
[SECURITY ADVISORY] curl: NTLM type-2 out-of-bounds buffer read

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 6 Feb 2019 08:12:29 +0100 (CET)

NTLM type-2 out-of-bounds buffer read
=====================================

Project curl Security Advisory, February 6th 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2018-16890.html)

VULNERABILITY
-------------

libcurl contains a heap buffer out-of-bounds read flaw.

The function handling incoming NTLM type-2 messages
(`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data
correctly and is subject to an integer overflow vulnerability.

Using that overflow, a malicious or broken NTLM server could trick libcurl to
accept a bad length + offset combination that would lead to a buffer read
out-of-bounds.

We are not aware of any exploit of this flaw.
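The length-plus-offset check the advisory describes, as an added illustration that is not curl's code: it reads the TargetInfo security buffer of a constructed NTLM type-2 message and contrasts a 32-bit `offset + len` test, which wraps around, with an overflow-free test that bounds the offset first. Field positions follow the NTLM CHALLENGE_MESSAGE layout; the message bytes and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* NTLM type-2 (CHALLENGE_MESSAGE) layout: the TargetInfo security buffer
 * starts at byte 40 as Len (2, LE), MaxLen (2, LE), Offset (4, LE); the
 * fixed header ends at byte 48, so the payload must start at or after it. */
#define TI_FIELD 40
#define HDR_LEN  48
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p) {
  return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Check in the spirit of the flaw: offset + len is summed in 32 bits, so a
 * huge offset plus a small length wraps around and looks "in bounds". */
int targetinfo_ok_naive(const unsigned char *type2, size_t type2len) {
  uint16_t len; uint32_t off;
  if(type2len < HDR_LEN) return 0;
  len = rd16(type2 + TI_FIELD);
  off = rd32(type2 + TI_FIELD + 4);
  if(len == 0) return 1;
  return (uint32_t)(off + len) <= type2len && off >= HDR_LEN;
}
/* Hardened check: bound the offset first, then compare the length against
 * the room that remains, so no addition can overflow. */
int targetinfo_ok_safe(const unsigned char *type2, size_t type2len) {
  uint16_t len; uint32_t off;
  if(type2len < HDR_LEN) return 0;
  len = rd16(type2 + TI_FIELD);
  off = rd32(type2 + TI_FIELD + 4);
  if(len == 0) return 1;
  if(off < HDR_LEN || off > type2len) return 0;
  return len <= type2len - off;  /* subtraction cannot underflow after the test above */
}
/* Build a constructed (not captured) type-2 message with the given TargetInfo fields. */
void make_type2(unsigned char *buf, size_t buflen, uint16_t ti_len, uint32_t ti_off) {
  if(buflen < HDR_LEN) return;
  memset(buf, 0, buflen);
  memcpy(buf, "NTLMSSP", 8);             /* signature including its NUL */
  buf[8] = 2;                            /* MessageType = 2 */
  for(int i = 0; i < 2; i++) buf[TI_FIELD + i] = buf[TI_FIELD + 2 + i] = (unsigned char)(ti_len >> (8 * i));
  for(int i = 0; i < 4; i++) buf[TI_FIELD + 4 + i] = (unsigned char)(ti_off >> (8 * i));
}
int main(void) {
  unsigned char m[64];
  make_type2(m, sizeof m, 0x20, 0xFFFFFFF0u);   /* 32-bit offset + len wraps to 0x10 */
  printf("naive=%d safe=%d\n", targetinfo_ok_naive(m, sizeof m), targetinfo_ok_safe(m, sizeof m));
  return 0;
}
```

The naive test accepts the wrapped combination and would let the caller read far past the 64-byte message; the hardened test rejects it while still accepting a well-formed buffer.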

INFO
----

This bug was introduced in [commit
86724581b6c](https://github.com/curl/curl/commit/86724581b6c), January 2014.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-16890 to this issue.

CWE-125: Out-of-bounds Read

Severity: 5.3 (Medium)

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.36.0 to and including 7.63.0
- Not affected versions: libcurl < 7.36.0 and >= 7.64.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [patch for CVE-2018-16890](https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.64.0
  B - Apply the patch to your version and rebuild
  C - Turn off NTLM authentication

TIME LINE
---------

It was reported to the curl project on December 30, 2018. We contacted
distros_at_openwall on January 28.

curl 7.64.0 was released on February 6 2019, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Wenxiang Qian of Tencent Blade Team. Patch by Daniel Stenberg.
Thanks a lot!
-- 
  / daniel.haxx.se