#VU33021 Out-of-bounds write in libcurl


Published: 2018-07-31 | Updated: 2020-08-03

Vulnerability identifier: #VU33021

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8622

CWE-ID: CWE-787

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libcurl
Universal components / Libraries / Libraries used by multiple products

Vendor: curl.haxx.se

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libcurl: 7.4 - 7.50.3


External links
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/94105
http://www.securitytracker.com/id/1037192
http://access.redhat.com/errata/RHSA-2018:2486
http://access.redhat.com/errata/RHSA-2018:3558
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622
http://curl.haxx.se/docs/adv_20161102H.html
http://security.gentoo.org/glsa/201701-47
http://www.tenable.com/security/tns-2016-21


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability