CVE-2019-3822

Vulnerability

A stack-based buffer overflow exists in lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message() in libcurl versions 7.36.0 through 7.63.0 [4]. The function constructs an NTLM type-3 HTTP header based on data from a previous NTLMv2 type-2 response. The bounds check intended to prevent overflow uses unsigned arithmetic incorrectly, so it fails when the nt response field exceeds approximately 1000 bytes. This allows a malicious or broken HTTP server to supply a crafted type-2 header that causes the type-3 output to overflow the local stack buffer [4].

Exploitation

An attacker must control an HTTP server that the victim's libcurl-based client connects to and that negotiates NTLM authentication (e.g., via --ntlm or automatic selection). No prior authentication is required. The attacker sends a crafted NTLMv2 type-2 response containing a large nt response value (≥1000 bytes). When libcurl processes this response to generate the type-3 header, the flawed unsigned check allows copying more data than the allocated stack buffer, triggering the overflow [2][4].

Impact

Successful exploitation can cause a stack buffer overflow, leading to a denial of service (crash) or potentially arbitrary code execution with the privileges of the process using libcurl [3][4]. The impact is rated High (CVSS 8.8) [4].

Mitigation

The vulnerability is fixed in curl version 7.64.0, released on February 6, 2019 [4]. Users should upgrade to this version or apply the provided patch. As a workaround, disable NTLM authentication entirely. Red Hat Enterprise Linux 8 ships with the fixed version curl-7.61.1-11.el8 [1]. Ubuntu 16.04 LTS, 18.04 LTS, and 18.10 received updates via USN-3882-1 [3]. No workaround other than disabling NTLM is available for unpatched installations.