curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to determine how large a temporary storage area to allocate from the heap. The length value is then used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32-bit size_t, the calculation of SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to be allocated instead of the intended very large one, so that use of the buffer results in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)
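The wrap-around described above, next to a length check that prevents it, as an added example that is not curl's code and not part of the original advisory. It assumes `uint32_t` as a stand-in for a 32-bit `size_t`, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: uint32_t models a 32-bit size_t so the wrap shows on any host. */
typedef uint32_t size32_t;

/* Unchecked size calculation as described above: password length times two. */
static size32_t unchecked_size(size32_t len) {
    return (size32_t)(len * 2u); /* wraps modulo 2^32 */
}

/* Checked variant: fail when the doubled length is not representable. */
static bool checked_size(size32_t len, size32_t *out) {
    if (len > UINT32_MAX / 2u)
        return false;
    *out = (size32_t)(len * 2u);
    return true;
}

/* Bytes the expansion loop would write beyond a buffer of alloc bytes. */
static uint64_t overrun_bytes(size32_t len, size32_t alloc) {
    uint64_t written = (uint64_t)len * 2u; /* two output bytes per input byte */
    return written > alloc ? written - alloc : 0;
}

/* Expands each byte to two (value, then zero); allocates only after the check. */
static unsigned char *expand_password(const char *pw, size32_t len, size32_t *out_len) {
    size32_t need = 0;
    unsigned char *buf;
    if (!checked_size(len, &need) || !(buf = malloc(need ? need : 1)))
        return NULL; /* overflow or out of memory */
    for (size32_t i = 0; i < len; i++) {
        buf[2 * i] = (unsigned char)pw[i];
        buf[2 * i + 1] = 0;
    }
    *out_len = need;
    return buf;
}

int main(void) {
    size32_t len = 0x80000001u; /* constructed length just over 2^31 */
    printf("allocated %u, overrun %llu\n", (unsigned)unchecked_size(len),
           (unsigned long long)overrun_bytes(len, unchecked_size(len)));
    return 0;
}
```

On a 64-bit `size_t` the same multiplication does not wrap at this length, which is why the advisory limits the issue to 32-bit systems.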
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-14618 from the MITRE CVE dictionary and NIST NVD.

CVSS3 Base Score | 7.5 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | None |
User Interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity Impact | High |
Availability Impact | High |

Platform | Errata | Release Date |
---|---|---|
Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-curl) | RHSA-2018:3558 | 2018-11-13 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 (httpd24-curl) | RHSA-2018:3558 | 2018-11-13 |

Platform | Package | State |
---|---|---|
Red Hat JBoss Web Server 3 | curl | Not affected |
Red Hat JBoss Core Services 1 | curl | Not affected |
Red Hat Enterprise Linux 7 | curl | Affected |
Red Hat Enterprise Linux 6 | curl | Will not fix |
Red Hat Enterprise Linux 5 | curl | Will not fix |
.NET Core 2.0 on Red Hat Enterprise Linux | rh-dotnet20-curl | Under investigation |
.NET Core 2.0 on Red Hat Enterprise Linux | rh-dotnet21-curl | Under investigation |
.NET Core 1.0 on Red Hat Enterprise Linux | rh-dotnetcore10-curl | Under investigation |
.NET Core 1.0 on Red Hat Enterprise Linux | rh-dotnetcore11-curl | Under investigation |