CVE-2018-14618
Published: 2018-09-05
Priority: P357 · Severity: critical · CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.82% (95.3rd percentile)
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)
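Worked example of the arithmetic in the description above, added for this page and not code from curl or from any of the advisories quoted here. A 32-bit size_t is emulated with uint32_t so the doubling can be exercised on any host without allocating 2 GB of password. The unchecked function reproduces the pattern the description attributes to Curl_ntlm_core_mk_nt_hash (the same len * 2 before malloc that the CVE-2019-5435 report further down describes for seturl); the checked variant rejects any length whose doubling cannot be represented before anything is allocated. The function names, the ASCII-to-UTF-16LE loop and the two-byte sample password are the example's own assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Emulated 32-bit size_t: on a 32-bit build this is what size_t is,
 * so len * 2 wraps once len reaches 2^31 (2 GB). */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Vulnerable pattern: the allocation size is len * 2 with no range check.
 * For len >= 2^31 the product wraps to a small value. */
size32_t unchecked_storage_size(size32_t len)
{
    return len * 2;
}

/* Bytes the conversion loop would actually write for the same len:
 * it iterates len times and emits two bytes per iteration. */
uint64_t bytes_written_by_loop(size32_t len)
{
    return (uint64_t)len * 2;
}

/* 1 if the unchecked allocation is smaller than what the loop writes,
 * i.e. the heap-overflow condition the description names. */
int unchecked_overflows(size32_t len)
{
    return (uint64_t)unchecked_storage_size(len) < bytes_written_by_loop(len);
}

/* Hardened pattern: refuse any len whose doubling does not fit in size32_t.
 * Returns 0 and sets *out on success, -1 on overflow. */
int checked_storage_size(size32_t len, size32_t *out)
{
    if (len > SIZE32_MAX / 2)
        return -1;
    *out = len * 2;
    return 0;
}

/* Convert an ASCII password to UTF-16LE (the pre-processing step of an
 * NT hash) using the checked size. Returns NULL when the size is
 * unrepresentable or malloc fails; the caller frees the buffer. */
unsigned char *ascii_to_utf16le(const char *pw, size32_t len, size32_t *outlen)
{
    size32_t need;
    if (checked_storage_size(len, &need) != 0)
        return NULL;                     /* rejected before any allocation */
    unsigned char *buf = malloc(need ? need : 1);
    if (!buf)
        return NULL;
    for (size32_t i = 0; i < len; i++) {
        buf[2 * i] = (unsigned char)pw[i];
        buf[2 * i + 1] = 0;
    }
    *outlen = need;
    return buf;
}

/* Self-check on a constructed two-character password: expect "p\0w\0". */
int utf16le_selfcheck(void)
{
    size32_t n = 0;
    unsigned char *b = ascii_to_utf16le("pw", 2, &n);
    int ok = b && n == 4 && b[0] == 'p' && b[1] == 0 && b[2] == 'w' && b[3] == 0;
    free(b);
    return ok;
}

int main(void)
{
    size32_t len = 0x80000001u;  /* 2^31 + 1 bytes, just past the threshold */
    size32_t sz;
    printf("unchecked size for len=%" PRIu32 ": %" PRIu32 " bytes (loop writes %" PRIu64 ")\n",
           len, unchecked_storage_size(len), bytes_written_by_loop(len));
    printf("checked size: %s\n",
           checked_storage_size(len, &sz) == 0 ? "ok" : "rejected (overflow)");
    printf("utf16le self-check: %s\n", utf16le_selfcheck() ? "ok" : "FAIL");
    return 0;
}
```

With len = 0x80000001 the unchecked path asks the allocator for 2 bytes while the loop goes on to write 4294967298, which is the "very small buffer" the description refers to; the checked path returns -1 for the same input and never reaches malloc. On a 64-bit build the real size_t does not wrap at 2^31, which is why the advisory limits the bug to 32-bit size_t systems.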
Affected (16 ranges listed; identical rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | curl | < curl 7.62.0-1 (bookworm) | curl 7.62.0-1 (bookworm) |
| debian | debian_linux | — | — |
| haxx | curl | >= 0, < 7.62.0-1 | 7.62.0-1 |
| haxx | libcurl | < 7.61.1 | 7.61.1 |
| redhat | enterprise_linux | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
CISA ICS
Siemens SINEMA Remote Connect (Update A)
cisa_ics · 2019-04-09 · CVSS 7.5 · [HIGH]
ICS Advisory, Alert Code ICSA-19-099-04, last revised March 09, 2021
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.3
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Siemens
- Equipment: SINEMA Remote Connect (Client and Server)
- Vulnerabilities: Incorrect Calculation of Buffer Size, Out-of-bounds Read, Stack-based Buffer Overflow, Improper Handling of Insufficient Permissions
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-19-099-04 Siemens SINEMA Remote Connect that was published Apri
Ubuntu
curl vulnerability
vendor_ubuntu · 2018-09-17 · CVE-2018-14618
Summary: curl could be made to run arbitrary code if it received a specially crafted input.
USN-3765-1 fixed a vulnerability in curl. This update provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that curl incorrectly handled certain inputs.
An attacker could possibly use this to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
curl vulnerability
vendor_ubuntu · 2018-09-17 · CVE-2018-14618
Summary: curl could be made to run arbitrary code if it received a specially crafted input.
It was discovered that curl incorrectly handled certain inputs.
An attacker could possibly use this to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: NTLM password overflow via integer overflow
vendor_redhat · 2018-09-05 · CVSS 9.8 · [CRITICAL] · CWE-131
Debian
CVE-2018-14618: curl
vendor_debian · 2018 · CVSS 9.8 · [CRITICAL]
Scope: local
bookworm: resolved
GHSA
GHSA-4mp9-8964-jxmg
ghsa_unreviewed · 2022-05-14 · CVSS 9.8 · [CRITICAL] · CWE-190
OSV
CVE-2018-14618
osv · 2018-09-05 · CVSS 9.8 · [CRITICAL]
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2019-5435: An integer overflow found in /lib/urlapi.c
hackerone · 2020-12-05 · CVSS 7.5 · [HIGH]
## Summary:
libcurl contains a heap-based buffer overrun in /lib/urlapi.c. A similar issue to CVE-2018-14618.
## Steps To Reproduce:
### analysis
I found a potential integer overflow which may lead to a buffer overrun in /curl/lib/urlapi.c. In function `seturl`, urllen was multiplied by 2 and then passed to malloc. So an integer overflow will happen when the url is as long as 2GB in a 32 bit OS.
```c
static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags)
{
char *path;
bool path_alloced = FALSE;
char *hostname;
char *query = NULL;
char *fragment = NULL;
CURLUcode result;
bool url_has_scheme = FALSE;
char schemebuf[MAX_SCHEME_LEN];
char *schemep = NULL;
size_t schemelen = 0;
size_t urllen;
const struct Curl_hand
```
Bugzilla
CVE-2018-14618 curl: NTLM password overflow via integer overflow [fedora-all]
bugzilla · 2018-09-05 · CVSS 7.5 · [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions
Bugzilla
CVE-2018-14618 curl: NTLM password overflow via integer overflow
bugzilla · 2018-08-27 · CVSS 9.8 · [CRITICAL]
NTLM password overflow via integer overflow
Project curl Security Advisory, September 5th 2018 -
[Permalink](https://curl.haxx.se/docs/CVE-2018-XXXX.html)
VULNERABILITY
libcurl contains a buffer overflow in the NTLM authentication code.
The internal function `Curl_ntlm_core_mk_nt_hash` multiplies the `length` of
the password by two (SUM) to figure out how large temporary storage area to
allocate from the heap.
The `length` value is then subsequently used to iterate over the password and
generate output into the allocated storage buffer. On systems with a 32 bit
`size_t`, the math to calculate SUM triggers an integer overflow when the
password length exceeds 2GB (2^31 bytes). This integer overflow usually causes
a very s
References
- http://www.securitytracker.com/id/1041605
- https://access.redhat.com/errata/RHSA-2018:3558
- https://access.redhat.com/errata/RHSA-2019:1880
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618
- https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf
- https://curl.haxx.se/docs/CVE-2018-14618.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014
- https://security.gentoo.org/glsa/201903-03
- https://usn.ubuntu.com/3765-1/
- https://usn.ubuntu.com/3765-2/
- https://www.debian.org/security/2018/dsa-4286