libcurl.dll and CVE-2023-32001
One of our Windows 2019 servers has Notepad++ installed and has been flagged as having a vulnerability, namely CVE-2023-32001 relating to libcurl.dll. I checked the server and the only instance of that file I could find was in “C:\Program Files\Notepad++\updater” and the file version is 220.127.116.11. I just updated Notepad++ to the latest release 8.5.4 to see if the file would be updated but it didn’t. Will that file eventually get updated at some point or are there any issues if I remove it or remove the automatic updater service, assuming that is possible?
Will that file eventually get updated at some point or are there any issues if I remove it or remove the automatic updater service, assuming that is possible?
The developer self-assigned the issue, but may have forgotten about it. I will ping that issue.
or are there any issues if I remove it or remove the automatic updater service, assuming that is possible?
Notepad++ won’t be able to auto-update. Other than that, no issues that I’m aware of. So if you’re worried until libcurl gets updated, you can manually delete libcurl.dll and gup.exe from your Notepad++ installation.
In looking at https://nvd.nist.gov/vuln/detail/CVE-2023-32001 the dll is getting flagged because someone feels that the libcurl developers used a common coding practice that could potentially be exploited.
https://hackerone.com/reports/2039870 goes into much detail. It appears the libcurl developers are aware of the issue.
If the potential vulnerability bothers you then disable Notepad++'s automatic check for updates and delete or rename libcurl.dll. It’s only used to check for and download updates to Notepad++. If you then do a “Check for updates” you will get a pop-up about
GUP.exe - System Error The code execution cannot proceed because libcurl.dll was not found. Reinstalling the program may fix this problem.
I suspect the odds are low it could be exploited as the attacker would first need to find libcurl.dll and then to have an elevated process use it. Normally libcurl.dll is only used by GUP.exe, which itself is normally not elevated. I’d need to think about if and when GUP.exe gets elevated. Maybe it does so when it sees that it needs to update the Notepad++.exe files? I suspect though that GUP.exe first downloads the new installer using libcurl.dll as a non-elevated process and then elevates to perform the installation.
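As an added example (not code from the thread or from the Notepad++ project), the inventory step the posters describe by hand, done for a whole server: find every libcurl.dll copy, read its file version and Authenticode status, and flag the Notepad++ updater copy. It assumes only built-in PowerShell 5.1 cmdlets; $MinimumFixedVersion is a placeholder to be set from the curl advisory for CVE-2023-32001.

```powershell
# Inventory libcurl.dll copies so a scanner finding for CVE-2023-32001 can be
# verified per host. Added example; not from the thread or Notepad++.
# $MinimumFixedVersion is a placeholder: set it to the first curl release the
# advisory for CVE-2023-32001 lists as fixed before trusting the BelowFixed column.
param(
    [string[]]$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA),
    [version]$MinimumFixedVersion = [version]'0.0.0.0'   # placeholder, see above
)

function Get-LibcurlInventory {
    param([string[]]$Roots, [version]$FixedVersion)

    # Drop empty roots (e.g. ProgramFiles(x86) on a 32-bit host) and missing paths.
    $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object {
        Get-ChildItem -LiteralPath $_ -Filter 'libcurl.dll' -Recurse -File -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $vi  = $_.VersionInfo
        # FileVersionRaw is the numeric version; FileVersion may carry free text.
        $ver = $vi.FileVersionRaw
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Path           = $_.FullName
            FileVersion    = $ver
            ProductName    = $vi.ProductName
            Signature      = $sig.Status
            Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # True when the copy is older than the version you set as fixed.
            BelowFixed     = ($null -ne $ver -and $ver -lt $FixedVersion)
            # The copy discussed in the thread lives in ...\Notepad++\updater next to GUP.exe.
            NotepadUpdater = ($_.DirectoryName -like '*\Notepad++\updater')
            LastWriteUtc   = $_.LastWriteTimeUtc
        }
    }
}

$inventory = Get-LibcurlInventory -Roots $SearchRoots -FixedVersion $MinimumFixedVersion
$inventory | Sort-Object Path | Format-Table -AutoSize

# Summary line for ticketing: how many copies still sit below the fixed version.
$below = @($inventory | Where-Object BelowFixed).Count
Write-Host "libcurl.dll copies found: $($inventory.Count); below fixed version: $below"
```

Run it on each flagged server before deciding whether to remove libcurl.dll and GUP.exe as suggested above; the Signature column also tells you whether the copy is still the one shipped with Notepad++.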
Great, thanks both for your comments.