cnvd - cnvd-2019-10132

cnvd-2019-10132

Vulnerability from cnvd

Title: libcurl缓冲区溢出漏洞

Description:

libcurl是一个免费且易于使用的客户端URL传输库。

Libcurl 7.15.4 - 7.61.0中的lib/curl_ntlm_core.c中的Curl_ntlm_core_mk_nt_hash()存在缓冲区溢出漏洞。远程用户可通过发送特制NTLM认证密码利用该漏洞在目标系统上执行任意代码。

Severity: 高

Patch Name: libcurl缓冲区溢出漏洞的补丁

Patch Description:

libcurl是一个免费且易于使用的客户端URL传输库。

Libcurl 7.15.4 - 7.61.0中的lib/curl_ntlm_core.c中的Curl_ntlm_core_mk_nt_hash()存在缓冲区溢出漏洞。远程用户可通过发送特制NTLM认证密码利用该漏洞在目标系统上执行任意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布漏洞修复程序，请及时关注更新： https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243.patch

Reference: https://curl.haxx.se/docs/CVE-2018-14618.html

Impacted products

Name
['PHP libcURL 7.15.4 - 7.61.0', 'Haxx Libcurl >=7.15.4，<=7.61.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-14618"
    }
  },
  "description": "libcurl\u662f\u4e00\u4e2a\u514d\u8d39\u4e14\u6613\u4e8e\u4f7f\u7528\u7684\u5ba2\u6237\u7aefURL\u4f20\u8f93\u5e93\u3002\n\nLibcurl 7.15.4 - 7.61.0\u4e2d\u7684lib/curl_ntlm_core.c\u4e2d\u7684Curl_ntlm_core_mk_nt_hash()\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u7528\u6237\u53ef\u901a\u8fc7\u53d1\u9001\u7279\u5236NTLM\u8ba4\u8bc1\u5bc6\u7801\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u76ee\u6807\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "unknwon",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243.patch",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-10132",
  "openTime": "2019-04-17",
  "patchDescription": "libcurl\u662f\u4e00\u4e2a\u514d\u8d39\u4e14\u6613\u4e8e\u4f7f\u7528\u7684\u5ba2\u6237\u7aefURL\u4f20\u8f93\u5e93\u3002\r\n\r\nLibcurl 7.15.4 - 7.61.0\u4e2d\u7684lib/curl_ntlm_core.c\u4e2d\u7684Curl_ntlm_core_mk_nt_hash()\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u7528\u6237\u53ef\u901a\u8fc7\u53d1\u9001\u7279\u5236NTLM\u8ba4\u8bc1\u5bc6\u7801\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u76ee\u6807\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "libcurl\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "PHP libcURL 7.15.4 - 7.61.0",
      "Haxx Libcurl \u003e=7.15.4\uff0c\u003c=7.61.0"
    ]
  },
  "referenceLink": "https://curl.haxx.se/docs/CVE-2018-14618.html",
  "serverity": "\u9ad8",
  "submitTime": "2018-09-06",
  "title": "libcurl\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

CVE-2018-14618 (GCVE-0-2018-14618)

Vulnerability from cvelistv5

Published

2018-09-05 19:00

Modified

2024-08-05 09:29

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

Summary

curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)

References

▼	URL	Tags
	https://curl.haxx.se/docs/CVE-2018-14618.html	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/201903-03	vendor-advisory, x_refsource_GENTOO
	https://usn.ubuntu.com/3765-1/	vendor-advisory, x_refsource_UBUNTU
	https://access.redhat.com/errata/RHSA-2018:3558	vendor-advisory, x_refsource_REDHAT
	https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014	x_refsource_CONFIRM
	https://www.debian.org/security/2018/dsa-4286	vendor-advisory, x_refsource_DEBIAN
	http://www.securitytracker.com/id/1041605	vdb-entry, x_refsource_SECTRACK
	https://usn.ubuntu.com/3765-2/	vendor-advisory, x_refsource_UBUNTU
	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618	x_refsource_CONFIRM
	https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2019:1880	vendor-advisory, x_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	[UNKNOWN]	curl	Version: 7.61.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:29:51.906Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://curl.haxx.se/docs/CVE-2018-14618.html"
          },
          {
            "name": "GLSA-201903-03",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201903-03"
          },
          {
            "name": "USN-3765-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3765-1/"
          },
          {
            "name": "RHSA-2018:3558",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3558"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014"
          },
          {
            "name": "DSA-4286",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4286"
          },
          {
            "name": "1041605",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041605"
          },
          {
            "name": "USN-3765-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3765-2/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf"
          },
          {
            "name": "RHSA-2019:1880",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1880"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "curl",
          "vendor": "[UNKNOWN]",
          "versions": [
            {
              "status": "affected",
              "version": "7.61.1"
            }
          ]
        }
      ],
      "datePublic": "2018-09-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)"
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-29T18:06:14",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://curl.haxx.se/docs/CVE-2018-14618.html"
        },
        {
          "name": "GLSA-201903-03",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201903-03"
        },
        {
          "name": "USN-3765-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3765-1/"
        },
        {
          "name": "RHSA-2018:3558",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3558"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014"
        },
        {
          "name": "DSA-4286",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4286"
        },
        {
          "name": "1041605",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041605"
        },
        {
          "name": "USN-3765-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3765-2/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf"
        },
        {
          "name": "RHSA-2019:1880",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1880"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2018-14618",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "curl",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "7.61.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "[UNKNOWN]"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)"
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-131"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-122"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://curl.haxx.se/docs/CVE-2018-14618.html",
              "refsource": "CONFIRM",
              "url": "https://curl.haxx.se/docs/CVE-2018-14618.html"
            },
            {
              "name": "GLSA-201903-03",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201903-03"
            },
            {
              "name": "USN-3765-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3765-1/"
            },
            {
              "name": "RHSA-2018:3558",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3558"
            },
            {
              "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014",
              "refsource": "CONFIRM",
              "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014"
            },
            {
              "name": "DSA-4286",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4286"
            },
            {
              "name": "1041605",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041605"
            },
            {
              "name": "USN-3765-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3765-2/"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf"
            },
            {
              "name": "RHSA-2019:1880",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1880"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-14618",
    "datePublished": "2018-09-05T19:00:00",
    "dateReserved": "2018-07-27T00:00:00",
    "dateUpdated": "2024-08-05T09:29:51.906Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted