Heap-based buffer over-read in curl (Alpine package)



Published: 2018-05-16
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2018-1000301
CWE-ID: CWE-126
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
curl (Alpine package)
Operating systems & Components / Operating system package or component

Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Heap-based buffer over-read

EUVDB-ID: #VU12800

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1000301

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information and cause a DoS condition on the target system.

The weakness exists due to a heap-based buffer over-read. When servers send RTSP responses back to curl, the data starts with a set of headers. curl parses that data to separate it into individual headers, handle each appropriately, and find the end of the headers, which signals the start of the "body" part. The function that splits the response into headers is Curl_http_readwrite_headers(). When it cannot find a single header in the buffer, it may leave a pointer pointing into the buffer instead of to the start of the buffer. This may later lead to an out-of-buffer read when code assumes that the pointer points to a full buffer size worth of memory. A remote attacker can gain access to potentially sensitive information and cause the service to crash.
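The pointer handling described above, reduced to a small C model. This is an added example, not curl's source: the struct, the function names and the 16-byte buffer are constructed for illustration. It computes how far a consumer would read past the buffer when no header is found, without performing the read, and shows the effect of rewinding the pointer.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 16   /* constructed size standing in for the receive buffer */
/* Hypothetical receive state for this model; not libcurl's structures. */
struct rx {
  char buf[BUFSZ];
  size_t len;      /* bytes received into buf */
  char *str;       /* cursor that later code reads from */
};

/* Look for one complete header line. Returns 1 if found, 0 on a miss.
   With reset_on_miss == 0 a miss leaves str pointing into buf (the defect
   described above); with 1 it is rewound to the buffer start (hardened). */
static int split_header(struct rx *r, int reset_on_miss)
{
  char *end = r->buf + r->len;
  for(r->str = r->buf; r->str < end; r->str++)
    if(*r->str == '\n') {
      r->str++;    /* the next header starts after the newline */
      return 1;
    }
  if(reset_on_miss)
    r->str = r->buf;
  return 0;
}

/* Bytes past the end of buf that a consumer would read if it assumed
   BUFSZ readable bytes at str. Computed only, never dereferenced. */
static size_t overread_bytes(const struct rx *r)
{
  return (size_t)(r->str - r->buf);
}

/* Load constructed input, split, and report the over-read on a miss. */
static size_t run_case(const char *data, int reset_on_miss)
{
  struct rx r;
  memset(&r, 0, sizeof(r));
  r.len = strlen(data) < BUFSZ ? strlen(data) : BUFSZ;
  memcpy(r.buf, data, r.len);
  return split_header(&r, reset_on_miss) ? 0 : overread_bytes(&r);
}

int main(void)
{
  printf("defect=%zu hardened=%zu\n", run_case("abcdefgh", 0), run_case("abcdefgh", 1));
  return 0;
}
```

A consumer can also defend itself by bounding every read at `buf + BUFSZ - str` bytes instead of assuming a full buffer behind the pointer.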

Mitigation

Install update from vendor's website.

Vulnerable software versions

curl (Alpine package): 7.59.0-r0 - 7.59.0-r1

External links

http://git.alpinelinux.org/aports/commit/?id=201bea07cf7afc2a3cae3e5f5aa927a1c1a66c14
http://git.alpinelinux.org/aports/commit/?id=0a8c160f5bfb61a52f6baa67dd5ce1e6b72038ae
http://git.alpinelinux.org/aports/commit/?id=1acc8d384b7bbc2890a59f59ab217ef2918ed6db
http://git.alpinelinux.org/aports/commit/?id=4cf78dce7e8795b6066bcfcac60143bd68d87bfb
http://git.alpinelinux.org/aports/commit/?id=816ad945de1a845d5a3f498f361c5ec1f1fdf632
http://git.alpinelinux.org/aports/commit/?id=81f97eef6dbd21c460ec2d7791d4c4fd5b8a7d1c


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


