Informational

Advisory: curl high severity vulnerability

CVE(N)

CVE-2023-38545

PRODUKT(E)

Cloud Optix

Sophos Endpoint

SafeGuard Enterprise (SGN)

Sophos Central

Sophos Connect Client 2.0

Sophos Email

Sophos Firewall

Sophos Home

Sophos Mobile

Sophos Mobile EAS Proxy

Sophos RED

Sophos Switch

Sophos UTM

Sophos Wireless

Sophos ZTNA

SophosLabs Intelix

Aktualisiert

2023 Oct 23

Artikelversion

Erstellt

2023 Oct 23

Veröffentlichungs-ID

sophos-sa-20231023-curl-vuln

Workaround

Overview

On Wednesday October 11, 2023, the curl project released version 8.4.0 containing a fix for a high severity vulnerability.

Curl is both a library and command line utility for making arbitrary web requests and is used by a very large number of applications. The vulnerability primarily affects the libcurl library, whereas the curl tool is only affected when the user sets certain options related to rate limiting.

Libcurl is a very versatile networking library. As a result, a very large number of applications are potentially affected by this vulnerability.

Patches for curl

The fix is included in version 8.4.0 and newer versions, and can be downloaded here: https://curl.se/download.html

The code change of the fix can be reviewed here: https://github.com/curl/curl/commit/fb4415d8aee6c1

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

Product or Service	Status	Description
Cloud Optix	Not affected	Vulnerable code cannot be controlled by adversary
PureMessage Exchange	Not affected	Component not present
PureMessage Unix	Not affected	Component not present
SafeGuard Enterprise (SGN)	Not affected	Vulnerable code not present
SG UTM (all versions)	Not affected	Vulnerable code not present
Sophos Central	Not affected	Vulnerable code cannot be controlled by adversary
Sophos Endpoint protection (Windows)	Not affected	Component not present
Sophos Endpoint protection (macOS)	Not affected	Component not present
Sophos Endpoint protection (Linux)	Not affected	Vulnerable code cannot be controlled by adversary
Sophos Email	Not affected	Vulnerable code not present
Sophos Enterprise Console (SEC)	Not affected	Component not present
Sophos Firewall (all versions)	Not affected	Vulnerable code not in execute path
SophosConnect client	Not affected	Component not present
Sophos Home (Windows)	Not affected	Component not present
Sophos Home (macOS)	Not affected	Component not present
Sophos Mobile	Not affected	Component not present
Sophos Mobile EAS Proxy	Not affected	Component not present
Sophos Mobile Control app (iOS + Android)	Not affected	Component not present
Sophos Intercept X for Mobile app (iOS + Android)	Not affected	Vulnerable code not in execute path
Sophos Secure Email app (iOS + Android)	Not affected	Component not present
Sophos Secure Workspace app (iOS + Android)	Not affected	Component not present
Sophos Chrome Security	Not affected	Component not present
Sophos PhishThreat	Not affected	Vulnerable code not present
Sophos RED	Not affected	Vulnerable code not in execute path
Sophos AP/APX	Not affected	Vulnerable code not in execute path
Sophos Wireless	Not affected	Vulnerable code not in execute path
Sophos Switch	Not affected	Vulnerable code not in execute path
Sophos Central Managed APX	Not affected	Vulnerable code not in execute path
SAV DI	Not affected	Vulnerable code not in execute path
SUSI	Affected	Fix in SUSI v2.4 (expected in CQ4)
AV Engine (all platforms)	Not affected	Vulnerable code cannot be controlled by adversary

Related Information

Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.