CVE-2019-3822

critical

Description

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`) generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
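An added illustration of the arithmetic flaw the description names; this is not curl's code and not part of this record. A bounds check written as `used < limit - len` is evaluated in unsigned arithmetic, so when the incoming length exceeds the buffer size the subtraction wraps to a huge value and the check passes. The 1024-byte buffer size and the 64/500/1500-byte sample lengths are assumptions chosen for the illustration (the record only says "around 1000 bytes or more"); the corrected check below compares against the remaining space without forming a subtraction that can wrap.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer. 1024 is an assumed value for this illustration. */
#define BUFSIZE 1024

/* Flawed check: `limit - len` is computed in size_t. When len > limit the
   subtraction wraps to a value near SIZE_MAX, so `used < huge` is true and
   the caller goes on to copy len bytes into a buffer that cannot hold them.
   Returns 1 if the copy would be allowed. */
int fits_flawed(size_t used, size_t len, size_t limit)
{
    return used < (limit - len);
}

/* Corrected check: first make sure `used` is within the buffer, then compare
   the length against the remaining space. `limit - used` cannot wrap because
   used <= limit has already been established. Returns 1 only when the copy
   fits. */
int fits_correct(size_t used, size_t len, size_t limit)
{
    if (used > limit)
        return 0;
    return len <= limit - used;
}

/* Guarded append: copies only when the corrected check passes. Returns the
   new fill level, or (size_t)-1 when the input is rejected. */
size_t append_checked(unsigned char *buf, size_t used,
                      const unsigned char *src, size_t len)
{
    if (!fits_correct(used, len, BUFSIZE))
        return (size_t)-1;
    memcpy(buf + used, src, len);
    return used + len;
}

int main(void)
{
    /* Constructed sizes: 64 bytes already in the buffer, then a response
       length larger than the whole buffer, as a broken or hostile server
       could supply; and a 500-byte response that legitimately fits. */
    size_t used = 64, big = 1500, small = 500;
    unsigned char buf[BUFSIZE];
    unsigned char payload[500];
    memset(payload, 'A', sizeof(payload));

    printf("flawed  check, len=%zu: %s\n", big,
           fits_flawed(used, big, BUFSIZE) ? "allows copy (would overflow)" : "rejects");
    printf("correct check, len=%zu: %s\n", big,
           fits_correct(used, big, BUFSIZE) ? "allows copy" : "rejects");
    printf("correct check, len=%zu: %s\n", small,
           fits_correct(used, small, BUFSIZE) ? "allows copy" : "rejects");

    size_t after = append_checked(buf, used, payload, small);
    printf("guarded append of %zu bytes at offset %zu -> fill level %zu\n",
           small, used, after);
    return 0;
}
```

Built with `-fsanitize=undefined` or a simple review, the flawed form is easy to miss because it reads like a valid "room left" test; the safe pattern is to bound the offset first and then compare the length against `limit - used`, which cannot wrap.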

References

https://curl.haxx.se/docs/CVE-2019-3822.html

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822

https://www.debian.org/security/2019/dsa-4386

https://usn.ubuntu.com/3882-1/

http://www.securityfocus.com/bid/106950

https://security.gentoo.org/glsa/201903-03

https://security.netapp.com/advisory/ntap-20190315-0001/

https://lists.apache.org/thread.html/[email protected]%3Cdevnull.infra.apache.org%3E

https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://security.netapp.com/advisory/ntap-20190719-0004/

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://support.f5.com/csp/article/K84141449

https://support.f5.com/csp/article/K84141449?utm_source=f5support&utm_medium=RSS

https://access.redhat.com/errata/RHSA-2019:3701

Details

Source: MITRE

Published: 2019-02-06

Updated: 2021-06-15

Type: CWE-787

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

Configuration 3

OR

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*

cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vsphere:*:*

cpe:2.3:a:netapp:clustered_data_ontap:*:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:siemens:sinema_remote_connect_client:*:*:*:*:*:*:*:* versions up to 2.0 (inclusive)

Configuration 6

OR

cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* versions up to 5.7.26 (inclusive)

cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* versions from 5.7.27 to 8.0.15 (inclusive)

cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:services_tools_bundle:19.2:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Tenable Plugins

21 plugins in total.

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 145603 | CentOS 8 : curl (CESA-2019:3701) | Nessus | CentOS Local Security Checks | critical |
| 133296 | Photon OS 1.0: Curl PHSA-2019-1.0-0209 | Nessus | PhotonOS Local Security Checks | critical |
| 130568 | RHEL 8 : curl (RHSA-2019:3701) | Nessus | Red Hat Local Security Checks | critical |
| 129567 | Amazon Linux AMI : mysql57 (ALAS-2019-1297) | Nessus | Amazon Linux Local Security Checks | critical |
| 126928 | FreeBSD : MySQL -- Multiple vulerabilities (198e6220-ac8b-11e9-a1c7-b499baebfeaf) | Nessus | FreeBSD Local Security Checks | critical |
| 126783 | MySQL 5.7.x < 5.7.27 Multiple Vulnerabilities (Jul 2019 CPU) | Nessus | Databases | critical |
| 126777 | Oracle Enterprise Manager Ops Center (Jul 2019 CPU) | Nessus | Misc. | critical |
| 124160 | MySQL 8.0.x < 8.0.16 Multiple Vulnerabilities (Apr 2019 CPU) (Jul 2019 CPU) | Nessus | Databases | critical |
| 124156 | Oracle Fusion Middleware Oracle HTTP Server (Apr 2019 CPU) | Nessus | Web Servers | critical |
| 122731 | GLSA-201903-03 : cURL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
| 122260 | Amazon Linux 2 : curl (ALAS-2019-1162) | Nessus | Amazon Linux Local Security Checks | critical |
| 122221 | openSUSE Security Update : curl (openSUSE-2019-174) | Nessus | SuSE Local Security Checks | critical |
| 122220 | openSUSE Security Update : curl (openSUSE-2019-173) | Nessus | SuSE Local Security Checks | critical |
| 122149 | SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2019:0339-1) | Nessus | SuSE Local Security Checks | critical |
| 122106 | Fedora 29 : curl (2019-43489941ff) | Nessus | Fedora Local Security Checks | critical |
| 122042 | FreeBSD : curl -- multiple vulnerabilities (714b033a-2b09-11e9-8bc3-610fd6e6cd05) | Nessus | FreeBSD Local Security Checks | critical |
| 121639 | Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : curl vulnerabilities (USN-3882-1) | Nessus | Ubuntu Local Security Checks | critical |
| 121635 | SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2019:0249-1) | Nessus | SuSE Local Security Checks | critical |
| 121632 | Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2019-037-01) | Nessus | Slackware Local Security Checks | critical |
| 121628 | Debian DSA-4386-1 : curl - security update | Nessus | Debian Local Security Checks | critical |
| 121618 | SUSE SLED15 / SLES15 Security Update : curl (SUSE-SU-2019:0248-1) | Nessus | SuSE Local Security Checks | critical |