CLD-546 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-14618 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) curl
Deficiency Type SECURITY
Date Created 2018-09-05 16:30:49
Date Last Modified 2018-09-05 20:04:22

Version Specific Information:

Cucumber 1.0 i686 fixed in curl-7.61.1-i686-1
Cucumber 1.0 x86_64 not affected

Cucumber 1.1 i686 fixed in curl-7.61.1-i686-1
Cucumber 1.1 x86_64 not affected

Details:

=================================== Overview ===================================

curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM
authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies
the length of the password by two (SUM) to figure out how large temporary
storage area to allocate from the heap. The length value is then subsequently
used to iterate over the password and generate output into the allocated
storage buffer. On systems with a 32 bit size_t, the math to calculate SUM
triggers an integer overflow when the password length exceeds 2GB (2^31 bytes).
This integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that buffer
end up in a heap buffer overflow. (This bug is almost identical to
CVE-2017-8816.) 

================================ Initial Report ================================

From https://curl.haxx.se/docs/CVE-2018-14618.html:VULNERABILITY

libcurl contains a buffer overrun in the NTLM authentication code.

The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the
password by two (SUM) to figure out how large temporary storage area to
allocate from the heap.

The length value is then subsequently used to iterate over the password and
generate output into the allocated storage buffer. On systems with a 32 bit
size_t, the math to calculate SUM triggers an integer overflow when the
password length exceeds 2GB (2^31 bytes). This integer overflow usually causes
a very small buffer to actually get allocated instead of the intended very huge
one, making the use of that buffer end up in a heap buffer overflow.

(This bug is almost identical to CVE-2017-8816.)

We are not aware of any exploit of this flaw.
INFO

This bug was introduced in commit be285cde3f, April 2006.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-14618 to this issue.

CWE-131: Incorrect Calculation of Buffer Size

AFFECTED VERSIONS

This issue is only present on 32 bit systems. It also requires the password
field to use more than 2GB of memory, which should be rare.

    Affected versions: libcurl 7.15.4 to and including 7.61.0
    Not affected versions: libcurl < 7.15.4 and >= 7.61.1

curl is used by many applications, but not always advertised as such.

THE SOLUTION

In libcurl version 7.61.1, the integer overflow is avoided.

A patch for CVE-2018-14618 is available.

================================= Our Analysis =================================

----- Affected Products -----
Curl versions prior to 7.61.1 that have not had the patch from
https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243.patch
applied are vulnerable. This includes curl as originally packaged in Cucumber
Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
Allows for a heap based buffer flow. Although no impact has been officially
disclosed, given the nature of this vulnerability it has the potential to
result in a denial of service or possibly code execution.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to curl 7.61.1 or newer, or by
applying the patch from
https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243.patch.

================================= Our Solution =================================

We have upgraded to curl 7.61.1