CVE-2018-16839
Published 2018-10-31
CVE-2018-16839: Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
Priority P3 · 52 · critical 9.8 (CVSS 3.0)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
EPSS 5.83% (92.2nd percentile)
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | curl | < curl 7.62.0-1 (bookworm) | curl 7.62.0-1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| haxx | curl | >= 0 < 7.62.0-1 | 7.62.0-1 |
| haxx | curl | >= 0 < 7.62.0-1 | 7.62.0-1 |
| haxx | curl | >= 0 < 7.62.0-1 | 7.62.0-1 |
| haxx | curl | >= 0 < 7.62.0-1 | 7.62.0-1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.19 | 7.35.0-1ubuntu2.19 |
| haxx | curl | >= 0 < 7.47.0-1ubuntu2.11 | 7.47.0-1ubuntu2.11 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.5 | 7.58.0-2ubuntu3.5 |
| haxx | curl | 7.33.0 – 7.61.1 | — |
| the_curl_project | curl | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |
GHSA
GHSA-g54v-fj63-pm34: Curl versions 7
ghsa_unreviewed · 2022-05-13 · CRITICAL · CWE-119
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
OSV
CVE-2018-16839: Curl versions 7
osv · 2018-10-31 · CVSS 9.8 · CRITICAL
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
OSV
curl vulnerabilities
osv · 2018-10-31 · CVSS 9.8 · CRITICAL
Harry Sintonen discovered that curl incorrectly handled SASL
authentication. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2018-16839)
Brian Carpenter discovered that curl incorrectly handled memory when
closing certain handles. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2018-16840)
Brian Carpenter discovered that the curl command-line tool incorrectly
handled error messages. A remote attacker could possibly use this issue to
obtain sensitive information. (CVE-2018-16842)
Ubuntu
curl vulnerabilities
vendor_ubuntu · 2018-10-31 · CVSS 4.3 · MEDIUM
Summary: Several security issues were fixed in curl.
Harry Sintonen discovered that curl incorrectly handled SASL
authentication. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2018-16839)
Brian Carpenter discovered that curl incorrectly handled memory when
closing certain handles. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2018-16840)
Brian Carpenter discovered that the curl command-line tool incorrectly
handled error messages. A remote attacker could possibly use this issue to
obtain sensitive information. (CVE-2018-16842)
Instructions: In general, a standard system update
Red Hat
curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()
vendor_redhat · 2018-10-31 · CVSS 4.3 · MEDIUM · CWE-190
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
Package: rh-dotnetcore10-curl (.NET Core 1.0 on Red Hat Enterprise Linux) - Out of support scope
Package: rh-dotnetcore11-curl (.NET Core 1.1 on Red Hat Enterprise Linux) - Out of support scope
Package: rh-dotnet21-curl (.NET Core 2.1 on Red Hat Enterprise Linux) - Out of support scope
Package: curl (Red Hat Enterprise Linux 5) - Not affected
Package: curl (Red Hat Enterprise Linux 6) - Not affected
Package: curl (Red Hat Enterprise Linux 7) - Not affected
Package: curl (Red Hat Enterprise Linux 8) - Not affected
Package: jbcs-httpd24-curl (Red Hat
Debian
CVE-2018-16839: curl - Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SA...
vendor_debian · 2018 · CVSS 4.3 · MEDIUM
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
Scope: local
bookworm: resolved (fixed in 7.62.0-1)
bullseye: resolved (fixed in 7.62.0-1)
forky: resolved (fixed in 7.62.0-1)
sid: resolved (fixed in 7.62.0-1)
trixie: resolved (fixed in 7.62.0-1)
No detection rules found.
No public exploits indexed.
HackerOne
Curl_auth_create_plain_message integer overflow leads to heap buffer overflow
hackerone · 2021-01-08 · CVSS 4.3 · MEDIUM
## Summary:
There is an incorrect integer overflow check in `Curl_auth_create_plain_message` in `lib/vauth/cleartext.c` , leading to a potential heap buffer overflow of controlled length and data. The exploitation seems quite easy, yet the vulnerability can only be triggered locally and does not seem to lead to RCE.
This vulnerability is very similar to [CVE-2018-16839](https://curl.haxx.se/docs/CVE-2018-16839.html) but was introduced later in [this commit](https://github.com/curl/curl/commit/762a292f8783d73501b7d7c93949268dbb2e61b7).
## Vulnerability:
```C
zlen = (authzid == NULL ? 0 : strlen(authzid));
clen = strlen(authcid);
plen = strlen(passwd);
/* Compute binary message length. Check for overflows. */
```
Bugzilla
CVE-2018-16839 mingw-curl: curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message() [epel-7]
bugzilla · 2018-10-31 · CVSS 4.3 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla
CVE-2018-16839 curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message() [fedora-all]
bugzilla · 2018-10-31 · CVSS 4.3 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE:
Bugzilla
CVE-2018-16839 curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()
bugzilla · 2018-10-24 · CVSS 4.3 · MEDIUM
Curl versions 7.33.0 to 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code.
The internal function `Curl_auth_create_plain_message` fails to correctly
verify that the passed in lengths for name and password aren't too long, then
calculates a buffer size to allocate.
On systems with a 32 bit `size_t`, the math to calculate the buffer size
triggers an integer overflow when the user name length exceeds 2GB (2^31
bytes). This integer overflow usually causes a very small buffer to actually
get allocated instead of the intended very huge one, making the use of that
buffer end up in a heap buffer overflow.
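The advisory above describes how the buffer-size arithmetic wraps on a 32-bit `size_t` once the user name is long enough. The C below is an added example and not curl's own code: it models a 32-bit `size_t` with `uint32_t` and contrasts an assumed shape of the pre-fix check (two per-operand caps whose sum can still wrap), the tightened cap a fix of this kind applies, and a general headroom-based check; the function names and the `2*ulen + plen + 2` message layout are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Model a 32-bit size_t so the wrap-around the advisory describes is
   reproducible on a 64-bit host. */
typedef uint32_t sz32;
#define SZ32_MAX UINT32_MAX

/* Assumed layout: the PLAIN message needs 2*ulen + plen + 2 bytes
   (user name twice, password, two NUL separators). Each function
   returns the length to allocate, or 0 when the inputs are rejected
   (a real message is never 0 bytes, so 0 is a safe sentinel). */

/* Flawed check (assumed pre-fix shape): ulen <= SZ32_MAX/2 and
   plen <= SZ32_MAX/2 - 2 each look safe alone, but 2*ulen + plen + 2
   can still exceed SZ32_MAX and wrap to a tiny allocation size. */
sz32 plain_len_flawed(sz32 ulen, sz32 plen)
{
    if (ulen > SZ32_MAX / 2 || plen > SZ32_MAX / 2 - 2)
        return 0;
    uint64_t total = (uint64_t)2 * ulen + plen + 2;
    return (sz32)total;          /* truncation models the 32-bit wrap */
}

/* Tightened check: capping ulen at SZ32_MAX/4 keeps 2*ulen <= SZ32_MAX/2,
   so 2*ulen + (SZ32_MAX/2 - 2) + 2 can never exceed SZ32_MAX. */
sz32 plain_len_fixed(sz32 ulen, sz32 plen)
{
    if (ulen > SZ32_MAX / 4 || plen > SZ32_MAX / 2 - 2)
        return 0;
    return 2 * ulen + plen + 2;  /* cannot wrap given the caps above */
}

/* General form: derive the bound from the headroom left after the fixed
   terms instead of hand-picked constants. Rejects exactly the inputs
   whose true length does not fit in sz32 and accepts everything else. */
sz32 plain_len_checked(sz32 ulen, sz32 plen)
{
    if (plen > SZ32_MAX - 2)
        return 0;
    if (ulen > (SZ32_MAX - 2 - plen) / 2)
        return 0;
    return 2 * ulen + plen + 2;
}
```

With a user name of 0x7FFFFFFF bytes and an 8-byte password the flawed check accepts the input and computes an 8-byte allocation, which is the undersized buffer the advisory describes; both corrected forms reject it.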
Acknowledgments: the Curl project
References:
- http://www.securitytracker.com/id/1042012
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16839
- https://curl.haxx.se/docs/CVE-2018-16839.html
- https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5
- https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html
- https://security.gentoo.org/glsa/201903-03
- https://usn.ubuntu.com/3805-1/
- https://www.debian.org/security/2018/dsa-4331
Published 2018-10-31