Vulnerabilities > CVE-2018-14618 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_F4D638B9E6E54DBE8C70571DBC116174.NASL description curl security problems : CVE-2018-14618: NTLM password overflow via integer overflow The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. This bug is almost identical to CVE-2017-8816. last seen 2020-06-01 modified 2020-06-02 plugin id 117305 published 2018-09-06 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117305 title FreeBSD : curl -- password overflow vulnerability (f4d638b9-e6e5-4dbe-8c70-571dbc116174) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2019 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(117305); script_version("1.4"); script_cvs_date("Date: 2019/08/12 17:35:38"); script_cve_id("CVE-2018-14618"); script_name(english:"FreeBSD : curl -- password overflow vulnerability (f4d638b9-e6e5-4dbe-8c70-571dbc116174)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "curl security problems : CVE-2018-14618: NTLM password overflow via integer overflow The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. This bug is almost identical to CVE-2017-8816." ); script_set_attribute( attribute:"see_also", value:"https://curl.haxx.se/docs/security.html" ); script_set_attribute( attribute:"see_also", value:"https://curl.haxx.se/docs/CVE-2018-14618.html" ); # https://vuxml.freebsd.org/freebsd/f4d638b9-e6e5-4dbe-8c70-571dbc116174.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1185b533" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-c7-curl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/05"); script_set_attribute(attribute:"patch_publication_date", value:"2018/09/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"curl>=7.15.4<7.61.1")) flag++; if (pkg_test(save_report:TRUE, pkg:"linux-c7-curl<7.29.0_6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1090.NASL description According to the version of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes).(CVE-2018-14618) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-03-26 plugin id 123103 published 2019-03-26 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123103 title EulerOS 2.0 SP3 : curl (EulerOS-SA-2019-1090) NASL family Fedora Local Security Checks NASL id FEDORA_2018-7F83032DE6.NASL description - fix NTLM password overflow via integer overflow (CVE-2018-14618) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120567 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120567 title Fedora 29 : curl (2018-7f83032de6) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2019-1_0-0205_LINUX.NASL description An update of the linux package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 122901 published 2019-03-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122901 title Photon OS 1.0: Linux PHSA-2019-1.0-0205 NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2019-1_0-0205_RUBY.NASL description An update of the ruby package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 122903 published 2019-03-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122903 title Photon OS 1.0: Ruby PHSA-2019-1.0-0205 NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1008.NASL description This update for curl fixes the following issues : This security issue was fixed : - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed : - Fixed erroneous debug message when paired with OpenSSL (bsc#1089533) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2018-09-17 plugin id 117520 published 2018-09-17 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117520 title openSUSE Security Update : curl (openSUSE-2018-1008) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2019-1_0-0205_CURL.NASL description An update of the curl package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 122898 published 2019-03-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122898 title Photon OS 1.0: Curl PHSA-2019-1.0-0205 NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2019-1_0-0205_ELASTICSEARCH.NASL description An update of the elasticsearch package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 122899 published 2019-03-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122899 title Photon OS 1.0: Elasticsearch PHSA-2019-1.0-0205 NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1540.NASL description According to the versions of the curl packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)(CVE-2018-14618) - It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.(CVE-2018-1000120) - A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.(CVE-2018-1000121) - A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage.(CVE-2018-1000122) - curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. (CVE-2018-1000301) - A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application.(CVE-2017-1000257) - It was found that curl and libcurl might send their Authentication header to a third party HTTP server upon receiving an HTTP REDIRECT reply. This could leak authentication token to external entities. (CVE-2018-1000007) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124993 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124993 title EulerOS Virtualization for ARM 64 3.0.1.0 : curl (EulerOS-SA-2019-1540) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1010.NASL description This update for curl fixes the following issues : This security issue was fixed : - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed : - Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-05 modified 2018-09-17 plugin id 117521 published 2018-09-17 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117521 title openSUSE Security Update : curl (openSUSE-2018-1010) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0171_CURL.NASL description The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has curl packages installed that are affected by a vulnerability: - curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.) (CVE-2018-14618) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 128701 published 2019-09-11 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128701 title NewStart CGSL CORE 5.05 / MAIN 5.05 : curl Vulnerability (NS-SA-2019-0171) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1021.NASL description According to the version of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes).(CVE-2018-14618) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-02-14 plugin id 122168 published 2019-02-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122168 title EulerOS 2.0 SP5 : curl (EulerOS-SA-2019-1021) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1237.NASL description According to the version of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)i1/4^CVE-2018-14618i1/4%0 Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-19 modified 2019-04-04 plugin id 123705 published 2019-04-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123705 title EulerOS Virtualization 2.5.4 : curl (EulerOS-SA-2019-1237) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2019-1_0-0205_SYSTEMD.NASL description An update of the systemd package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 122905 published 2019-03-18 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122905 title Photon OS 1.0: Systemd PHSA-2019-1.0-0205 NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1498.NASL description It was discovered that there was a an integer overflow vulnerability in curl, a command line tool for transferring data over HTTP, etc. For more information, please see : <https://curl.haxx.se/docs/CVE-2018-14618.html> For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 117366 published 2018-09-10 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117366 title Debian DLA-1498-1 : curl security update NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2019-1880.NASL description From Red Hat Security Advisory 2019:1880 : An update for curl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es) : * curl: NTLM password overflow via integer overflow (CVE-2018-14618) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * baseurl with file:// hangs and then timeout in yum repo (BZ#1709474) * curl crashes on http links with rate-limit (BZ#1711914) last seen 2020-06-01 modified 2020-06-02 plugin id 127604 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127604 title Oracle Linux 7 : curl (ELSA-2019-1880) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2715-1.NASL