Out-of-bounds write in curl.haxx.se libcurl



Published: 2018-07-31 | Updated: 2020-08-03
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-8622
CWE-ID CWE-787
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
libcurl
Universal components / Libraries / Libraries used by multiple products

Vendor curl.haxx.se

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Out-of-bounds write

EUVDB-ID: #VU33021

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8622

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libcurl: 7.4 - 7.50.3

External links

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/94105
http://www.securitytracker.com/id/1037192
http://access.redhat.com/errata/RHSA-2018:2486
http://access.redhat.com/errata/RHSA-2018:3558
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622
http://curl.haxx.se/docs/adv_20161102H.html
http://security.gentoo.org/glsa/201701-47
http://www.tenable.com/security/tns-2016-21


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###