VYPR
Unrated severity · NVD Advisory · Published Mar 14, 2018 · Updated Aug 5, 2024

CVE-2018-1000121

Description

A NULL pointer dereference in curl's LDAP code (versions 7.21.0 to 7.58.0) allows a remote attacker to cause a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference exists in the LDAP code of libcurl versions 7.21.0 through 7.58.0 [1][2][3][4]; upstream fixed it in curl 7.59.0. The bug is on the response-handling side: when an LDAP server returns a reply the code does not expect, a pointer the code assumes is valid is NULL, and dereferencing it crashes the process. The crafted data comes from the server, so the trigger is a query to a hostile or compromised LDAP server, not a specially formed URL.

Exploitation

Exploitation requires the attacker to control the LDAP server that curl connects to, or to stand in its place, for example by intercepting an unencrypted ldap:// connection. The server answers an ordinary query with a crafted response, and libcurl crashes while processing it. No authentication or privileges on the victim side are needed; the only precondition is that the application is made to issue an LDAP request toward the attacker, which is easiest when it builds URLs from untrusted input and does not restrict the allowed schemes.

Impact

Successful exploitation crashes the application or service that uses libcurl, a denial of service. The impact is to availability (A); the bug gives the attacker no read or write primitive, so confidentiality (C) and integrity (I) are not directly affected beyond the interruption of service. Red Hat rates the issue Moderate in its advisories [1][2].

Mitigation

Upstream fixed the bug in curl 7.59.0. Red Hat has released updated packages for various software collections and base operating system versions. For Red Hat Software Collections (httpd24), the fix is included in curl 7.61.1, available via RHSA-2018:3558 [1]. For Red Hat Enterprise Linux 7, the fix is included in curl updates via RHSA-2018:3157 [2]. Later updates (RHSA-2020:0544 and RHSA-2020:0594 [3][4]) address the issue for other products. Users should apply the relevant updates as soon as possible. If patching is not immediately possible, reduce exposure instead: build curl with LDAP disabled (configure `--disable-ldap`), and have applications that pass user-influenced URLs to libcurl restrict the allowed schemes (CURLOPT_PROTOCOLS in libcurl, `--proto` on the command line) so that ldap:// and ldaps:// are never reachable from untrusted input. Where LDAP is genuinely needed, point curl only at trusted servers, over ldaps://. Note that distribution packages backport fixes without changing the version string, so confirm the fix through the vendor advisory or package changelog rather than the version number alone.
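As an added example (not curl's own code), the following POSIX shell script turns the affected range and the "limit LDAP functionality" advice into a triage check: it parses `curl --version` output, compares the libcurl version against 7.21.0 through 7.58.0, and reports whether the build actually exposes the vulnerable code by listing ldap/ldaps among its protocols. The three `curl --version` samples embedded at the bottom are constructed for this example, modeled on typical builds rather than captured from real hosts.

```shell
#!/bin/sh
# Added example (not the curl project's code): triage helper that reads
# `curl --version` output and reports whether the build is in the affected
# range (libcurl 7.21.0 through 7.58.0) AND was compiled with LDAP support.
# The sample outputs at the bottom are constructed for this example.

# Convert "MAJOR.MINOR.PATCH" to an integer so versions compare numerically
# (7.58.0 -> 7058000); a missing component counts as 0.
ver_to_int() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Affected range stated in the advisory: 7.21.0 <= version <= 7.58.0.
version_affected() {
    _v=$(ver_to_int "$1")
    [ "$_v" -ge "$(ver_to_int 7.21.0)" ] && [ "$_v" -le "$(ver_to_int 7.58.0)" ]
}

# Pull the libcurl version from the first line ("... libcurl/7.58.0 ...").
# The library version is what matters here, not the curl tool version.
libcurl_version() {
    printf '%s\n' "$1" | sed -n '1s|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# True if the "Protocols:" line lists ldap or ldaps, i.e. the LDAP code
# was compiled in and an ldap:// URL would reach it.
ldap_enabled() {
    printf '%s\n' "$1" | sed -n 's/^Protocols: *//p' | tr ' ' '\n' |
        grep -qix -e ldap -e ldaps
}

# Verdict for one `curl --version` output. Prints a one-line result and
# returns 0 only when the build is both in range and LDAP-enabled.
assess() {
    _ver=$(libcurl_version "$1")
    if [ -z "$_ver" ]; then
        echo "unknown: could not parse libcurl version"
        return 2
    fi
    if ! version_affected "$_ver"; then
        echo "not affected: libcurl $_ver is outside 7.21.0-7.58.0"
        return 1
    fi
    if ! ldap_enabled "$1"; then
        echo "not reachable: libcurl $_ver is in range but built without LDAP"
        return 1
    fi
    echo "AFFECTED: libcurl $_ver with LDAP enabled; patch or restrict ldap://"
    return 0
}

# Constructed `curl --version` outputs (modeled on real builds, not captured).
SAMPLE_AFFECTED='curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM SSL libz HTTP2'

SAMPLE_NO_LDAP='curl 7.55.1 (x86_64-pc-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2l zlib/1.2.8
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: IPv6 Largefile SSL libz'

SAMPLE_FIXED='curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.0.2k zlib/1.2.7
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM SSL libz'

# On a live host: assess "$(curl --version)"
for s in "$SAMPLE_AFFECTED" "$SAMPLE_NO_LDAP" "$SAMPLE_FIXED"; do
    assess "$s" || :   # the status only matters to callers; keep the loop going
done
```

Treat the version check as a first pass only. Distribution packages backport fixes without bumping the version string (RHEL 7's curl is 7.29.0, inside the range, yet patched via RHSA-2018:3157), so on such systems confirm with the package changelog, for example `rpm -q --changelog curl | grep -i CVE-2018-1000121`. Conversely, a build that does not list ldap in its protocols cannot reach the vulnerable code regardless of version, which is what makes `--disable-ldap` an effective workaround.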

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

19

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

16

News mentions

0

No linked articles in our index yet.