
exploitDog


CVE-2024-6197

Published: 24 Jul 2024
Source: redhat
CVSS3: 5.9
EPSS: Low

Description

libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes free() on a 4 byte local stack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the free() implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploiting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.

A vulnerability was found in cURL's utf8asn1str() function in the ASN1 parser, which causes a denial of service through an invalid free() of a stack buffer (CWE-590). A remote attacker can present a specially crafted TLS certificate that makes the function invoke free() on a 4-byte local stack buffer. Most modern malloc implementations detect this and abort; some accept the pointer, which leads to stack memory being overwritten with allocator metadata. The flaw most likely results in a crash, though more serious consequences are possible under certain conditions.
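To make the mechanism concrete, here is an added example written for this page (not curl's x509asn1.c): a minimal UniversalString-to-UTF-8 decoder in the shape of utf8asn1str(), with the invalid-free error path shown as a comment and replaced by the correct early return. The status codes, function names, wrappers and sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Model of the CVE-2024-6197 pattern: an ASN.1 UniversalString (UCS-4, four
 * bytes per character) is converted to UTF-8 through a 4-byte stack buffer.
 * Example code written for this page, not curl's code; the DEC_* codes, names
 * and sample inputs are constructed.
 */

#define DEC_OK          0
#define DEC_BAD_LENGTH  1   /* input length is not a multiple of 4 */
#define DEC_BAD_CHAR    2   /* code point too large for 4-byte UTF-8 */
#define DEC_NO_SPACE    3   /* output buffer too small */

/* Encode wc as UTF-8 into out; returns the byte count, or 0 when wc >= 0x200000
 * (beyond the 4-byte form: the "invalid UniversalString" case of the flaw). */
static int utf8_encode(unsigned int wc, unsigned char out[4])
{
    if (wc < 0x80) {
        out[0] = (unsigned char)wc;
        return 1;
    }
    if (wc < 0x800) {
        out[0] = (unsigned char)(0xC0 | (wc >> 6));
        out[1] = (unsigned char)(0x80 | (wc & 0x3F));
        return 2;
    }
    if (wc < 0x10000) {
        out[0] = (unsigned char)(0xE0 | (wc >> 12));
        out[1] = (unsigned char)(0x80 | ((wc >> 6) & 0x3F));
        out[2] = (unsigned char)(0x80 | (wc & 0x3F));
        return 3;
    }
    if (wc < 0x200000) {
        out[0] = (unsigned char)(0xF0 | (wc >> 18));
        out[1] = (unsigned char)(0x80 | ((wc >> 12) & 0x3F));
        out[2] = (unsigned char)(0x80 | ((wc >> 6) & 0x3F));
        out[3] = (unsigned char)(0x80 | (wc & 0x3F));
        return 4;
    }
    return 0;
}

/* Decode a UniversalString into NUL-terminated UTF-8. Returns a DEC_* status. */
int universalstring_to_utf8(const unsigned char *from, size_t inlen,
                            char *out, size_t outcap)
{
    size_t pos = 0;

    if (outcap == 0)
        return DEC_NO_SPACE;
    if (inlen % 4)
        return DEC_BAD_LENGTH;          /* length inconsistent with 4-byte chars */

    while (inlen) {
        unsigned char buf[4];           /* decode buffer: stack storage, never malloc'ed */
        unsigned int wc = ((unsigned int)from[0] << 24) | ((unsigned int)from[1] << 16) |
                          ((unsigned int)from[2] << 8)  |  (unsigned int)from[3];
        int n = utf8_encode(wc, buf);

        if (n == 0) {
            /*
             * libcurl 8.6.0-8.8.0 ran `free(buf);` here before returning the
             * error (CWE-590). glibc aborts with "free(): invalid pointer"; an
             * allocator that accepts the pointer writes its chunk metadata over
             * the stack frame. The fix is to return without freeing anything.
             */
            return DEC_BAD_CHAR;
        }
        if (pos + (size_t)n + 1 > outcap)
            return DEC_NO_SPACE;
        memcpy(out + pos, buf, (size_t)n);
        pos += (size_t)n;
        from += 4;
        inlen -= 4;
    }
    out[pos] = '\0';
    return DEC_OK;
}

/* Convenience wrappers: decode into a static buffer and expose the result. */
static char last_utf8[64];

int decode_status(const unsigned char *from, size_t inlen)
{
    last_utf8[0] = '\0';
    return universalstring_to_utf8(from, inlen, last_utf8, sizeof last_utf8);
}

const char *decoded_text(void)
{
    return last_utf8;
}

int main(void)
{
    /* Constructed samples: "A" then U+20AC; then a 4-byte value outside UTF-8's range. */
    static const unsigned char ok[]  = { 0, 0, 0, 'A', 0, 0, 0x20, 0xAC };
    static const unsigned char bad[] = { 0x00, 0x20, 0x00, 0x00 };

    printf("valid   -> status %d, text \"%s\"\n", decode_status(ok, sizeof ok), decoded_text());
    printf("invalid -> status %d (a vulnerable build would free() the stack buffer here)\n",
           decode_status(bad, sizeof bad));
    return 0;
}
```

The only difference between the vulnerable and fixed error path is the absent free(); the input that reaches it is a UniversalString character whose 32-bit value is 0x200000 or larger, which a malicious server can place in any certificate field that CURLOPT_CERTINFO asks libcurl to render.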

Statement

This vulnerability in cURL's utf8asn1str() function is classified as a moderate severity issue rather than an important one because of its specific exploitability conditions and limited impact. The flaw lets a remote attacker trigger an invalid free() of a stack buffer, but the outcome is generally a crash (denial of service) rather than anything more severe. Modern memory allocators typically detect an improper free() of a non-heap pointer and abort, which mitigates the risk of arbitrary code execution or extensive memory corruption. The requirement of a specially crafted TLS certificate further limits the likelihood of widespread exploitation, reducing the overall severity.

Exploitability requires:

- a vulnerable libcurl (8.6.0 through 8.8.0);
- a build with a non-OpenSSL TLS backend (e.g. GnuTLS, wolfSSL);
- a program that explicitly enables CURLOPT_CERTINFO;
- an attacker running a malicious TLS server that presents malformed certificates;
- the ASN.1 parsing hitting an invalid UniversalString, and a memory allocator that does not abort on free() of a stack pointer.

Considering that this is a very narrow, environment-specific setup, AC:H would better reflect the realistic difficulty of exploiting it.
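The first two preconditions can be screened from the first line of `curl --version` (the same string curl_version() returns). The following is an added example for this page, not a Red Hat or curl tool: it extracts the libcurl version, checks it against 8.6.0 through 8.8.0, and classifies the TLS backend token. The backend name tables are assumptions about how curl prints backends, grouping OpenSSL forks with OpenSSL; the version lines are constructed, not captured from real hosts.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Screen a `curl --version` first line against the CVE-2024-6197 preconditions
 * in the statement: libcurl 8.6.0-8.8.0 built with a non-OpenSSL TLS backend.
 * Example code for this page; the name tables below are assumptions.
 */

#define BACKEND_UNKNOWN (-1)
#define BACKEND_OPENSSL 0
#define BACKEND_OTHER   1

/* Assumed spellings of backend tokens in the version line (prefix-matched). */
static const char *const OPENSSL_FAMILY[] = {
    "OpenSSL", "LibreSSL", "BoringSSL", "quictls", "AWS-LC", NULL
};
static const char *const OTHER_TLS[] = {
    "GnuTLS", "wolfSSL", "mbedTLS", "Schannel", "SecureTransport", "BearSSL", "rustls", NULL
};

static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

static int in_table(const char *tok, const char *const table[])
{
    for (int i = 0; table[i]; i++)
        if (starts_with_ci(tok, table[i]))
            return 1;
    return 0;
}

/* "libcurl/X.Y.Z" packed as 0xXXYYZZ, or 0 when the line has no libcurl token. */
unsigned libcurl_version_num(const char *line)
{
    const char *p = strstr(line, "libcurl/");
    unsigned x, y, z;
    if (!p || sscanf(p + 8, "%u.%u.%u", &x, &y, &z) != 3)
        return 0;
    return (x << 16) | (y << 8) | z;
}

/* Classify the TLS backend(s) listed after the libcurl token. Any non-OpenSSL
 * backend wins, since a MultiSSL build could select it at runtime. */
int tls_backend_class(const char *line)
{
    const char *p = strstr(line, "libcurl/");
    int cls = BACKEND_UNKNOWN;
    if (!p)
        return cls;
    while (*p) {
        char tok[64];
        size_t len, n;
        const char *name;
        p += strspn(p, " \t\r\n");
        len = strcspn(p, " \t\r\n");
        if (!len)
            break;
        n = len < sizeof tok - 1 ? len : sizeof tok - 1;
        memcpy(tok, p, n);
        tok[n] = '\0';
        name = tok[0] == '(' ? tok + 1 : tok;   /* tolerate a parenthesised backend */
        if (in_table(name, OTHER_TLS))
            return BACKEND_OTHER;
        if (in_table(name, OPENSSL_FAMILY))
            cls = BACKEND_OPENSSL;
        p += len;
    }
    return cls;
}

/* 1: version in 8.6.0-8.8.0 with a non-OpenSSL backend; 0: outside the range or
 * OpenSSL-only; -1: in the range but no recognised backend, inspect the build by hand. */
int cve_2024_6197_exposed(const char *line)
{
    unsigned v = libcurl_version_num(line);
    int cls;
    if (v < 0x080600 || v > 0x080800)
        return 0;
    cls = tls_backend_class(line);
    if (cls == BACKEND_UNKNOWN)
        return -1;
    return cls == BACKEND_OTHER;
}

int main(void)
{
    /* Constructed version lines in the format curl prints; not captured from real hosts. */
    static const char *const samples[] = {
        "curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 GnuTLS/3.8.3 zlib/1.3.1 nghttp2/1.61.0",
        "curl 8.8.0 (x86_64-pc-linux-gnu) libcurl/8.8.0 OpenSSL/3.0.13 zlib/1.3.1",
        "curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 wolfSSL/5.7.2",
        "curl 8.6.0 (aarch64-unknown-linux-gnu) libcurl/8.6.0 zlib/1.3",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%2d  %s\n", cve_2024_6197_exposed(samples[i]), samples[i]);
    return 0;
}
```

Two caveats the screen cannot cover: distribution packages backport fixes without changing the upstream version string (the Red Hat table below is the authoritative source for RHEL), and whether CURLOPT_CERTINFO is enabled is a property of each application that links libcurl, not of the library build.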

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform                                 Package   State          Advisory   Release
Red Hat Enterprise Linux 10              curl      Affected
Red Hat Enterprise Linux 6               curl      Not affected
Red Hat Enterprise Linux 7               curl      Not affected
Red Hat Enterprise Linux 8               curl      Not affected
Red Hat Enterprise Linux 9               curl      Not affected
Red Hat JBoss Core Services              curl      Affected
Red Hat OpenShift Container Platform 4   rhcos     Not affected


Additional information

Status: Moderate
Weakness: CWE-590
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2299653 (curl: freeing stack buffer in utf8asn1str)

EPSS: 0.03371 (Low), 87th percentile
CVSS3: 5.9 Medium

Related entries from other sources

CVSS3: 7.5
ubuntu
11 months ago

(Description identical to the curl advisory text above.)

CVSS3: 7.5
nvd
11 months ago

(Description identical to the curl advisory text above.)

CVSS3: 8.8
msrc
8 months ago

Hackerone: CVE-2024-6197 Freeing stack buffer in utf8asn1str

CVSS3: 7.5
debian
11 months ago

libcurl's ASN1 parser has this utf8asn1str() function used for parsing ...

CVSS3: 7.5
github
11 months ago

(Description identical to the curl advisory text above.)