description This update for curl fixes the following issues : This security issue was fixed : CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 117527 published 2018-09-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117527 title SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2018:2715-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4286.NASL description Zhaoyang Wu discovered that cURL, an URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32bit systems. See https://curl.haxx.se/docs/CVE-2018-14618.html for more information. last seen 2020-06-01 modified 2020-06-02 plugin id 117298 published 2018-09-06 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117298 title Debian DSA-4286-1 : curl - security update NASL family Fedora Local Security Checks NASL id FEDORA_2018-BA443BCB6D.NASL description - fix NTLM password overflow via integer overflow (CVE-2018-14618) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-09-21 plugin id 117622 published 2018-09-21 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117622 title Fedora 27 : curl (2018-ba443bcb6d) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2019-1_0-0205_PARAMIKO.NASL description An update of the paramiko package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 122902 published 2019-03-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122902 title Photon OS 1.0: Paramiko PHSA-2019-1.0-0205 NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2018-1135.NASL description curl is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816 .)(CVE-2018-14618) last seen 2020-03-28 modified 2018-12-20 plugin id 119789 published 2018-12-20 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119789 title Amazon Linux 2 : curl (ALAS-2018-1135) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-1880.NASL description An update for curl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es) : * curl: NTLM password overflow via integer overflow (CVE-2018-14618) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * baseurl with file:// hangs and then timeout in yum repo (BZ#1709474) * curl crashes on http links with rate-limit (BZ#1711914) last seen 2020-06-01 modified 2020-06-02 plugin id 127619 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127619 title RHEL 7 : curl (RHSA-2019:1880) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2019-1880.NASL description An update for curl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es) : * curl: NTLM password overflow via integer overflow (CVE-2018-14618) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * baseurl with file:// hangs and then timeout in yum repo (BZ#1709474) * curl crashes on http links with rate-limit (BZ#1711914) last seen 2020-06-01 modified 2020-06-02 plugin id 127470 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127470 title CentOS 7 : curl (CESA-2019:1880) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201903-03.NASL description The remote host is affected by the vulnerability described in GLSA-201903-03 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details. Impact : Remote attackers could cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 122731 published 2019-03-11 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122731 title GLSA-201903-03 : cURL: Multiple vulnerabilities NASL family Scientific Linux Local Security Checks NASL id SL_20190729_CURL_ON_SL7_X.NASL description The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es) : - curl: NTLM password overflow via integer overflow (CVE-2018-14618) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : - baseurl with file:// hangs and then timeout in yum repo (BZ#1709474) - curl crashes on http links with rate-limit (BZ#1711914) last seen 2020-03-18 modified 2019-08-12 plugin id 127724 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127724 title Scientific Linux Security Update : curl on SL7.x x86_64 (20190729) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0182_CURL.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has curl packages installed that are affected by a vulnerability: - curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.) (CVE-2018-14618) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 129904 published 2019-10-15 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129904 title NewStart CGSL CORE 5.04 / MAIN 5.04 : curl Vulnerability (NS-SA-2019-0182) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2018-249-01.NASL description New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 117325 published 2018-09-06 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117325 title Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2018-249-01) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-694.NASL description This update for curl fixes the following issues : This security issue was fixed : - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed : - Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 123302 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123302 title openSUSE Security Update : curl (openSUSE-2019-694) NASL family Fedora Local Security Checks NASL id FEDORA_2018-111044D435.NASL description - fix NTLM password overflow via integer overflow (CVE-2018-14618) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120239 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120239 title Fedora 28 : curl (2018-111044d435) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1047.NASL description According to the version of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes).(CVE-2018-14618) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-02-22 plugin id 122374 published 2019-02-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122374 title EulerOS 2.0 SP2 : curl (EulerOS-SA-2019-1047) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2019-1_0-0205_RUBYGEM.NASL description An update of the rubygem package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 122904 published 2019-03-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122904 title Photon OS 1.0: Rubygem PHSA-2019-1.0-0205 NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2714-1.NASL description This update for curl fixes the following issues : This security issue was fixed : CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-19 modified 2019-01-02 plugin id 120099 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120099 title SUSE SLED15 / SLES15 Security Update : curl (SUSE-SU-2018:2714-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1240.NASL description According to the version of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)i1/4^CVE-2018-14618i1/4%0 Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-19 modified 2019-04-04 plugin id 123708 published 2019-04-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123708 title EulerOS Virtualization 2.5.3 : curl (EulerOS-SA-2019-1240) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2019-1_0-0205_KIBANA.NASL description An update of the kibana package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 122900 published 2019-03-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122900 title Photon OS 1.0: Kibana PHSA-2019-1.0-0205 NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2717-1.NASL description This update for curl fixes the following issues : CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 117529 published 2018-09-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117529 title SUSE SLES11 Security Update : curl (SUSE-SU-2018:2717-1) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1112.NASL description curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816 .)(CVE-2018-14618) last seen 2020-06-10 modified 2018-12-07 plugin id 119471 published 2018-12-07 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119471 title Amazon Linux AMI : curl (ALAS-2018-1112)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://www.securitytracker.com/id/1041605
- https://access.redhat.com/errata/RHSA-2018:3558
- https://access.redhat.com/errata/RHSA-2019:1880
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618
- https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf
- https://curl.haxx.se/docs/CVE-2018-14618.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014
- https://security.gentoo.org/glsa/201903-03
- https://usn.ubuntu.com/3765-1/
- https://usn.ubuntu.com/3765-2/
- https://www.debian.org/security/2018/dsa-4286