CVE-2019-3822

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
redhatCNA
7.1 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
VendorProductVersion
haxxlibcurl
7.36.0 ≤
𝑥
< 7.64.0
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
canonicalubuntu_linux
18.10
debiandebian_linux
9.0
netappactive_iq_unified_manager
7.3 ≤
netappactive_iq_unified_manager
9.5 ≤
netappclustered_data_ontap
*
netapponcommand_insight
-
netapponcommand_workflow_automation
-
netappsnapcenter
-
siemenssinema_remote_connect_client
𝑥
≤ 2.0
oraclecommunications_operations_monitor
3.4
oraclecommunications_operations_monitor
4.0
oracleenterprise_manager_ops_center
12.3.3
oracleenterprise_manager_ops_center
12.4.0
oraclehttp_server
12.2.1.3.0
oraclemysql_server
𝑥
≤ 5.7.26
oraclemysql_server
5.7.27 ≤
𝑥
≤ 8.0.15
oraclesecure_global_desktop
5.4
oracleservices_tools_bundle
19.2
redhatenterprise_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
cosmic
Fixed 7.61.0-1ubuntu2.3
released
bionic
Fixed 7.58.0-2ubuntu3.6
released
xenial
Fixed 7.47.0-1ubuntu2.12
released
trusty
not-affected
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/106950
https://access.redhat.com/errata/RHSA-2019:3701
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822
https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf
https://curl.haxx.se/docs/CVE-2019-3822.html
https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E
https://security.gentoo.org/glsa/201903-03
https://security.netapp.com/advisory/ntap-20190315-0001/
https://security.netapp.com/advisory/ntap-20190719-0004/
https://support.f5.com/csp/article/K84141449
https://support.f5.com/csp/article/K84141449?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/3882-1/
https://www.debian.org/security/2019/dsa-4386
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
http://www.securityfocus.com/bid/106950
https://access.redhat.com/errata/RHSA-2019:3701
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822
https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf
https://curl.haxx.se/docs/CVE-2019-3822.html
https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E
https://security.gentoo.org/glsa/201903-03
https://security.netapp.com/advisory/ntap-20190315-0001/
https://security.netapp.com/advisory/ntap-20190719-0004/
https://support.f5.com/csp/article/K84141449
https://support.f5.com/csp/article/K84141449?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/3882-1/
https://www.debian.org/security/2019/dsa-4386
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html