Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2019-3822

Impact: Moderate Public Date: 2019-02-06 CWE: CWE-121 Bugzilla: 1670254: CVE-2019-3822 curl: NTLMv2 type-3 header stack buffer overflow libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

Source

The MITRE CVE dictionary describes this issue as:

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

Find out more about CVE-2019-3822 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

The versions of curl package shipped with Red Hat Enterprise Linux 5, 6 and 7 do not support NTLMv2 type-3 headers, hence they are not affected by this flaw.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score	5.3
CVSS3 Base Metrics	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	Required
Scope	Unchanged
Confidentiality	None
Integrity Impact	None
Availability Impact	High

Affected Packages State

Platform	Package	State
Red Hat Virtualization 4	curl	Under investigation
Red Hat Software Collections for Red Hat Enterprise Linux	httpd24-curl	Affected
Red Hat JBoss Web Server 5	curl	Under investigation
Red Hat JBoss Core Services 1	curl	Under investigation
Red Hat Enterprise Linux 7	curl	Not affected
Red Hat Enterprise Linux 6	curl	Not affected
Red Hat Enterprise Linux 5	curl	Not affected
.NET Core 2.0 on Red Hat Enterprise Linux	rh-dotnet22-curl	Under investigation
.NET Core 2.0 on Red Hat Enterprise Linux	rh-dotnet21-curl	Under investigation
.NET Core 1.0 on Red Hat Enterprise Linux	rh-dotnetcore10-curl	Under investigation
.NET Core 1.0 on Red Hat Enterprise Linux	rh-dotnetcore11-curl	Under investigation

Acknowledgements

Red Hat would like to thank Daniel Stenberg (the Curl project) for reporting this issue. Upstream acknowledges Wenxiang Qian (Tencent Blade Team) as the original reporter.

Mitigation

Turn off NTLM authentication.

External References

https://curl.haxx.se/docs/CVE-2019-3822.html

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2019-3822

Statement

CVSS v3 metrics

Affected Packages State

Acknowledgements

Mitigation

External References

Vulmon Search

About

Products

Connect