The libcurl library contains a vulnerability that could allow an
unauthenticated, remote attacker to cause a denial of service (DoS)
condition or execute arbitrary code on the targeted system.
The vulnerability exists due to insufficient bounds checks on
user-supplied input while negotiating authentication through the POP3, SMTP
or IMAP protocols. An unauthenticated, remote attacker on a server
application could exploit the vulnerability by transmitting crafted
authentication requests with overly large length messages. Processing
such messages could cause a buffer overflow memory error. The attacker could leverage the resulting memory corruption to cause a DoS
condition or execute arbitrary code with the privileges of the
Proof-of-concept code that exploits the vulnerability is publicly available.
The vendor has confirmed the vulnerability and released software updates.
Indicators of Compromise
libcurl library versions prior to 7.29.0 are vulnerable.
The vulnerability exists because the Simple Authentication and Security
Layer (SASL) DIGEST-MD5 authentication mechanism fails to perform
sufficient bounds checks on user-supplied message lengths. While
negotiating the SASL DIGEST-MD5 authentication, the Curl_sasl_create_digest_md5_message() function could incorrectly process the authentication message length
and use it to assign buffer memory on
the local system. This may result in a buffer overflow error.
An unauthenticated, remote attacker could exploit the vulnerability by
transmitting a crafted authentication message with an overly large length to a
targeted system. Successful exploitation could allow the attacker to cause a DoS condition or execute arbitrary code.
Authentication is not required to exploit the vulnerability, but the attacker must have access to a server application with which to communicate and provide crafted AUTH DIGEST MD5 responses to the targeted system. This access requirement could limit the likelihood of a successful exploit.
Disabling IMAP, POP3, and SMTP with the CURLOPT_PROTOCOLS option at run-time could help mitigate the vulnerability.
Administrators are advised to apply the appropriate updates.
Administrators are advised to limit network access to trusted users.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
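As an added example (not part of the advisory and not curl project code), the following script applies the two facts stated above, the 7.29.0 fix version and the IMAP, POP3 and SMTP exposure, to the text printed by curl --version. The sample outputs are constructed, and counting the TLS variants (imaps, pop3s, smtps) as affected is an assumption, since they carry the same authentication exchange.

```python
import re

FIXED = (7, 29, 0)  # first fixed libcurl release named in the advisory
# Protocols named in the advisory; the TLS variants are an assumption (same AUTH exchange).
AFFECTED = {"imap", "imaps", "pop3", "pop3s", "smtp", "smtps"}

# Constructed samples of `curl --version` output (not captured from real hosts).
SAMPLE_OLD = (
    "curl 7.28.1 (x86_64-pc-linux-gnu) libcurl/7.28.1 OpenSSL/1.0.1c zlib/1.2.7\n"
    "Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps\n"
    "Features: IPv6 Largefile NTLM SSL libz\n"
)
SAMPLE_MINIMAL = (
    "curl 7.28.1 (arm-unknown-linux-gnu) libcurl/7.28.1 zlib/1.2.7\n"
    "Protocols: file ftp http\n"
    "Features: Largefile libz\n"
)
SAMPLE_FIXED = SAMPLE_OLD.replace("7.28.1", "7.29.0")


def parse_curl_version(text):
    """Return ((major, minor, patch), protocol set) from `curl --version` text."""
    match = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError("no libcurl/X.Y.Z token in input")
    version = tuple(int(part) for part in match.groups())
    protocols = set()
    for line in text.splitlines():
        if line.lower().startswith("protocols:"):
            protocols = set(line.split(":", 1)[1].lower().split())
    return version, protocols


def assess(text):
    """Classify one build: fixed, vulnerable, or outdated with no affected protocol."""
    version, protocols = parse_curl_version(text)
    exposed = sorted(protocols & AFFECTED)
    if version >= FIXED:
        status = "fixed"
    elif exposed:
        status = "vulnerable"
    else:
        status = "outdated-not-exposed"
    return {"version": ".".join(map(str, version)), "status": status, "exposed": exposed}


if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_MINIMAL, SAMPLE_FIXED):
        print(assess(sample))
```

The version string cannot show a fix that a distribution backported without changing the version number, and it describes only the libcurl that the inspected curl binary is linked against.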
The vendor has released a security advisory at the following link: adv_20130206
Apple has released a security advisory at the following link: HT6011
The vendor has released software updates at the following link: libcurl 7.29.0
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.