VYPR
Unrated severity · NVD Advisory · Published Feb 6, 2019 · Updated Apr 15, 2026

CVE-2018-16890

Description

libcurl versions 7.36.0 to 7.63.0 contain a heap buffer out-of-bounds read via improper NTLM type-2 message length validation, potentially leaking memory or causing a crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap buffer out-of-bounds read vulnerability exists in the ntlm_decode_type2_target function in lib/vauth/ntlm.c of libcurl, affecting versions from 7.36.0 to 7.63.0 inclusive [1][4]. The function does not properly validate incoming NTLM type-2 message fields, leading to an integer overflow when computing a length-plus-offset value [3][4]. This allows a malicious or broken NTLM server to supply a crafted length and offset combination that causes libcurl to read beyond the bounds of an allocated heap buffer [3][4].
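The length-plus-offset overflow described above, as an added illustration that is not curl's source code: a bounds check that adds first and wraps, next to a form that cannot wrap. The descriptor position, the header size and all function names are assumptions of this sketch, and the sample message is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this sketch: a 16-bit length at FIELD_DESC_POS and a
   32-bit offset four bytes later, both little-endian, locating a field. */
#define FIELD_DESC_POS 40u
#define HEADER_END     48u  /* the field must start after the fixed header */

static uint16_t rd16le(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const unsigned char *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed pattern: the sum is formed in 32 bits and can wrap to a small value. */
int range_ok_naive(uint32_t offset, uint16_t len, size_t size) {
  uint32_t end = offset + len;            /* wraps modulo 2^32 */
  return offset >= HEADER_END && end <= size;
}

/* Hardened pattern: bound the offset first, then compare len to what is left. */
int range_ok_checked(uint32_t offset, uint16_t len, size_t size) {
  return offset >= HEADER_END && offset <= size && len <= size - offset;
}

/* Copies the described field into out; returns its length or -1 if malformed. */
int extract_field(const unsigned char *msg, size_t size,
                  unsigned char *out, size_t outcap) {
  if (size < HEADER_END) return -1;       /* descriptor itself must be present */
  uint16_t len = rd16le(msg + FIELD_DESC_POS);
  uint32_t offset = rd32le(msg + FIELD_DESC_POS + 4);
  if (!range_ok_checked(offset, len, size) || len > outcap) return -1;
  memcpy(out, msg + offset, len);
  return (int)len;
}

int main(void) {
  unsigned char msg[56] = {0}, out[16];   /* constructed sample message */
  msg[40] = 8; msg[44] = 48;              /* well-formed: 8 bytes at offset 48 */
  memcpy(msg + 48, "EXAMPLE!", 8);
  printf("valid field: %d\n", extract_field(msg, sizeof msg, out, sizeof out));
  msg[40] = 0x20; memset(msg + 44, 0xff, 4); msg[44] = 0xf0; /* offset 0xfffffff0 */
  printf("wrapped pair: naive=%d checked=%d\n",
         range_ok_naive(0xfffffff0u, 0x20, sizeof msg),
         extract_field(msg, sizeof msg, out, sizeof out));
  return 0;
}
```
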

Exploitation

An attacker must control an NTLM server that the libcurl client communicates with, or be in a position to spoof NTLM type-2 responses (e.g., via a man-in-the-middle attack). No authentication is required from the client side other than initiating an NTLM-authenticated connection [3][4]. The attacker sends a specially crafted type-2 message containing a manipulated length and offset pair; libcurl's flawed decoding then attempts to copy data using that corrupt offset, triggering the out-of-bounds read [3][4].

Impact

Successful exploitation results in a heap buffer out-of-bounds read, which can cause libcurl to crash (denial of service) or to disclose sensitive memory contents to the attacker [2][4]. The advisory rates the severity as Medium [4]. The Ubuntu security notice also mentions the possibility of arbitrary code execution when combined with NTLMv2 (CVE-2019-3822), but for this specific CVE the impact is limited to information disclosure and denial of service [2].

Mitigation

Fixed in curl version 7.64.0, released on February 6, 2019 [4]. Users should upgrade to 7.64.0 or later. Patches are available and can be applied individually [4]. If upgrading is not immediately possible, turn off NTLM authentication as a workaround [3][4]. Red Hat Enterprise Linux 5, 6, and 7 are not affected because they do not support NTLMv2 type-2 headers [3].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
