CVE-2018-16890
curl: NTLM type-2 heap out-of-bounds buffer read
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.
Libcurl, desde la versión 7.36.0 hasta antes de la 7.64.0, es vulnerable a una lectura de memoria dinámica (heap) fuera de límites. La función que gestiona los mensajes entrantes NTLM de tipo 2 ("lib/vauth/ntlm.c:ntlm_decode_type2_target") no valida los datos entrantes correctamente y está sujeta a una vulnerabilidad de desbordamiento de enteros. Mediante ese desbordamiento, un servidor NTLM malicioso o roto podría engañar a libcurl para que acepte una mala combinación de longitud + desplazamiento que conduciría a una lectura del búfer fuera de límites.
An out-of-bounds read flaw was found in the way curl handled NTLMv2 type-2 headers. When connecting to a remote malicious server which uses NTLM authentication, the flaw could cause curl to crash.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-09-11 CVE Reserved
- 2019-02-06 CVE Published
- 2019-03-19 First Exploit
- 2024-08-05 CVE Updated
- 2024-09-01 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-125: Out-of-bounds Read
- CWE-190: Integer Overflow or Wraparound
CAPEC
References (15)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/106947 | Third Party Advisory | |
https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf | Third Party Advisory | |
https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E | Mailing List | |
https://support.f5.com/csp/article/K03314397?utm_source=f5support&%3Butm_medium=RSS | X_refsource_confirm |
URL | Date | SRC |
---|---|---|
https://github.com/michelleamesquita/CVE-2018-16890 | 2019-03-19 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2019:3701 | 2023-11-07 | |
https://usn.ubuntu.com/3882-1 | 2023-11-07 | |
https://www.debian.org/security/2019/dsa-4386 | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2018-16890 | 2019-11-05 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1670252 | 2019-11-05 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Haxx Search vendor "Haxx" | Libcurl Search vendor "Haxx" for product "Libcurl" | >= 7.36.0 < 7.64.0 Search vendor "Haxx" for product "Libcurl" and version " >= 7.36.0 < 7.64.0" | - |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap" | * | - |
Affected
| ||||||
Siemens Search vendor "Siemens" | Sinema Remote Connect Client Search vendor "Siemens" for product "Sinema Remote Connect Client" | <= 2.0 Search vendor "Siemens" for product "Sinema Remote Connect Client" and version " <= 2.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Operations Monitor Search vendor "Oracle" for product "Communications Operations Monitor" | 3.4 Search vendor "Oracle" for product "Communications Operations Monitor" and version "3.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Operations Monitor Search vendor "Oracle" for product "Communications Operations Monitor" | 4.0 Search vendor "Oracle" for product "Communications Operations Monitor" and version "4.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Http Server Search vendor "Oracle" for product "Http Server" | 12.2.1.3.0 Search vendor "Oracle" for product "Http Server" and version "12.2.1.3.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Secure Global Desktop Search vendor "Oracle" for product "Secure Global Desktop" | 5.4 Search vendor "Oracle" for product "Secure Global Desktop" and version "5.4" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
F5 Search vendor "F5" | Big-ip Access Policy Manager Search vendor "F5" for product "Big-ip Access Policy Manager" | >= 13.1.0 <= 13.1.3 Search vendor "F5" for product "Big-ip Access Policy Manager" and version " >= 13.1.0 <= 13.1.3" | - |
Affected
| ||||||
F5 Search vendor "F5" | Big-ip Access Policy Manager Search vendor "F5" for product "Big-ip Access Policy Manager" | >= 14.0.0 <= 14.1.2 Search vendor "F5" for product "Big-ip Access Policy Manager" and version " >= 14.0.0 <= 14.1.2" | - |
Affected
| ||||||
F5 Search vendor "F5" | Big-ip Access Policy Manager Search vendor "F5" for product "Big-ip Access Policy Manager" | >= 15.0.0 <= 15.0.1 Search vendor "F5" for product "Big-ip Access Policy Manager" and version " >= 15.0.0 <= 15.0.1" | - |
Affected
|