Out-of-bounds write in curl.haxx.se libcurl

1) Out-of-bounds write

EUVDB-ID: #VU33021

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-8622

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libcurl: 7.4 - 7.50.3

CPE2.3

• cpe:2.3:a:curl_haxx_se:libcurl:7.4:*:*:*:*:*:*:*
• cpe:2.3:a:curl_haxx_se:libcurl:7.4.1:*:*:*:*:*:*:*
• cpe:2.3:a:curl_haxx_se:libcurl:7.4.2:*:*:*:*:*:*:*

External links

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://www.securityfocus.com/bid/94105
https://www.securitytracker.com/id/1037192
https://access.redhat.com/errata/RHSA-2018:2486
https://access.redhat.com/errata/RHSA-2018:3558
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622
https://curl.haxx.se/docs/adv_20161102H.html
https://security.gentoo.org/glsa/201701-47
https://www.tenable.com/security/tns-2016-21

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.