PT-2018-2552 · Curl+6 · Libcurl+6
Wenxiang Qian · Published 2018-12-30 · Updated 2026-05-18 · CVE-2019-3822
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
libcurl versions 7.36.0 through 7.64.0
MySQL Server versions 5.7.26 and earlier
MySQL Server versions 8.0.15 and earlier
Description
The issue is caused by a stack-based buffer overflow in the function Curl_auth_create_ntlm_type3_message(), which generates the outgoing NTLM type-3 header. This function creates the request HTTP header contents based on previously received data. The check meant to prevent the local buffer from overflowing is implemented wrongly, using unsigned arithmetic, and does not prevent the overflow. The output data can grow larger than the local buffer if a very large 'nt response' is extracted from a previous NTLMv2 header provided by a malicious or broken HTTP server. Such response data needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

Recommendations
For libcurl versions 7.36.0 through 7.64.0, consider disabling the Curl_auth_create_ntlm_type3_message() function until a patch is available.
For MySQL Server versions 5.7.26 and earlier, update to a version later than 5.7.26.
For MySQL Server versions 8.0.15 and earlier, update to a version later than 8.0.15.
As a temporary workaround, restrict access to the NTLMv2 type-2 response header to minimize the risk of exploitation.

Exploit
Fix
DoS
Buffer Overflow
Stack Overflow
Memory Corruption
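The description above attributes the overflow to a length check written with unsigned arithmetic. The following C program is an added illustration of that defect class and its fix; it is not libcurl's code, and the function names, the 1024-byte buffer size and the sample response lengths are assumptions made for the example. It shows how a subtraction that underflows lets an oversized 'nt response' pass the check, while a comparison that cannot underflow rejects it before any copy happens.

```c
/* Added illustration (not libcurl's code): how an unsigned-arithmetic bounds
 * check of the kind described in the advisory lets an oversized NT response
 * pass, and how a check that cannot underflow rejects it. All names, the
 * 1024-byte buffer size and the sample lengths below are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NTLM_BUF_SIZE 1024   /* assumed size of the fixed local output buffer */

/* Vulnerable pattern: if resp_len > NTLM_BUF_SIZE, the subtraction wraps to a
 * huge size_t, so "used < huge" is true and the caller copies past the buffer. */
static bool check_vulnerable(size_t used, size_t resp_len)
{
    return used < (size_t)NTLM_BUF_SIZE - resp_len;
}

/* Corrected pattern: only subtract what is already known to be in range,
 * so the comparison can never underflow. */
static bool check_fixed(size_t used, size_t resp_len)
{
    return used <= NTLM_BUF_SIZE && resp_len <= (size_t)NTLM_BUF_SIZE - used;
}

/* Append resp to buf at offset *used only when the corrected check passes.
 * Returns 0 on success, -1 when the response is rejected as too large. */
int append_nt_response(unsigned char *buf, size_t *used,
                       const unsigned char *resp, size_t resp_len)
{
    if (!check_fixed(*used, resp_len))
        return -1;
    memcpy(buf + *used, resp, resp_len);
    *used += resp_len;
    return 0;
}

/* Report whether the vulnerable check would have let a response of resp_len
 * bytes through with `used` bytes already buffered. No copy is performed
 * under the vulnerable check, so this only exposes the wrong verdict. */
bool vulnerable_check_allows(size_t used, size_t resp_len)
{
    return check_vulnerable(used, resp_len);
}

/* Worked scenario: 100 header bytes already buffered, then a constructed
 * 2000-byte response (rejected) followed by a 900-byte one (accepted).
 * Returns the final fill level, 1000, or (size_t)-1 if a step misbehaves. */
size_t demo_fill_level(void)
{
    unsigned char buf[NTLM_BUF_SIZE];
    unsigned char resp[2000];
    size_t used = 100;

    memset(buf, 0, sizeof buf);
    memset(resp, 'A', sizeof resp);          /* constructed payload bytes */

    if (append_nt_response(buf, &used, resp, 2000) == 0)
        return (size_t)-1;                   /* oversized data must be rejected */
    if (append_nt_response(buf, &used, resp, 900) != 0)
        return (size_t)-1;                   /* in-range data must be accepted */
    return used;
}

int main(void)
{
    printf("vulnerable check, 2000-byte response: %s\n",
           vulnerable_check_allows(100, 2000) ? "ALLOWED (would overflow)"
                                              : "rejected");
    printf("fixed check, 2000-byte response:      %s\n",
           check_fixed(100, 2000) ? "allowed" : "rejected");
    printf("fill level after demo: %zu\n", demo_fill_level());
    return 0;
}
```

The wrong verdict appears as soon as the incoming length exceeds the buffer size, which matches the advisory's note that responses of roughly 1000 bytes or more trigger the problem; the corrected check compares against the remaining space rather than subtracting the untrusted length.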
Related Identifiers
Affected Products
Alt Linux
Centos
Mysql Server
Red Hat
Suse
Ubuntu
Libcurl