Community
    • Login

    libcurl.dll and CVE-2023-32001

    Scheduled Pinned Locked Moved Security
    4 Posts 3 Posters 3.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Peter FellP
      Peter Fell
      last edited by Peter Fell

      One of our Windows 2019 servers has Notepad++ installed and has been flagged as having a vulnerability, namely CVE-2023-32001 relating to libcurl.dll. I checked the server and the only instance of that file I could find was in “C:\Program Files\Notepad++\updater” and the file version is 7.79.1.0. I just updated Notepad+ to the latest release 8.5.4 to see if the file would be updated but it didn’t. Will that file eventually get updated at some point or is there any issues if I remove it or remove the automatic updater service assuming that is possible?

      Peter

      PeterJonesP mkupperM 2 Replies Last reply Reply Quote 1
      • PeterJonesP
        PeterJones @Peter Fell
        last edited by

        @Peter-Fell said in libcurl.dll and CVE-2023-32001:

        Will that file eventually get updated at some point or is there any issues if I remove it or remove the automatic updater service assuming that is possible?

        I checked for issues regarding that CVE or searching for “libcurl” in the issues. It looks like someone reported libcurl 7.79.1 here and then was asked to re-report it in the wingup repo.

        The developer self-assigned the issue, but may have forgotten about it. I will ping that issue.

        or is there any issues if I remove it or remove the automatic updater service assuming that is possible?

        Notepad++ won’t be able to auto-update. Other than that, no issues that I’m aware of. So if you’re worried until libcurl gets updated, you can manually delete libcurl.dll and gup.exe from your notepad++ installation.

        1 Reply Last reply Reply Quote 0
        • mkupperM
          mkupper @Peter Fell
          last edited by

          @Peter-Fell said in libcurl.dll and CVE-2023-32001:

          libcurl.dll

          In looking at https://nvd.nist.gov/vuln/detail/CVE-2023-32001 the dll is getting flagged because someone feels that the libcurl developers used a common coding practice that could potentially be exploited.

          https://hackerone.com/reports/2039870 goes into much detail. It appears the libcurl developers are aware of the issue.

          If the potential vulnerability bothers you then disable Notpad++'s automatic check for updates and delete or rename libcurl.dll. It’s only used to check for and download updates to Notepad++. If you then do a “Check for updates” you will get a pop-up about

          GUP.exe - System Error
          The code execution cannot proceed because libcurl.dll was not found. Reinstalling the program may fix this problem. 
          

          I suspect the odds are low it could be exploited as the attacker would first need to find libcurl.dll and then to have an elevated process use it. Normally libcurl.dll is only used by GUP.exe which is itself is normally not elevated. I’d need to think about if and when GUP.exe gets elevated. Maybe it does so when it sees that it needs to update the Notepad++.exe files? I suspect though that GUP.exe first downloads the new installer using libcurl.dll as a non-elevated process and then elevates to perform the installation.

          1 Reply Last reply Reply Quote 1
          • Peter FellP
            Peter Fell
            last edited by

            Great, thanks both for your comments.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            The Community of users of the Notepad++ text editor.
            Powered by NodeBB | Contributors