#VU15673 Heap-based buffer overflow in libcurl - CVE-2018-16842

Cybersecurity Help s.r.o.

Published: 2018-11-01

Vulnerability identifier: #VU15673

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-16842

CWE-ID: CWE-122

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libcurl
Universal components / Libraries / Libraries used by multiple products

Vendor: curl.haxx.se

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to heap-based buffer over-read in the tool_msgs.c:voutf() function. A remote unauthenticated attacker can specially crafted data, trigger memory corruption to read back out-of-buffer data and cause the service to crash.

Mitigation
Update to version 7.62.0.

Vulnerable software versions

libcurl: 7.14.1 - 7.61.1

External links
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Watson Studio on Cloud Pak for Data

Multiple vulnerabilities in IBM Flex System Chassis Management Module (CMM)

Multiple vulnerabilities in IBM Cloud Transformation Advisor

Multiple vulnerabilities in Dell Secured Component Verification (SCV)

Multiple vulnerabilities in Dell EMC Unisphere Central

Multiple vulnerabilities in Hitachi Energy MSM Product

Red Hat update for curl

Gentoo update for cURL

Amazon Linux AMI update for curl

OpenSUSE Linux update for curl