popular command-line tool and library (libcurl) used to transfer data across network protocols using URL syntax. The library is one of the most widely used open-source projects across most operating systems, including Windows and Linux, and is one of the most popular OSS packages present in clients, embedded systems, and cloud-native applications/containers.

Explicit details on the vulnerabilities, such as vectors and impacted versions, have not been disclosed at this time. We will update this blog post with further guidance once the details are available after October 11th. In the meantime, we encourage customers to prepare by understanding where and how curl is used in their environments.

What is the impact and how do I identify risk?

As a widely used OSS component in cloud-native applications, curl is very likely present in many resources, including Virtual Machines and Container Images. We strongly recommend that you collect an inventory of affected resources to ease the remediation process once the update is released.

Microsoft Defender for Cloud offers several ways to quickly determine where in your environment you are vulnerable; this blog covers three of them.

Method 1: Hunt for all impacted resources using the cloud security explorer

Note: To hunt for impacted resources, first enable Defender CSPM in Microsoft Defender for Cloud and ensure that agentless scanning, container registry scanning, and agentless discovery for Kubernetes are enabled. For more details on enabling these services, see the Defender CSPM documentation.

To query the cloud security graph for affected servers:

  1. Sign in to the Azure portal.
  2. Use the following links to pre-populate Cloud Security Explorer queries:

Figure 1. Cloud security explorer query for Virtual Machines containing vulnerable curl packages.

To query the cloud security graph for affected container images:

  1. Sign in to the Azure portal.
  2. Use the following links to pre-populate Cloud Security Explorer queries:

Because this query identifies images with curl by looking for a subset of previously published curl vulnerabilities, it may not capture every affected container image.

Learn more about cloud security explorer and other Defender CSPM capabilities.

Method 2: Identify VMs where the application installed contains curl using Inventory

Note: To hunt for impacted resources, first enable Defender CSPM or Defender for Servers P1 or P2 in Microsoft Defender for Cloud, and ensure that either agentless scanning or vulnerability scanning with Microsoft Defender Vulnerability Management is enabled. For more details on enabling these services, see the documentation for Defender CSPM and for Defender for Servers.

  1. Sign in to the Azure portal.
  2. Filter for Installed applications contains curl.
  3. Sort based on the number of unhealthy recommendations.
  4. Remediate the unhealthy recommendations to ensure that your attack surface is reduced.

Figure 2. Filter Inventory for installed curl applications.

Method 3: Identify resources containing curl using Azure Resource Graph

  1. Follow the above steps. Within the Inventory blade select Open Query.
  2. Run the sample queries below.

Figure 3. Open Azure Resource Graph query from Inventory.

Sample query for retrieving virtual machines running curl:

securityresources
| where type == "microsoft.security/softwareinventories"
| where name has "curl"
| extend deviceId = tostring(properties.deviceId),
    subscriptionId = tostring(properties.azureSubscriptionId),
    osPlatform = tostring(properties.osPlatform),
    version = tostring(properties.version),
    softwareName = tostring(properties.softwareName),
    azureVMId = tostring(properties.azureVmId)
// Resource IDs that come through a security connector (multicloud) have a longer path, so the VM name sits at a different segment
| extend vmId = iff(azureVMId has "securityconnectors", split(azureVMId, '/')[10], split(azureVMId, '/')[8])
// Classify the machine as Azure Arc, multicloud (AWS/GCP via connector), or native Azure
| extend environment = iff(id has "Microsoft.HybridCompute", "arc", iff(id has "microsoft.security/securityconnectors", "multicloud", "azure"))
| project id, subscriptionId, vmId, softwareName, version, osPlatform, environment

Sample query for retrieving container images with a curl vulnerability:

securityresources
| where type =~ "microsoft.security/assessments/subassessments"
// Pull the assessment key and the sub-assessment (CVE) id out of the resource id
| extend assessmentKey = extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id),
    subAssessmentId = tostring(properties.id),
    parentResourceId = extract("(.+)/providers/Microsoft.Security", 1, id)
| extend resourceId = tostring(properties.resourceDetails.id)
| extend subAssessmentName = tostring(properties.displayName),
    subAssessmentDescription = tostring(properties.description),
    subAssessmentRemediation = tostring(properties.remediation),
    severity = tostring(properties.status.severity),
    status = tostring(properties.status.code),
    cause = tostring(properties.status.cause),
    statusDescription = tostring(properties.status.description),
    additionalData = tostring(properties.additionalData)
// Keep only the container image vulnerability assessment, and only findings that are still open
| where assessmentKey == "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5"
| where status == "Unhealthy"
// Restrict to a known set of curl CVEs so that only images containing curl are returned
| where subAssessmentId in ("CVE-2017-8816", "CVE-2018-1000120", "CVE-2021-22924", "CVE-2022-42916", "CVE-2016-5421", "CVE-2018-16840", "CVE-2022-32221", "CVE-2017-7407", "CVE-2015-3143", "CVE-2018-1000121", "CVE-2019-5435", "CVE-2017-1000101", "CVE-2023-27536", "CVE-2022-27776", "CVE-2017-1000254", "CVE-2016-0755", "CVE-2023-23914", "CVE-2015-3145", "CVE-2014-3707", "CVE-2017-8818", "CVE-2022-42915", "CVE-2017-1000257", "CVE-2018-16839", "CVE-2019-3822", "CVE-2021-22890", "CVE-2022-27779", "CVE-2022-30115", "CVE-2021-22898", "CVE-2014-0138", "CVE-2019-3823", "CVE-2020-8284", "CVE-2019-5436", "CVE-2022-27782", "CVE-2023-27538", "CVE-2018-0500", "CVE-2021-22946","CVE-2014-0139", "CVE-2020-8231", "CVE-2022-43552", "CVE-2021-22901", "CVE-2022-27780", "CVE-2020-8169", "CVE-2018-16890", "CVE-2018-14618", "CVE-2015-3144", "CVE-2022-32207", "CVE-2023-27533", "CVE-2022-32205", "CVE-2023-23916", "CVE-2022-43551", "CVE-2017-8817", "CVE-2022-27774", "CVE-2021-22947", "CVE-2013-4545", "CVE-2022-27775", "CVE-2022-27778", "CVE-2020-8177", "CVE-2022-32206", "CVE-2023-27535", "CVE-2017-1000100", "CVE-2019-5482", "CVE-2021-22945", "CVE-2013-2174", "CVE-2022-22576", "CVE-2021-22876", "CVE-2014-8150", "CVE-2022-35260", "CVE-2018-1000122", "CVE-2021-22925", "CVE-2018-16842")
| extend repositoryName = tostring(properties.additionalData.artifactDetails.repositoryName),
    registry = tostring(properties.additionalData.artifactDetails.registryHost)
| distinct repositoryName, registry

Identify other curl usage patterns

Depending on your use case, it might be worth monitoring certain curl usage patterns. For example, you might have inadvertently hardcoded a curl release for download in a Dockerfile or a CI workflow definition.

For GitHub repos, you can leverage GitHub Code Search with a query like: (path:.github AND path:.yml) OR (path:Dockerfile) AND (curl.se/download OR github.com/curl/curl/releases) AND (org:<your org>).

You might encounter a hardcoded release number in this URL, or a parameter pointing to a hardcoded value. The screenshot below shows both patterns:

Figure 4. Hardcoded curl release
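As an added example (not part of the original post), the following Python script scans Dockerfile and workflow text for the two patterns just described: a curl download URL from curl.se/download or github.com/curl/curl/releases that carries a hardcoded version, and a parameter that pins one. The sample files, the parameter name CURL_VERSION and the regular expressions are constructed here; versions are compared against the 8.4.0 release the post names, since the affected versions had not been disclosed at the time.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs (not from the original post): a Dockerfile that
# downloads a hardcoded curl tarball, and a GitHub Actions workflow that pins
# the version through a parameter and then uses it in the release URL.
SAMPLE_FILES: Dict[str, str] = {
    "Dockerfile": (
        "FROM ubuntu:22.04\n"
        "RUN wget https://curl.se/download/curl-8.2.1.tar.gz && tar xzf curl-8.2.1.tar.gz\n"
    ),
    ".github/workflows/build.yml": (
        "env:\n"
        "  CURL_VERSION: 8.3.0\n"
        "steps:\n"
        "  - run: curl -LO https://github.com/curl/curl/releases/download/curl-8_3_0/curl-${CURL_VERSION}.tar.gz\n"
    ),
}

FIXED_VERSION = (8, 4, 0)  # the release the post says will carry the fix

# Pattern 1: a download URL on curl.se or the GitHub releases page carrying a
# version in dotted (curl-8.3.0) or underscore (curl-8_3_0) form.
URL_RE = re.compile(
    r"(?:curl\.se/download|github\.com/curl/curl/releases)\S*?curl[-_](\d+)[._](\d+)[._](\d+)"
)
# Pattern 2: a parameter pinning the version (assumed name CURL_VERSION), e.g.
# "ARG CURL_VERSION=8.3.0" in a Dockerfile or "CURL_VERSION: 8.3.0" in YAML.
PARAM_RE = re.compile(r"CURL_VERSION\s*[=:]\s*\"?(\d+)\.(\d+)\.(\d+)")


def find_pinned_curl(path: str, text: str) -> List[Tuple[str, int, str, bool]]:
    """Return (path, line number, version, older_than_fix) for each hardcoded curl version."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for pattern in (URL_RE, PARAM_RE):
            for match in pattern.finditer(line):
                version = tuple(int(part) for part in match.groups())
                findings.append((path, line_no, ".".join(map(str, version)), version < FIXED_VERSION))
    return findings


def scan(files: Dict[str, str]) -> List[Tuple[str, int, str, bool]]:
    """Scan every file in the mapping and concatenate the findings."""
    return [f for path, text in files.items() for f in find_pinned_curl(path, text)]


if __name__ == "__main__":
    for path, line_no, version, stale in scan(SAMPLE_FILES):
        note = "older than 8.4.0, update once released" if stale else "already at/after 8.4.0"
        print(f"{path}:{line_no}: curl {version} ({note})")
```

Point `scan` at the real contents of your Dockerfiles and `.github/workflows/*.yml` files to get the same list for a repository; a URL that references the version only through a variable is not flagged by the URL pattern, which is why the parameter pattern exists.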



Next steps

We will continue to share updates to this blog post as more details become available.

Authors

  • Lara Goldstein, Product Manager 2
  • Charles Oxyer, Product Manager
  • Jose Miguel Parrella, Principal Architect
