CVE-2024-6197

libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/07/24/1	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/07/24/5	Mailing List Third Party Advisory
https://curl.se/docs/CVE-2024-6197.html	Vendor Advisory
https://curl.se/docs/CVE-2024-6197.json	Vendor Advisory
https://hackerone.com/reports/2559516	Exploit Issue Tracking Technical Description
http://www.openwall.com/lists/oss-security/2024/07/24/1	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/07/24/5	Mailing List Third Party Advisory
https://curl.se/docs/CVE-2024-6197.html	Vendor Advisory
https://curl.se/docs/CVE-2024-6197.json	Vendor Advisory
https://hackerone.com/reports/2559516	Exploit Issue Tracking Technical Description
https://security.netapp.com/advisory/ntap-20241129-0008/

Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-07-24 08:15

Updated : 2024-11-29 12:15

NVD link : CVE-2024-6197

Mitre link : CVE-2024-6197

CVE.ORG link : CVE-2024-6197

JSON object : View

Products Affected

haxx

libcurl

CWE

NVD-CWE-Other

{"id": "CVE-2024-6197", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-07-24T08:15:03.340", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/07/24/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/5", "tags": ["Mailing List", "Third Party Advisory"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://curl.se/docs/CVE-2024-6197.html", "tags": ["Vendor Advisory"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://curl.se/docs/CVE-2024-6197.json", "tags": ["Vendor Advisory"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://hackerone.com/reports/2559516", "tags": ["Exploit", "Issue Tracking", "Technical Description"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/5", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://curl.se/docs/CVE-2024-6197.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://curl.se/docs/CVE-2024-6197.json", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/2559516", "tags": ["Exploit", "Issue Tracking", "Technical Description"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20241129-0008/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances."}, {"lang": "es", "value": "El analizador ASN1 de libcurl tiene esta funci\u00f3n utf8asn1str() utilizada para analizar una cadena ASN.1 UTF-8. Puede detectar un campo no v\u00e1lido y devolver un error. Desafortunadamente, al hacerlo tambi\u00e9n invoca `free()` en un b\u00fafer localstack de 4 bytes. La mayor\u00eda de las implementaciones modernas de malloc detectan este error y lo abortan inmediatamente. Sin embargo, algunos aceptan el puntero de entrada y agregan esa memoria a su lista de fragmentos disponibles. Esto lleva a la sobrescritura de la memoria de stack. El contenido de la sobrescritura lo decide la implementaci\u00f3n `free()`; Es probable que sean punteros de memoria y un conjunto de banderas. El resultado m\u00e1s probable de explotar este defecto es un colapso, aunque no se puede descartar que se puedan obtener resultados m\u00e1s graves en circunstancias especiales."}], "lastModified": "2024-11-29T12:15:08.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D3B1F73-722A-4CD2-B1C4-830050B881D6", "versionEndExcluding": "8.9.0", "versionStartIncluding": "8.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9"}