CVE-2017-8816: Integer Overflow

Published Nov 21, 2017

curl: An integer overflow existed in curl. This issue was addressed with improved bounds checking.

Other sources

libcurl contains a buffer overrun flaw in the NTLM authentication code.

The internal function `Curl_ntlm_core_mk_ntlmv2_hash` sums up the lengths of the user name + password (= SUM) and multiplies the sum by two (= SIZE) to figure out how much storage to allocate from the heap.

The SUM value is subsequently used to iterate over the input and generate output into the storage buffer. On systems with a 32-bit `size_t`, the math to calculate SIZE triggers an integer overflow when the combined length of the user name and password is larger than 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to be allocated instead of the intended very large one, so that use of the buffer ends up in a buffer overrun.

This is only an issue on 32 bit systems. It also requires the user and password fields to use more than 2GB of memory combined, which in itself should be rare.

- Affected versions: libcurl 7.36.0 to and including 7.56.1
- Not affected versions: libcurl < 7.36.0 and >= 7.57.0
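
The size calculation described above, as an added example (not libcurl's code or its actual patch). `uint32_t` stands in for a 32-bit `size_t` so the wraparound is reproducible on any host; the function names and sample lengths are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* uint32_t stands in for a 32-bit size_t (assumption for portability).
   Function names are hypothetical, not libcurl's. */

/* The calculation as the advisory describes it: SUM = user + password
   lengths, SIZE = SUM * 2. Unsigned arithmetic wraps modulo 2^32. */
static uint32_t size_unchecked(uint32_t userlen, uint32_t passlen)
{
  uint32_t sum = userlen + passlen;
  return sum * 2;
}

/* Bounds-checked variant: reject inputs where either the addition or the
   doubling would not fit. Returns 0 and stores SIZE, or -1 on overflow. */
static int size_checked(uint32_t userlen, uint32_t passlen, uint32_t *size)
{
  if(userlen > UINT32_MAX - passlen)
    return -1;                       /* SUM would wrap */
  uint32_t sum = userlen + passlen;
  if(sum > UINT32_MAX / 2)
    return -1;                       /* SUM * 2 would wrap */
  *size = sum * 2;
  return 0;
}

int main(void)
{
  /* Constructed lengths: combined 2^31 + 8 bytes, just over the 2GB line. */
  uint32_t userlen = 0x80000000u, passlen = 8, size = 0;

  printf("SUM  (bytes the loop processes): %u\n",
         (unsigned)(userlen + passlen));
  printf("SIZE (bytes actually allocated): %u\n",
         (unsigned)size_unchecked(userlen, passlen));
  printf("checked variant returns: %d\n",
         size_checked(userlen, passlen, &size));
  return 0;
}
```

With these inputs the unchecked SIZE wraps to a tiny value while SUM stays above 2^31, which is the mismatch between allocation and iteration that the advisory describes.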

Red Hat

The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.

Credit

Alex Nichols

Affected Software

15 affected components. Fixes available.

- redhat/httpd24-curl < 0:7.61.1-1.el6 (fixed in 0:7.61.1-1.el6)
- redhat/httpd24-httpd < 0:2.4.34-7.el6 (fixed in 0:2.4.34-7.el6)
- redhat/httpd24-nghttp2 < 0:1.7.1-7.el6 (fixed in 0:1.7.1-7.el6)
- redhat/httpd24-curl < 0:7.61.1-1.el7 (fixed in 0:7.61.1-1.el7)
- redhat/httpd24-httpd < 0:2.4.34-7.el7 (fixed in 0:2.4.34-7.el7)
- redhat/httpd24-nghttp2 < 0:1.7.1-7.el7 (fixed in 0:1.7.1-7.el7)
- debian/curl (fixed in 7.64.0-4+deb10u2, 7.64.0-4+deb10u7, 7.74.0-1.3+deb11u9, 7.74.0-1.3+deb11u10, 7.88.1-10+deb12u3, 7.88.1-10+deb12u4, 8.4.0-2)
- redhat/curl < 7.57.0 (fixed in 7.57.0)
- Apple macOS High Sierra < 10.13.4 (fixed in 10.13.4)
- Apple Sierra
- Apple El Capitan
- haxx curl > 7.36.0, <= 7.56.1
- haxx libcurl >= 7.36.0, <= 7.56.1
- Debian Debian Linux = 8.0
- Debian Debian Linux = 9.0

Event History

Nov 29, 2017

- 12:00 AM: CVE Published
- 06:00 PM: CVE Published (via MITRE)
- 06:00 PM: Data Sourced (via MITRE): Description, Weakness
- 06:29 PM: Data Sourced (via NVD): Description, Severity, Weakness, Affected Software

Frequently Asked Questions

1. What is CVE-2017-8816?

CVE-2017-8816 is a vulnerability in curl that allows attackers to cause a denial of service or have unspecified impact by exploiting an integer overflow and resultant buffer overflow.

2. How severe is CVE-2017-8816?

CVE-2017-8816 is considered critical with a severity rating of 9.8.

3. Which software versions are affected by CVE-2017-8816?

curl and libcurl versions before 7.57.0 on 32-bit platforms are affected by CVE-2017-8816.

4. How can I fix CVE-2017-8816?

To fix CVE-2017-8816, update curl and libcurl to version 7.57.0 or later.

5. Where can I find more information about CVE-2017-8816?

More information about CVE-2017-8816 can be found in the references: [link 1](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1356597&action=diff), [link 2](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1356597&action=edit), [link 3](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1356599&action=diff).
