Bug 1670252 (CVE-2018-16890) - CVE-2018-16890 curl: NTLM type-2 heap out-of-bounds buffer read
Summary: CVE-2018-16890 curl: NTLM type-2 heap out-of-bounds buffer read
Alias: CVE-2018-16890
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1672902 1674357 1674358
Blocks: 1670258
TreeView+ depends on / blocked
Reported: 2019-01-29 04:10 UTC by Sam Fowler
Modified: 2020-04-02 15:51 UTC (History)
29 users (show)

Fixed In Version: curl 7.64.0
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in the way curl handled NTLMv2 type-2 headers. When connecting to a remote malicious server which uses NTLM authentication, the flaw could cause curl to crash.
Clone Of:
Last Closed: 2019-11-06 00:51:57 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3701 None None None 2019-11-05 22:06:06 UTC

Description Sam Fowler 2019-01-29 04:10:28 UTC
libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read.

The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability.

Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.

Bug introduced by:


Comment 1 Sam Fowler 2019-01-29 04:10:30 UTC

Name: Daniel Stenberg (the Curl project)
Upstream: Wenxiang Qian (Tencent Blade Team)

Comment 2 Sam Fowler 2019-02-06 07:45:58 UTC
External Reference:


Upstream Patch:


Comment 3 Sam Fowler 2019-02-06 07:46:07 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1672902]

Comment 6 Huzaifa S. Sidhpurwala 2019-02-11 06:42:40 UTC

Turn off NTLM authentication.

Comment 7 Eric Christensen 2019-02-18 14:19:21 UTC

The versions of curl package shipped with Red Hat Enterprise Linux 5, 6, and 7 do not support NTLMv2 type-2 headers, hence they are not affected by this flaw.

Comment 10 errata-xmlrpc 2019-11-05 22:06:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3701 https://access.redhat.com/errata/RHSA-2019:3701

Comment 11 Product Security DevOps Team 2019-11-06 00:51:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.