Amazon Linux AMI update for curl

Published: 2019-01-25

Risk	High
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2018-16842 CVE-2018-16840 CVE-2018-16839
CWE-ID	CWE-122 CWE-416 CWE-190
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Heap-based buffer overflow

EUVDB-ID: #VU15673

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-16842

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to heap-based buffer over-read in the tool_msgs.c:voutf() function. A remote unauthenticated attacker can specially crafted data, trigger memory corruption to read back out-of-buffer data and cause the service to crash.

Mitigation

Update the affected packages.

i686:
    libcurl-devel-7.53.1-16.86.amzn1.i686
    libcurl-7.53.1-16.86.amzn1.i686
    curl-7.53.1-16.86.amzn1.i686
    curl-debuginfo-7.53.1-16.86.amzn1.i686

src:
    curl-7.53.1-16.86.amzn1.src

x86_64:
    libcurl-7.53.1-16.86.amzn1.x86_64
    libcurl-devel-7.53.1-16.86.amzn1.x86_64
    curl-7.53.1-16.86.amzn1.x86_64
    curl-debuginfo-7.53.1-16.86.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1148.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free error

EUVDB-ID: #VU15672

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-16840

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to use-after-free error in closing an easy handle in the 'Curl_close()' function. A remote unauthenticated attacker can specially crafted data, trigger memory corruption and cause the service to crash.

Mitigation

Update the affected packages.

i686:
    libcurl-devel-7.53.1-16.86.amzn1.i686
    libcurl-7.53.1-16.86.amzn1.i686
    curl-7.53.1-16.86.amzn1.i686
    curl-debuginfo-7.53.1-16.86.amzn1.i686

src:
    curl-7.53.1-16.86.amzn1.src

x86_64:
    libcurl-7.53.1-16.86.amzn1.x86_64
    libcurl-devel-7.53.1-16.86.amzn1.x86_64
    curl-7.53.1-16.86.amzn1.x86_64
    curl-debuginfo-7.53.1-16.86.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1148.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Integer overflow

EUVDB-ID: #VU15671

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-16839

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in processing the Curl_auth_create_plain_message name and password when handling malicious input. A remote unauthenticated attacker can send specially crafted SASL password data, trigger memory corruption and execute arbitrary code with elevated privileges. The affected function can be invoked using POP3(S), IMAP(S), or SMTP(S).

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages.

i686:
    libcurl-devel-7.53.1-16.86.amzn1.i686
    libcurl-7.53.1-16.86.amzn1.i686
    curl-7.53.1-16.86.amzn1.i686
    curl-debuginfo-7.53.1-16.86.amzn1.i686

src:
    curl-7.53.1-16.86.amzn1.src

x86_64:
    libcurl-7.53.1-16.86.amzn1.x86_64
    libcurl-devel-7.53.1-16.86.amzn1.x86_64
    curl-7.53.1-16.86.amzn1.x86_64
    curl-debuginfo-7.53.1-16.86.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1148.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.