CVE-2019-3822

high-risk

Published 2019-02-06

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

Do I need to act?

16.6% chance of exploitation in next 30 days

EPSS score — higher than 83% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Libcurl

Ubuntu Linux

Debian Linux

Active Iq Unified Manager

Clustered Data Ontap

Oncommand Insight

Oncommand Workflow Automation

Snapcenter

Sinema Remote Connect Client

Communications Operations Monitor

Enterprise Manager Ops Center

Http Server

Mysql Server

Secure Global Desktop

Affected Vendors

Debian Redhat Oracle Siemens Canonical Haxx Netapp

References (30)

Third Party Advisory http://www.securityfocus.com/bid/106950

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3701

Exploit https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822

Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf

Patch https://curl.haxx.se/docs/CVE-2019-3822.html

https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37f...

Third Party Advisory https://security.gentoo.org/glsa/201903-03

Patch https://security.netapp.com/advisory/ntap-20190315-0001/

Third Party Advisory https://security.netapp.com/advisory/ntap-20190719-0004/

Third Party Advisory https://support.f5.com/csp/article/K84141449

https://support.f5.com/csp/article/K84141449?utm_source=f5support&amp%3Butm_medi...

Third Party Advisory https://usn.ubuntu.com/3882-1/

Third Party Advisory https://www.debian.org/security/2019/dsa-4386

Patch https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Patch https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Third Party Advisory http://www.securityfocus.com/bid/106950

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3701

Exploit https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822

Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf

Patch https://curl.haxx.se/docs/CVE-2019-3822.html

and 10 more references

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 13/34 · Low

Exposure 20/34 · Moderate