Multiple vulnerabilities in libcurl

Published: 2019-02-11 10:39:51 | Updated: 2019-02-11
Severity High
Patch available YES
Number of vulnerabilities 3
CVE ID CVE-2019-3822
CVE-2019-3823
CVE-2018-16890
CVSSv3 9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
5.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C]
4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C]
CWE ID CWE-121
CWE-125
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Vulnerable software libcurl
Vulnerable software versions libcurl 7.39.0
libcurl 7.38.0
libcurl 7.37.1

Show more

Vendor URL curl.haxx.se

Security Advisory

1) Stack-based buffer overflow

Description

The vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code on the target system.

The vulnerability exists due to the NT LAN Manager (NTLM) Curl_auth_create_ntlm_type3_message function creates an outgoing NTLM type-3 header and generates the request HTTP header contents based on previously received data. A remote unauthenticated attacker can send very large ‘nt response’ output data, that has been extracted from a previous NTLMv2 header that was provided by a malicious or broken HTTP server, trigger stack-based buffer overflow and cause the service to crash or execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Update to version 7.64.0.

External links

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822
https://curl.haxx.se/docs/CVE-2019-3822.html

2) Heap out-of-bounds read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information or cause the service to crash.

The vulnerability exists due to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. A remote attacker can trigger heap out-of-bounds read error and read contents of memory on the system or cause the service to crash..

Remediation

Update to version 7.64.0.

External links

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3823
https://curl.haxx.se/docs/CVE-2019-3823.html

3) Heap out-of-bounds read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information or cause the service to crash.

The vulnerability exists due to a integer overflow in the function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly. A remote attacker on malicious or broken NTLM server can trick the victim into accepting a bad length + offset combination, trigger heap out-of-bounds read error and read contents of memory on the system or cause the service to crash..

Remediation

Update to version 7.64.0.

External links

http://www.securityfocus.com/bid/106947
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890
https://curl.haxx.se/docs/CVE-2018-16890.html
https://usn.ubuntu.com/3882-1/
https://www.debian.org/security/2019/dsa-4386

Back to List