Bug 1670252 (CVE-2018-16890) - CVE-2018-16890 curl: NTLM type-2 heap out-of-bounds buffer read
Summary: CVE-2018-16890 curl: NTLM type-2 heap out-of-bounds buffer read
Status: NEW
Alias: CVE-2018-16890
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190206,repor...
Keywords: Security
Depends On: 1674357 1674358 1672902
Blocks: 1670258
TreeView+ depends on / blocked
 
Reported: 2019-01-29 04:10 UTC by Sam Fowler
Modified: 2019-04-30 02:50 UTC (History)
29 users (show)

(edit)
An out-of-bounds read flaw was found in the way curl handled NTLMv2 type-2 headers. When connecting to a remote malicious server which uses NTLM authentication, the flaw could cause curl to crash.
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Sam Fowler 2019-01-29 04:10:28 UTC
libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read.

The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability.

Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.


Bug introduced by:

https://github.com/curl/curl/commit/86724581b6c

Comment 1 Sam Fowler 2019-01-29 04:10:30 UTC
Acknowledgments:

Name: Daniel Stenberg (the Curl project)
Upstream: Wenxiang Qian (Tencent Blade Team)

Comment 2 Sam Fowler 2019-02-06 07:45:58 UTC
External Reference:

https://curl.haxx.se/docs/CVE-2018-16890.html


Upstream Patch:

https://github.com/curl/curl/commit/b780b30d

Comment 3 Sam Fowler 2019-02-06 07:46:07 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1672902]

Comment 6 Huzaifa S. Sidhpurwala 2019-02-11 06:42:40 UTC
Mitigation:

Turn off NTLM authentication.

Comment 7 Eric Christensen 2019-02-18 14:19:21 UTC
Statement:

The versions of curl package shipped with Red Hat Enterprise Linux 5, 6, and 7 do not support NTLMv2 type-2 headers, hence they are not affected by this flaw.


Note You need to log in before you can comment on or make changes to this bug.