#VU15672 Use-after-free error in libcurl - CVE-2018-16840

Cybersecurity Help s.r.o.

Published: 2018-11-01 | Updated: 2018-11-01

Vulnerability identifier: #VU15672

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-16840

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libcurl
Universal components / Libraries / Libraries used by multiple products

Vendor: curl.haxx.se

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to use-after-free error in closing an easy handle in the 'Curl_close()' function. A remote unauthenticated attacker can specially crafted data, trigger memory corruption and cause the service to crash.

Mitigation
Update to version 7.62.0.

Vulnerable software versions

libcurl: 7.59.0 - 7.61.1

External links
https://curl.haxx.se/docs/CVE-2018-16840.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Watson Studio on Cloud Pak for Data

Multiple vulnerabilities in IBM Flex System Chassis Management Module (CMM)

Multiple vulnerabilities in IBM Cloud Transformation Advisor

Multiple vulnerabilities in Dell Secured Component Verification (SCV)

Multiple vulnerabilities in Dell EMC Search

Multiple vulnerabilities in Dell EMC Unisphere Central

Gentoo update for cURL

Amazon Linux AMI update for curl

OpenSUSE Linux update for curl