CVE-2019-3822

CRITICAL

libcurl 7.36.0-7.63.0 - Stack-based Buffer Overflow in NTLM Type-3 Header Generation

Title source: llm

Description

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

References (15)

Core 15

Core References

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201903-03

Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2019/dsa-4386

Patch, Vendor Advisory x_refsource_misc

https://curl.haxx.se/docs/CVE-2019-3822.html

Patch, Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20190315-0001/

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3882-1/

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/106950

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E

Third Party Advisory x_refsource_confirm

https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20190719-0004/

Third Party Advisory x_refsource_confirm

https://support.f5.com/csp/article/K84141449

Vendor Advisory x_refsource_confirm

https://support.f5.com/csp/article/K84141449?utm_source=f5support&amp%3Butm_medium=RSS

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:3701

Scores

CVSS v3 9.8

EPSS 0.1789

EPSS Percentile 95.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-121 CWE-787

Status published

Products (23)

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 18.10

debian/debian_linux 9.0

haxx/libcurl 7.36.0 - 7.64.0

netapp/active_iq_unified_manager 7.3

netapp/active_iq_unified_manager 9.5

netapp/clustered_data_ontap

netapp/oncommand_insight

... and 13 more

Published Feb 06, 2019

Tracked Since Feb 18, 2026