CVE-2018-14618

Impact:
Low
Public Date:
2018-09-05
CWE:
CWE-131->CWE-122
Bugzilla:
1622707: CVE-2018-14618 curl: NTLM password overflow via integer overflow

The MITRE CVE dictionary describes this issue as:

curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)

Find out more about CVE-2018-14618 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 7.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-curl) RHSA-2018:3558 2018-11-13
Red Hat Software Collections for Red Hat Enterprise Linux 7 (httpd24-curl) RHSA-2018:3558 2018-11-13

Affected Packages State

Platform Package State
Red Hat JBoss Web Server 3 curl Not affected
Red Hat JBoss Core Services 1 curl Not affected
Red Hat Enterprise Linux 7 curl Affected
Red Hat Enterprise Linux 6 curl Will not fix
Red Hat Enterprise Linux 5 curl Will not fix
.NET Core 2.0 on Red Hat Enterprise Linux rh-dotnet20-curl Under investigation
.NET Core 2.0 on Red Hat Enterprise Linux rh-dotnet21-curl Under investigation
.NET Core 1.0 on Red Hat Enterprise Linux rh-dotnetcore10-curl Under investigation
.NET Core 1.0 on Red Hat Enterprise Linux rh-dotnetcore11-curl Under investigation

Acknowledgements

Red Hat would like to thank the Curl project for reporting this issue. Upstream acknowledges Zhaoyang Wu as the original reporter.

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation