Vulnerability Details CVE-2018-16890
libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 78.1%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 5.0
References
- http://www.securityfocus.com/bid/106947
- https://access.redhat.com/errata/RHSA-2019:3701
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890
- https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf
- https://curl.haxx.se/docs/CVE-2018-16890.html
- https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190315-0001/
- https://support.f5.com/csp/article/K03314397?utm_source=f5support&%3Butm_medium=RSS
- https://usn.ubuntu.com/3882-1/
- https://www.debian.org/security/2019/dsa-4386
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- http://www.securityfocus.com/bid/106947
- https://access.redhat.com/errata/RHSA-2019:3701
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890
- https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf
- https://curl.haxx.se/docs/CVE-2018-16890.html
- https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190315-0001/
- https://support.f5.com/csp/article/K03314397?utm_source=f5support&%3Butm_medium=RSS
- https://usn.ubuntu.com/3882-1/
- https://www.debian.org/security/2019/dsa-4386
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Products affected by CVE-2018-16890
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.0
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.0.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.0.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.0.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.0.4
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.0.5
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.0.6
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.0.7
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.0.8
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.1.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.1.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.1.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.1.4
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.1.5
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.0.0
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.0.0.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.0.0.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.0.0.4
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.0.0.5
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.0.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.0.1.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.2.0.45.4
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.2.0.62.4
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.3.0.79.6
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.3.0.97.6
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.3.0.99.6
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.5
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.5.0.15.5
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.5.0.36.5
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.5.0.40.5
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.6
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.6.0.11.9
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.6.0.14.9
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.6.0.68.9
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.0.6.0.70.9
-
cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.0.0
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.0.1
-
cpe:2.3:a:haxx:libcurl:7.36.0
-
cpe:2.3:a:haxx:libcurl:7.37.0
-
cpe:2.3:a:haxx:libcurl:7.37.1
-
cpe:2.3:a:haxx:libcurl:7.38.0
-
cpe:2.3:a:haxx:libcurl:7.39
-
cpe:2.3:a:haxx:libcurl:7.39.0
-
cpe:2.3:a:haxx:libcurl:7.40.0
-
cpe:2.3:a:haxx:libcurl:7.41.0
-
cpe:2.3:a:haxx:libcurl:7.42
-
cpe:2.3:a:haxx:libcurl:7.42.0
-
cpe:2.3:a:haxx:libcurl:7.42.1
-
cpe:2.3:a:haxx:libcurl:7.43.0
-
cpe:2.3:a:haxx:libcurl:7.44.0
-
cpe:2.3:a:haxx:libcurl:7.45.0
-
cpe:2.3:a:haxx:libcurl:7.46.0
-
cpe:2.3:a:haxx:libcurl:7.47.0
-
cpe:2.3:a:haxx:libcurl:7.47.1
-
cpe:2.3:a:haxx:libcurl:7.48.0
-
cpe:2.3:a:haxx:libcurl:7.49.0
-
cpe:2.3:a:haxx:libcurl:7.49.1
-
cpe:2.3:a:haxx:libcurl:7.50.0
-
cpe:2.3:a:haxx:libcurl:7.50.1
-
cpe:2.3:a:haxx:libcurl:7.50.2
-
cpe:2.3:a:haxx:libcurl:7.50.3
-
cpe:2.3:a:haxx:libcurl:7.51.0
-
cpe:2.3:a:haxx:libcurl:7.52.0
-
cpe:2.3:a:haxx:libcurl:7.52.1
-
cpe:2.3:a:haxx:libcurl:7.53.0
-
cpe:2.3:a:haxx:libcurl:7.53.1
-
cpe:2.3:a:haxx:libcurl:7.54.0
-
cpe:2.3:a:haxx:libcurl:7.54.1
-
cpe:2.3:a:haxx:libcurl:7.55.0
-
cpe:2.3:a:haxx:libcurl:7.55.1
-
cpe:2.3:a:haxx:libcurl:7.56.0
-
cpe:2.3:a:haxx:libcurl:7.56.1
-
cpe:2.3:a:haxx:libcurl:7.57.0
-
cpe:2.3:a:haxx:libcurl:7.58.0
-
cpe:2.3:a:haxx:libcurl:7.59.0
-
cpe:2.3:a:haxx:libcurl:7.60.0
-
cpe:2.3:a:haxx:libcurl:7.61.0
-
cpe:2.3:a:haxx:libcurl:7.61.1
-
cpe:2.3:a:haxx:libcurl:7.62.0
-
cpe:2.3:a:haxx:libcurl:7.63.0
-
cpe:2.3:a:oracle:communications_operations_monitor:3.4
-
cpe:2.3:a:oracle:communications_operations_monitor:4.0
-
cpe:2.3:a:oracle:http_server:12.2.1.3.0
-
cpe:2.3:a:oracle:secure_global_desktop:5.4
-
cpe:2.3:a:siemens:sinema_remote_connect_client:-
-
cpe:2.3:a:siemens:sinema_remote_connect_client:1.0
-
cpe:2.3:a:siemens:sinema_remote_connect_client:1.3
-
cpe:2.3:a:siemens:sinema_remote_connect_client:2.0
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.10
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:netapp:clustered_data_ontap:-
-
cpe:2.3:o:netapp:clustered_data_ontap:8.2
-
cpe:2.3:o:netapp:clustered_data_ontap:8.3
-
cpe:2.3:o:netapp:clustered_data_ontap:9.0
-
cpe:2.3:o:netapp:clustered_data_ontap:9.1
-
cpe:2.3:o:netapp:clustered_data_ontap:9.10.0
-
cpe:2.3:o:netapp:clustered_data_ontap:9.10.1
-
cpe:2.3:o:netapp:clustered_data_ontap:9.11.1
-
cpe:2.3:o:netapp:clustered_data_ontap:9.12.0
-
cpe:2.3:o:netapp:clustered_data_ontap:9.12.1
-
cpe:2.3:o:netapp:clustered_data_ontap:9.13.0
-
cpe:2.3:o:netapp:clustered_data_ontap:9.13.1
-
cpe:2.3:o:netapp:clustered_data_ontap:9.14.0
-
cpe:2.3:o:netapp:clustered_data_ontap:9.2
-
cpe:2.3:o:netapp:clustered_data_ontap:9.3
-
cpe:2.3:o:netapp:clustered_data_ontap:9.4
-
cpe:2.3:o:netapp:clustered_data_ontap:9.5
-
cpe:2.3:o:netapp:clustered_data_ontap:9.6
-
cpe:2.3:o:netapp:clustered_data_ontap:9.7
-
cpe:2.3:o:netapp:clustered_data_ontap:9.8
-
cpe:2.3:o:netapp:clustered_data_ontap:9.9.1
-
cpe:2.3:o:redhat:enterprise_linux:8.0