Bug 1106019 (CVE-2018-14618)

Summary: VUL-0: CVE-2018-14618: curl: NTLM password overflow via integer overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: 1921267132, pmonrealgonzalez
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/213341/
Whiteboard: CVSSv3:SUSE:CVE-2018-14618:5.5:(AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Upstream patch
Backported patch for SLE-12 and SLE-11-SP3
Backported patch for SLE-11-SP1

Comment 3 Marcus Meissner 2018-09-05 06:17:36 UTC
public now

NTLM password overflow via integer overflow
===========================================

Project curl Security Advisory, September 5th 2018 -
[Permalink](https://curl.haxx.se/docs/CVE-2018-14618.html)

VULNERABILITY
-------------

libcurl contains a buffer overrun in the NTLM authentication code.

The internal function `Curl_ntlm_core_mk_nt_hash` multiplies the `length` of
the password by two (SUM) to figure out how large temporary storage area to
allocate from the heap.

The `length` value is then subsequently used to iterate over the password and
generate output into the allocated storage buffer. On systems with a 32 bit
`size_t`, the math to calculate SUM triggers an integer overflow when the
password length exceeds 2GB (2^31 bytes). This integer overflow usually causes
a very small buffer to actually get allocated instead of the intended very
huge one, making the use of that buffer end up in a heap buffer overflow.

(This bug is almost identical to
[CVE-2017-8816](https://curl.haxx.se/docs/CVE-2017-8816.html).)

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in commit
[be285cde3f](https://github.com/curl/curl/commit/be285cde3f), April 2006.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-14618 to this issue.

CWE-131: Incorrect Calculation of Buffer Size

AFFECTED VERSIONS
-----------------

This issue is only present on 32 bit systems. It also requires the password
field to use more than 2GB of memory, which should be rare.

- Affected versions: libcurl 7.15.4 to and including 7.61.0
- Not affected versions: libcurl < 7.15.4 and >= 7.61.1

curl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In libcurl version 7.61.1, the integer overflow is avoided.

A [patch for
CVE-2018-14618](https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243.patch)
is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.61.1

  B - Apply the patch to your version and rebuild

  C - Put length restrictions on the password you can pass to libcurl

TIME LINE
---------

It was [publicly reported](https://github.com/curl/curl/issues/2756) to the
curl project on July 18, 2018.  We contacted distros@openwall on August 27.

curl 7.61.1 was released on September 5 2018, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Zhaoyang Wu. Patch by Daniel Stenberg.

Thanks a lot!

-- 

  / daniel.haxx.se
Comment 4 Pedro Monreal Gonzalez 2018-09-05 08:40:25 UTC
Packages submitted:

Factory          7.61.0       Updated to version 7.61.1         sr#633271
SLE-12           7.37.0       curl-7.37.0-CVE-2018-14618.patch  sr#171461
SLE-11-SP3       7.37.0       curl-7.37.0-CVE-2018-14618.patch  sr#171463
SLE-11-SP1       7.19.7       curl-7.19.7-CVE-2018-14618.patch  sr#171464
SLE-10-SP3       7.15.1       Not affected
Comment 5 Pedro Monreal Gonzalez 2018-09-05 10:34:53 UTC
Submitted also to:

SUSE:SLE-15:Update 7.60.0  curl-CVE-2018-14618.patch  sr#171488
SUSE:SLE-12-SP4:GA 7.60.0  curl-CVE-2018-14618.patch  sr#171489
Comment 6 Pedro Monreal Gonzalez 2018-09-05 10:38:37 UTC
Created attachment 782011 [details]
Upstream patch

For version curl-7.60.0 in SLE-15:Update and SLE-12-SP4:GA.
Comment 7 Pedro Monreal Gonzalez 2018-09-05 10:41:14 UTC
Created attachment 782012 [details]
Backported patch for SLE-12 and SLE-11-SP3
Comment 8 Pedro Monreal Gonzalez 2018-09-05 10:41:59 UTC
Created attachment 782014 [details]
Backported patch for SLE-11-SP1
Comment 10 Swamp Workflow Management 2018-09-05 12:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (1106019) was mentioned in
https://build.opensuse.org/request/show/633462 42.3 / curl
Comment 11 Swamp Workflow Management 2018-09-05 19:08:19 UTC
SUSE-SU-2018:2629-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1084521,1101811,1106019
CVE References: CVE-2018-1000120,CVE-2018-14618
Sources used:
SUSE Studio Onsite 1.3 (src):    curl-7.19.7-1.20.53.16.1
Comment 13 Swamp Workflow Management 2018-09-14 16:10:04 UTC
SUSE-SU-2018:2714-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1086367,1106019
CVE References: CVE-2018-14618
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    curl-7.60.0-3.9.1
Comment 14 Swamp Workflow Management 2018-09-14 16:10:46 UTC
SUSE-SU-2018:2715-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1089533,1106019
CVE References: CVE-2018-14618
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    curl-7.37.0-37.26.1
SUSE Linux Enterprise Server 12-SP3 (src):    curl-7.37.0-37.26.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    curl-7.37.0-37.26.1
SUSE CaaS Platform ALL (src):    curl-7.37.0-37.26.1
SUSE CaaS Platform 3.0 (src):    curl-7.37.0-37.26.1
OpenStack Cloud Magnum Orchestration 7 (src):    curl-7.37.0-37.26.1
Comment 15 Swamp Workflow Management 2018-09-14 16:14:03 UTC
SUSE-SU-2018:2717-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1106019
CVE References: CVE-2018-14618
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.37.0-70.33.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.37.0-70.33.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.37.0-70.33.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.37.0-70.33.1
Comment 16 Swamp Workflow Management 2018-09-15 13:12:52 UTC
openSUSE-SU-2018:2731-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1086367,1106019
CVE References: CVE-2018-14618
Sources used:
openSUSE Leap 15.0 (src):    curl-7.60.0-lp150.2.12.1, curl-mini-7.60.0-lp150.2.12.1
Comment 17 Swamp Workflow Management 2018-09-15 13:15:25 UTC
openSUSE-SU-2018:2736-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1089533,1106019
CVE References: CVE-2018-14618
Sources used:
openSUSE Leap 42.3 (src):    curl-7.37.0-39.1
Comment 18 Marcus Meissner 2018-11-09 06:40:28 UTC
done