Project curl Security Advisory, February 6th 2019
libcurl contains a heap buffer out-of-bounds read flaw.
The function handling incoming NTLM type-2 messages (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability.
Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2018-16890 to this issue.
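The bug class described above, as an added example that is not curl's code: a bounds check that adds a peer-supplied offset and length can wrap around, while a check against the remaining space cannot. The function names, field widths and sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not curl's code. A field of `len` bytes sits at
   `offset` inside a received message of `size` bytes; `offset` and `len`
   are read from the message, so the peer controls them. */

/* Flawed form: the 32-bit sum wraps modulo 2^32, so a huge offset plus a
   small length becomes a small number that passes the comparison. */
static int field_in_bounds_naive(uint32_t offset, uint16_t len, uint32_t size)
{
  uint32_t end = offset + len;
  return end <= size;
}

/* Overflow-safe form: never add the two peer-controlled values. */
static int field_in_bounds_safe(uint32_t offset, uint16_t len, uint32_t size)
{
  if(offset > size)
    return 0;
  return len <= size - offset;  /* no underflow: offset <= size here */
}

/* Copy the field only when the safe check and the output size allow it.
   Returns the number of bytes copied, or -1 when the field is rejected. */
static long copy_field(const unsigned char *msg, uint32_t size,
                       uint32_t offset, uint16_t len,
                       unsigned char *out, size_t outlen)
{
  if(!field_in_bounds_safe(offset, len, size) || len > outlen)
    return -1;
  memcpy(out, msg + offset, len);
  return (long)len;
}

int main(void)
{
  unsigned char msg[64] = {0}, out[32];  /* constructed sample message */
  const uint32_t size = 64;
  const uint32_t bad = 0xFFFFFFF0u;      /* constructed wrapping offset */

  printf("naive accepts wrapped pair: %d\n", field_in_bounds_naive(bad, 0x20, size));
  printf("safe accepts wrapped pair:  %d\n", field_in_bounds_safe(bad, 0x20, size));
  printf("valid field copied:         %ld\n", copy_field(msg, size, 48, 16, out, sizeof(out)));
  printf("wrapped field copied:       %ld\n", copy_field(msg, size, bad, 0x20, out, sizeof(out)));
  return 0;
}
```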
CWE-125: Out-of-bounds Read
Severity: Medium
libcurl is used by many applications, but not always advertised as such.
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl to version 7.64.0
B - Apply the patch to your version and rebuild
C - Turn off NTLM authentication
It was reported to the curl project on December 30, 2018. We contacted distros@openwall on January 28.
curl 7.64.0 was released on February 6 2019, coordinated with the publication of this advisory.
Thanks a lot!