Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-9FB4E57B-D65A-11E9-8A5F-E5C82B486287 (CVE-2019-5481): curl -- multiple vulnerabilities

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

FreeBSD: VID-9FB4E57B-D65A-11E9-8A5F-E5C82B486287 (CVE-2019-5481): curl -- multiple vulnerabilities

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
09/11/2019
Created
09/17/2019
Added
09/15/2019
Modified
09/20/2019

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-9FB4E57B-D65A-11E9-8A5F-E5C82B486287:

curl security problems:

CVE-2019-5481: FTP-KRB double-free

libcurl can be told to use kerberos over FTP to a server, as set with

the CURLOPT_KRBLEVEL option.

During such kerberos FTP data transfer, the server sends data to curl

in blocks with the 32 bit size of each block first and then that amount

of data immediately following.

A malicious or just broken server can claim to send a very large block

and if by doing that it makes curl's subsequent call to realloc() to

fail, curl would then misbehave in the exit path and double-free the

memory.

In practical terms, an up to 4 GB memory area may very well be fine to

allocate on a modern 64 bit system but on 32 bit systems it will fail.

Kerberos FTP is a rarely used protocol with curl. Also, Kerberos

authentication is usually only attempted and used with servers that the

client has a previous association with.

CVE-2019-5482: TFTP small blocksize heap buffer overflow

libcurl contains a heap buffer overflow in the function

(tftp_receive_packet()) that receives data from a TFTP server. It can

call recvfrom() with the default size for the buffer rather than with

the size that was used to allocate it. Thus, the content that might

overwrite the heap memory is controlled by the server.

This flaw is only triggered if the TFTP server sends an OACK without

the BLKSIZE option, when a BLKSIZE smaller than 512 bytes was requested

by the TFTP client. OACK is a TFTP extension and is not used by all

TFTP servers.

Users choosing a smaller block size than default should be rare as the

primary use case for changing the size is to make it larger.

It is rare for users to use TFTP across the Internet. It is most

commonly used within local networks. TFTP as a protocol is always

inherently insecure.

This issue was introduced by the add of the TFTP BLKSIZE option

handling. It was previously incompletely fixed by an almost identical

issue called CVE-2019-5436.

Solution(s)

  • freebsd-upgrade-package-curl

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;