Bug 1670252 (CVE-2018-16890)

Summary: CVE-2018-16890 curl: NTLM type-2 heap out-of-bounds buffer read
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, andrew.slice, bodavis, csutherl, dbaker, dbhole, gzaronik, hhorak, jclere, john.j5live, jokerman, jorton, kanderso, kdudka, lgao, luhliari, mbabacek, msekleta, mturk, myarboro, omajid, paul, psampaio, rwagner, security-response-team, sthangav, trankin, twalsh, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 7.64.0 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in the way curl handled NTLMv2 type-2 headers. When connecting to a remote malicious server which uses NTLM authentication, the flaw could cause curl to crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-06 00:51:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1672902, 1674357, 1674358    
Bug Blocks: 1670258    

Description Sam Fowler 2019-01-29 04:10:28 UTC 
libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read.

The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability.

Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.


Bug introduced by:

https://github.com/curl/curl/commit/86724581b6c
Comment 1 Sam Fowler 2019-01-29 04:10:30 UTC 
Acknowledgments:

Name: Daniel Stenberg (the Curl project)
Upstream: Wenxiang Qian (Tencent Blade Team)
Comment 2 Sam Fowler 2019-02-06 07:45:58 UTC 
External Reference:

https://curl.haxx.se/docs/CVE-2018-16890.html


Upstream Patch:

https://github.com/curl/curl/commit/b780b30d
Comment 3 Sam Fowler 2019-02-06 07:46:07 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1672902]
Comment 6 Huzaifa S. Sidhpurwala 2019-02-11 06:42:40 UTC 
Mitigation:

Turn off NTLM authentication.
Comment 7 Eric Christensen 2019-02-18 14:19:21 UTC 
Statement:

The versions of curl package shipped with Red Hat Enterprise Linux 5, 6, and 7 do not support NTLMv2 type-2 headers, hence they are not affected by this flaw.
Comment 10 errata-xmlrpc 2019-11-05 22:06:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3701 https://access.redhat.com/errata/RHSA-2019:3701
Comment 11 Product Security DevOps Team 2019-11-06 00:51:57 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16890