ID CVE-2018-1000005
Summary libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
References
Vulnerable Configurations
  • Haxx libcurl 7.49.0
    cpe:2.3:a:haxx:libcurl:7.49.0
  • Haxx libcurl 7.49.1
    cpe:2.3:a:haxx:libcurl:7.49.1
  • Haxx libcurl 7.50.0
    cpe:2.3:a:haxx:libcurl:7.50.0
  • Haxx libcurl 7.50.1
    cpe:2.3:a:haxx:libcurl:7.50.1
  • Haxx libcurl 7.50.2
    cpe:2.3:a:haxx:libcurl:7.50.2
  • Haxx libcurl 7.50.3
    cpe:2.3:a:haxx:libcurl:7.50.3
  • Haxx libcurl 7.51.0
    cpe:2.3:a:haxx:libcurl:7.51.0
  • Haxx libcurl 7.52.0
    cpe:2.3:a:haxx:libcurl:7.52.0
  • Haxx libcurl 7.52.1
    cpe:2.3:a:haxx:libcurl:7.52.1
  • Haxx libcurl 7.53.0
    cpe:2.3:a:haxx:libcurl:7.53.0
  • Haxx libcurl 7.53.1
    cpe:2.3:a:haxx:libcurl:7.53.1
  • Haxx libcurl 7.54.0
    cpe:2.3:a:haxx:libcurl:7.54.0
  • Haxx libcurl 7.54.1
    cpe:2.3:a:haxx:libcurl:7.54.1
  • Haxx libcurl 7.55.0
    cpe:2.3:a:haxx:libcurl:7.55.0
  • Haxx libcurl 7.55.1
    cpe:2.3:a:haxx:libcurl:7.55.1
  • Haxx libcurl 7.56.0
    cpe:2.3:a:haxx:libcurl:7.56.0
  • Haxx libcurl 7.56.1
    cpe:2.3:a:haxx:libcurl:7.56.1
  • Haxx libcurl 7.57.0
    cpe:2.3:a:haxx:libcurl:7.57.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 17.10
    cpe:2.3:o:canonical:ubuntu_linux:17.10
CVSS
Base: 6.4
Impact:
Exploitability:
CWE CWE-125
CAPEC
  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201804-04.NASL
    description The remote host is affected by the vulnerability described in GLSA-201804-04 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details. Impact : Remote attackers could cause a Denial of Service condition, obtain sensitive information, or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-06-07
    plugin id 108925
    published 2018-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108925
    title GLSA-201804-04 : cURL: Multiple vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2018-024-01.NASL
    description New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-01
    modified 2018-02-20
    plugin id 106309
    published 2018-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106309
    title Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2018-024-01)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-85655B12B6.NASL
    description - http2: fix incorrect trailer buffer size (CVE-2018-1000005) - http: prevent custom Authorization headers in redirects (CVE-2018-1000007) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-20
    plugin id 106517
    published 2018-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106517
    title Fedora 26 : curl (2018-85655b12b6)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3554-1.NASL
    description It was discovered that curl incorrectly handled certain data. An attacker could possibly use this to cause a denial of service or even to get access to sensitive data. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. It was discovered that curl could accidentally leak authentication data. An attacker could possibly use this to get access to sensitive information. (CVE-2018-1000007). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 106558
    published 2018-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106558
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : curl vulnerabilities (USN-3554-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4098.NASL
    description Two vulnerabilities were discovered in cURL, an URL transfer library. - CVE-2018-1000005 Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn't affect the oldstable distribution (jessie). - CVE-2018-1000007 Craig de Stigter discovered that authentication data might be leaked to third parties when following HTTP redirects.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 106412
    published 2018-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106412
    title Debian DSA-4098-1 : curl - security update
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-951.NASL
    description HTTP authentication leak in redirects libcurl might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request. (CVE-2018-1000007) Out-of-bounds read in code handling HTTP/2 trailers libcurl contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something. (CVE-2018-1000005)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 109122
    published 2018-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109122
    title Amazon Linux 2 : curl (ALAS-2018-951)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-241A5A2409.NASL
    description - http2: fix incorrect trailer buffer size (CVE-2018-1000005) - http: prevent custom Authorization headers in redirects (CVE-2018-1000007) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-20
    plugin id 106510
    published 2018-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106510
    title Fedora 27 : curl (2018-241a5a2409)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-951.NASL
    description Out-of-bounds read in code handling HTTP/2 trailers : libcurl contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something. (CVE-2018-1000005) HTTP authentication leak in redirects : libcurl might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request. (CVE-2018-1000007)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 106930
    published 2018-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106930
    title Amazon Linux AMI : curl (ALAS-2018-951)
refmap via4
confirm
debian DSA-4098
sectrack 1040273
ubuntu USN-3554-1
Last major update 24-01-2018 - 17:29
Published 24-01-2018 - 17:29
Last modified 25-03-2019 - 15:18
Back to Top