CVE-2018-14618

HIGH

libcurl < 7.61.1 - Heap Buffer Overflow via NTLM Authentication Password Length

Title source: llm

Description

curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)

References (11)

Core 11

Core References

Vendor Advisory x_refsource_confirm

https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf

Vendor Advisory x_refsource_confirm

https://curl.haxx.se/docs/CVE-2018-14618.html

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201903-03

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3765-1/

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:3558

Third Party Advisory x_refsource_confirm

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2018/dsa-4286

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1041605

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3765-2/

Issue Tracking x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:1880

Scores

CVSS v3 7.5

EPSS 0.1082

EPSS Percentile 95.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-190 CWE-131 CWE-122

Status published

Products (12)

[UNKNOWN]/curl 7.61.1

canonical/ubuntu_linux 12.04

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

debian/debian_linux 9.0

haxx/libcurl < 7.61.1

redhat/enterprise_linux 6.0

redhat/enterprise_linux 7.0

redhat/enterprise_linux 7.4

... and 2 more

Published Sep 05, 2018

Tracked Since Feb 18, 2026