Question

cURL - Patching and Worklets

  • 6 October 2023
  • 6 replies
  • 193 views

Badge

Hey all, 

Brand new to the Automox Community here, really loving the software so far. However, I’m running into a weird issue. So, we’ve gotta update cURL, and I’m running into a pair of issues.

To start, within Automox, I cannot see it as a listed package. I know it’s installed, and can see it in my Tenable dashboard. This leaves the bulk actions/software patching option out. 

So, in lieu of this, I’ve tried to make a worklet to meet the requirements. I’ve found some PowerShell online that seems to fit what I’d need it to do, but when I run it on my test machine, I get the attached logs, and the issue persists. Could anyone offer some advice?

param (
    [string]$SearchBase,
    [string]$updatedCurlPath = 'C:\temp\CurlUpdate\curl.exe',
    [string]$sourcePath = 'c$\Windows\System32\curl.exe'
)
# Needs the RSAT ActiveDirectory module: the script enumerates computers from AD and
# runs from a machine that can query the domain, pushing the file out over the admin share.
Import-Module ActiveDirectory -ErrorAction Stop
$computers = Get-ADComputer -Filter * -SearchBase $SearchBase
# Alternative: build the list from an AD group instead of an OU.
# $computers = @()
# $AdGroup = Get-ADGroupMember -Identity "Group Name"
# Foreach ($one in $AdGroup) {
#     $computers += Get-ADComputer -Identity $one.name
# }
$rights = 'FullControl'
$type = 'Allow'
$adminGroup = 'BUILTIN\Administrators'
$adminAccount = [System.Security.Principal.NTAccount]::new($adminGroup)
$adminFullAccessRule = [System.Security.AccessControl.FileSystemAccessRule]::new($adminGroup, $rights, $type)
$success = @()
$failed = @()
$offline = @()

Foreach ($computer in $computers) {
    # Reset per computer; otherwise a host whose ACL step failed would still fall through to the copy.
    $nextstep = $false
    if (Test-Connection -ComputerName $computer.DNSHostName -Count 1 -Quiet) {
        Write-Host "$($computer.name) is online!" -ForegroundColor Green
        $hostname = $computer.DNSHostName
        $curlPath = "\\$hostname\$sourcePath"   # e.g. \\host\c$\Windows\System32\curl.exe
        Try {
            Write-Host "Checking ACL for $($computer.name)"
            # Keep a copy of the original ACL so it can be put back after the copy.
            $originalAcl = Get-Acl -Path "$curlPath" -ErrorAction Stop
            $adminAcl = Get-Acl -Path "$curlPath" -ErrorAction Stop
            $adminAcl.SetOwner($adminAccount)
            $adminAcl.AddAccessRule($adminFullAccessRule)
            # System32 files are owned by TrustedInstaller; take ownership on the host before changing the ACL.
            Invoke-Command -ComputerName $hostname -ScriptBlock { takeown /f "c:\windows\system32\curl.exe" }
            (Get-Item $curlPath).SetAccessControl($adminAcl)
            $nextstep = $true
        }
        Catch {
            $failed += [pscustomobject]@{
                name    = $computer.name
                message = $_
            }
        }
        if ($nextstep) {
            try {
                Write-Host "Copying $updatedCurlPath to $curlPath"
                Copy-Item -Path $updatedCurlPath -Destination $curlPath -Force
                # Restore the original ACL on the remote file that was just replaced, not on the local source copy.
                (Get-Item $curlPath).SetAccessControl($originalAcl)
                $success += $computer
            }
            Catch {
                $failed += [pscustomobject]@{
                    name    = $computer.name
                    message = $_
                }
            }
        }
    }
    Else {
        $offline += $computer
    }
}

Write-Host "`nSuccessful:" -ForegroundColor Green
$success | ForEach-Object { Write-Host "$($_.name)." }
Write-Host "`nFailed:" -ForegroundColor Yellow
$failed | ForEach-Object { Write-Host "$($_.name) because: $($_.message)" }
Write-Host "`nOffline:" -ForegroundColor Red
$offline | ForEach-Object { Write-Host "$($_.name) is offline" }

Then Logs

Successful:

Failed:

Offline:


6 replies

Userlevel 4
Badge

Hello,

The script you have found is designed to be run on an AD server. At the top of the script you can see it’s anticipating a list of endpoints being provided with this command:
$computers = Get-AdComputer -filter * -SearchBase $SearchBase

Dump all the computers from this location and then start to iterate through them to do something.

It also ends by outputting each of the computers where it succeeded/failed or if the device was offline.

There is some good discussion here about a script to run on an individual computer: https://www.reddit.com/r/sysadmin/comments/11edgx8/comment/jd4ty5x/?utm_source=share&utm_medium=web2x&context=3

This may be where you got the script you posted as well, but as I mentioned, as written it would be run on an AD server to iterate through all the endpoints. Automox will just run on all endpoints without relying on cycling through the endpoints in AD.

There is mention that Microsoft should be including updates to something like this in their cumulatives. If you have a specific CVE identifier, we can take a look at whether or not manual intervention is needed.

Hope that helps

Badge

Mark,

I appreciate your post so much, thank you! I’ll give the single run a try, and return if it goes strangely. Thanks again for your help on this one. 

Badge

Just wanted to update, the above script worked! Thank you again for your help. 

Userlevel 5
Badge +1

Could be a gotcha doing it that way.

Reference this article https://daniel.haxx.se/blog/2023/04/24/deleting-system32curl-exe/ as the author says when you manually update curl you will end up in tears 😢.

This is because when Microsoft does get around to patching it, the manual option will clearly change the file’s hash value and that is where you will run into CU update issues. 


Once the damage is done, this is one way to recover. I’d start with sfc /scannow or the same dism command below without a source. 

Dism /Online /Cleanup-Image /RestoreHealth /Source:WIM:G:\sources\Install.WIM:1 /limitaccess

Three curl vulnerabilities in Windows this year, all discovered with Tenable and I’m sure other vuln scanners. Only one has a patch. Even the latest CU file list still shows the 8.0.1 version of curl for Windows.

  • CVE-2022-43552 (Published 02/09/2023) -- upgrade to Curl 7.87.0 or later -- patched April 2023 CU
  • CVE-2023-38039 (Published 09/15/2023) -- upgrade to Curl 8.3.0 or later -- no known patch from Microsoft
  • CVE-2023-38545 (NVD not published, MITRE 07/20/2023) -- upgrade to Curl 8.4.0 or later -- no known patch from Microsoft

Microsoft now suggests a workaround until they release a fix.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38039

Look under: 7. Are there any workarounds that can be implemented?
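Putting the earlier reply (Automox runs the worklet on every endpoint itself, so no AD enumeration) together with the gotcha in this reply (a hand-replaced System32\curl.exe breaks later CU servicing until sfc /scannow or DISM repairs it), here is an added per-endpoint evaluation script. It is example code, not anything posted in this thread: it reports the bundled curl.exe version against a minimum you set and flags a curl.exe that no longer carries Microsoft's signature, which is what a replaced file looks like. The $MinimumVersion default and the exit-code convention (0 compliant, 1 non-compliant) are assumptions about how you would wire it into a worklet's evaluation step.

```powershell
# Added example, not a script from this thread: an Automox-style evaluation script run
# on each endpoint. Exit 0 = compliant, exit 1 = non-compliant (assumed evaluation
# convention). $MinimumVersion is an assumption; set it to what the advisory requires.
param(
    [version]$MinimumVersion = '8.4.0',
    [string]$CurlPath = "$env:SystemRoot\System32\curl.exe"
)

if (-not (Test-Path -Path $CurlPath)) {
    Write-Output "curl.exe not present at $CurlPath; nothing to evaluate"
    exit 0
}

# 1. Version check from the binary's version resource (e.g. '8.0.1').
$raw = (Get-Item -Path $CurlPath).VersionInfo.FileVersion
if ($raw -notmatch '^\d+(\.\d+){1,3}') {
    Write-Output "Cannot parse FileVersion '$raw' on $CurlPath"
    exit 1
}
$fileVersion = [version]$Matches[0]

# 2. Signature check. The Windows-shipped curl.exe is Microsoft catalog-signed
#    (Get-AuthenticodeSignature also evaluates catalog signatures); a curl.exe
#    copied in by hand is not, and that mismatch is what later makes the
#    cumulative update fail until sfc /scannow or DISM restores the file.
$sig = Get-AuthenticodeSignature -FilePath $CurlPath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
$microsoftSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

$problems = @()
if ($fileVersion -lt $MinimumVersion) {
    $problems += "curl $fileVersion is below the required $MinimumVersion"
}
if (-not $microsoftSigned) {
    $problems += "curl.exe signature status '$($sig.Status)' from '$signer' is not Microsoft's; file has likely been replaced"
}

if ($problems.Count -eq 0) {
    Write-Output "Compliant: curl $fileVersion, Microsoft-signed"
    exit 0
}
$problems | ForEach-Object { Write-Output "Non-compliant: $_" }
exit 1
```

Because Microsoft had no fix for the last two CVEs at the time of this thread, a below-minimum result here is a reporting signal for tracking, not a trigger to drop a downloaded curl.exe into System32.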

Badge

You look like you’re right. 

However, thankfully, my patch was faulty. It doesn’t look like it had actually updated anyone to the most current version of cURL. Thank goodness for that. 
