CVE-2017-8816

Name of the Vulnerable Software and Affected Versions libcurl versions prior to 7.57.0

Description The issue is related to the NTLM authentication feature in libcurl, which allows attackers to cause a denial of service or possibly have other impacts via vectors involving long user and password fields. This is due to a buffer overrun flaw in the NTLM authentication code. The internal function Curl ntlm core mk ntlmv2 hash calculates the storage size by summing the lengths of the username and password and multiplying by two. On 32-bit systems, this calculation can trigger an integer overflow when the combined lengths exceed 2GB, resulting in a very small buffer being allocated instead of the intended large one, leading to a buffer overrun.

Recommendations For versions prior to 7.57.0, update to version 7.57.0 or later to resolve the issue. As a temporary workaround, consider restricting the length of the username and password fields to prevent the integer overflow and buffer overrun.