CVE-2018-14618: Buffer Overflow
First published: Mon Aug 27 2018(Updated: )
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/curl | <0:7.29.0-51.el7_6.3 | 0:7.29.0-51.el7_6.3 |
| redhat/httpd24-curl | <0:7.61.1-1.el6 | 0:7.61.1-1.el6 |
| redhat/httpd24-httpd | <0:2.4.34-7.el6 | 0:2.4.34-7.el6 |
| redhat/httpd24-nghttp2 | <0:1.7.1-7.el6 | 0:1.7.1-7.el6 |
| redhat/httpd24-curl | <0:7.61.1-1.el7 | 0:7.61.1-1.el7 |
| redhat/httpd24-httpd | <0:2.4.34-7.el7 | 0:2.4.34-7.el7 |
| redhat/httpd24-nghttp2 | <0:1.7.1-7.el7 | 0:1.7.1-7.el7 |
| Haxx Libcurl | <7.61.1 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Debian Debian Linux | =9.0 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =7.4 | |
| Redhat Enterprise Linux | =7.5 | |
| Redhat Enterprise Linux | =7.6 | |
| redhat/curl | <7.61.1 | 7.61.1 |
| ubuntu/curl | <7.58.0-2ubuntu3.3 | 7.58.0-2ubuntu3.3 |
| ubuntu/curl | <7.35.0-1ubuntu2.17 | 7.35.0-1ubuntu2.17 |
| ubuntu/curl | <7.47.0-1ubuntu2.9 | 7.47.0-1ubuntu2.9 |
| debian/curl | 7.74.0-1.3+deb11u12 7.74.0-1.3+deb11u11 7.88.1-10+deb12u6 7.88.1-10+deb12u5 8.8.0-4 8.9.1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2018-14618 https://nvd.nist.gov/vuln/detail/CVE-2018-14618 https://curl.haxx.se/docs/CVE-2018-14618.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1622707
- https://access.redhat.com/errata/RHBA-2020:0547
- https://access.redhat.com/errata/RHSA-2019:1880
- https://access.redhat.com/errata/RHSA-2018:3558
- https://access.redhat.com/security/cve/cve-2018-14618
- http://www.securitytracker.com/id/1041605
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618
- https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf
- https://curl.haxx.se/docs/CVE-2018-14618.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014
- https://security.gentoo.org/glsa/201903-03
- https://usn.ubuntu.com/3765-1/
- https://usn.ubuntu.com/3765-2/
- https://www.debian.org/security/2018/dsa-4286
- https://launchpad.net/bugs/cve/CVE-2018-14618
- https://curl.haxx.se/docs/CVE-2018-XXXX.html
- https://access.redhat.com/security/cve/CVE-2017-8816
- https://curl.haxx.se/docs/CVE-2017-8816.html
- https://github.com/curl/curl/commit/be285cde3f
- https://curl.haxx.se/CVE-2018-bf5f.patch
- https://github.com/curl/curl/issues/2756
- https://seclists.org/oss-sec/2018/q3/217
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1625563
- https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243
- https://security-tracker.debian.org/tracker/CVE-2018-14618
- https://ubuntu.com/security/notices/USN-3765-1
- https://ubuntu.com/security/notices/USN-3765-2
- https://www.cve.org/CVERecord?id=CVE-2018-14618
- https://nvd.nist.gov/vuln/detail/CVE-2018-14618
- https://ubuntu.com/security/CVE-2018-14618
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2018-14618?
CVE-2018-14618 is a vulnerability in the NTLM authentication code of curl before version 7.61.1.
What is the severity of CVE-2018-14618?
CVE-2018-14618 has a severity value of 9.8, which is classified as critical.
How does CVE-2018-14618 affect curl?
CVE-2018-14618 affects curl versions before 7.61.1, and it is specifically related to a buffer overrun in the NTLM authentication code.
How can I fix CVE-2018-14618?
To fix CVE-2018-14618, you need to update curl to version 7.61.1 or later.
Where can I find more information about CVE-2018-14618?
You can find more information about CVE-2018-14618 on the official curl website and the Red Hat security page.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/weakness
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/last-modified-date
- agent/author
- agent/severity
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-14618
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/haxx
- canonical/haxx libcurl
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/7.4
- version/redhat enterprise linux/7.5
- version/redhat enterprise linux/7.6
- package-manager/debian
- package-manager/ubuntu