CVE-2024-6197 - OpenCVE

libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Haxx	Libcurl

Configuration 1 [-]

cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/07/24/1
http://www.openwall.com/lists/oss-security/2024/07/24/5
https://curl.se/docs/CVE-2024-6197.html
https://curl.se/docs/CVE-2024-6197.json
https://hackerone.com/reports/2559516
https://nvd.nist.gov/vuln/detail/CVE-2024-6197
https://www.cve.org/CVERecord?id=CVE-2024-6197

History

Mon, 26 Aug 2024 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Haxx Haxx libcurl
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:haxx:libcurl::::::::
Vendors & Products		Haxx Haxx libcurl

MITRE

Status: PUBLISHED

Assigner: curl

Published: 2024-07-24T07:29:50.003Z

Updated: 2024-08-01T21:33:04.981Z

Reserved: 2024-06-20T07:20:43.202Z

Link: CVE-2024-6197

Vulnrichment

Updated: 2024-08-01T21:33:04.981Z

NVD

Status : Analyzed

Published: 2024-07-24T08:15:03.340

Modified: 2024-08-26T15:25:59.960

Link: CVE-2024-6197

Redhat

Severity : Moderate

Publid Date: 2024-07-24T00:00:00Z

Links: CVE-2024-6197 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-6197", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "state": "PUBLISHED", "assignerShortName": "curl", "dateReserved": "2024-06-20T07:20:43.202Z", "datePublished": "2024-07-24T07:29:50.003Z", "dateUpdated": "2024-08-01T21:33:04.981Z"}, "containers": {"cna": {"title": "freeing stack buffer in utf8asn1str", "descriptions": [{"lang": "en", "value": "libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances."}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2024-07-24T07:29:50.003Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-590 Free of Memory not on the Heap"}]}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"version": "8.8.0", "status": "affected", "lessThanOrEqual": "8.8.0", "versionType": "semver"}, {"version": "8.7.1", "status": "affected", "lessThanOrEqual": "8.7.1", "versionType": "semver"}, {"version": "8.7.0", "status": "affected", "lessThanOrEqual": "8.7.0", "versionType": "semver"}, {"version": "8.6.0", "status": "affected", "lessThanOrEqual": "8.6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2024-6197.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2024-6197.html", "name": "www"}, {"url": "https://hackerone.com/reports/2559516", "name": "issue"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/5"}], "credits": [{"lang": "en", "value": "z2_", "type": "finder"}, {"lang": "en", "value": "z2_", "type": "remediation developer"}]}, "adp": [{"affected": [{"vendor": "curl", "product": "curl", "cpes": ["cpe:2.3:a:curl:curl:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "8.6.0", "status": "affected", "lessThanOrEqual": "8.8.0", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-24T18:42:30.556099Z", "id": "CVE-2024-6197", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T18:44:18.885Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:33:04.981Z"}, "title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2024-6197.json", "name": "json", "tags": ["x_transferred"]}, {"url": "https://curl.se/docs/CVE-2024-6197.html", "name": "www", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/2559516", "name": "issue", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/1", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/5", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2024-6197.json", "name": "json", "tags": ["x_transferred"]}, {"url": "https://curl.se/docs/CVE-2024-6197.html", "name": "www", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/2559516", "name": "issue", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/1", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/5", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:33:04.981Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-6197", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-24T18:42:30.556099Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:curl:curl:*:*:*:*:*:*:*:*"], "vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "8.6.0", "versionType": "custom", "lessThanOrEqual": "8.8.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T18:44:09.592Z"}}], "cna": {"title": "freeing stack buffer in utf8asn1str", "credits": [{"lang": "en", "type": "finder", "value": "z2_"}, {"lang": "en", "type": "remediation developer", "value": "z2_"}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "8.8.0", "versionType": "semver", "lessThanOrEqual": "8.8.0"}, {"status": "affected", "version": "8.7.1", "versionType": "semver", "lessThanOrEqual": "8.7.1"}, {"status": "affected", "version": "8.7.0", "versionType": "semver", "lessThanOrEqual": "8.7.0"}, {"status": "affected", "version": "8.6.0", "versionType": "semver", "lessThanOrEqual": "8.6.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2024-6197.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2024-6197.html", "name": "www"}, {"url": "https://hackerone.com/reports/2559516", "name": "issue"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/5"}], "descriptions": [{"lang": "en", "value": "libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-590 Free of Memory not on the Heap"}]}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2024-07-24T07:29:50.003Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6197", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:33:04.981Z", "dateReserved": "2024-06-20T07:20:43.202Z", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "datePublished": "2024-07-24T07:29:50.003Z", "assignerShortName": "curl"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D3B1F73-722A-4CD2-B1C4-830050B881D6", "versionEndExcluding": "8.9.0", "versionStartIncluding": "8.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances."}, {"lang": "es", "value": "El analizador ASN1 de libcurl tiene esta funci\u00f3n utf8asn1str() utilizada para analizar una cadena ASN.1 UTF-8. Puede detectar un campo no v\u00e1lido y devolver un error. Desafortunadamente, al hacerlo tambi\u00e9n invoca `free()` en un b\u00fafer localstack de 4 bytes. La mayor\u00eda de las implementaciones modernas de malloc detectan este error y lo abortan inmediatamente. Sin embargo, algunos aceptan el puntero de entrada y agregan esa memoria a su lista de fragmentos disponibles. Esto lleva a la sobrescritura de la memoria de stack. El contenido de la sobrescritura lo decide la implementaci\u00f3n `free()`; Es probable que sean punteros de memoria y un conjunto de banderas. El resultado m\u00e1s probable de explotar este defecto es un colapso, aunque no se puede descartar que se puedan obtener resultados m\u00e1s graves en circunstancias especiales."}], "id": "CVE-2024-6197", "lastModified": "2024-08-26T15:25:59.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-24T08:15:03.340", "references": [{"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/07/24/1"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/07/24/5"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Vendor Advisory"], "url": "https://curl.se/docs/CVE-2024-6197.html"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Vendor Advisory"], "url": "https://curl.se/docs/CVE-2024-6197.json"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Exploit", "Issue Tracking", "Technical Description"], "url": "https://hackerone.com/reports/2559516"}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "curl: freeing stack buffer in utf8asn1str", "id": "2299653", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2299653"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-590", "details": ["libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.", "A vulnerability was found in cURL's utf8asn1str() function in the ASN1 parser, which causes a denial of service due to a memory allocation flaw. This flaw allows a remote attacker to use a specially crafted TLS certificate, causing the function to invoke free() on a 4-byte local stack buffer. While most modern malloc implementations detect and abort this error, some accept the pointer, leading to stack memory overwriting. This flaw likely results in a crash, though more serious consequences are possible in certain conditions."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-6197", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "curl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2024-07-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-6197\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-6197\nhttps://curl.se/docs/CVE-2024-6197.html\nhttps://curl.se/docs/CVE-2024-6197.json\nhttps://hackerone.com/reports/2559516"], "statement": "This vulnerability in cURL's utf8asn1str() function is classified as a moderate severity issue rather than an important one due to its specific exploitability conditions and impact. While the flaw allows a remote attacker to induce a denial of service by triggering a memory allocation flaw, the outcome is generally a crash rather than more severe consequences. Modern memory management implementations typically detect and abort such improper free() operations, mitigating the risk of arbitrary code execution or extensive memory corruption. Additionally, the requirement of a specially crafted TLS certificate to exploit this vulnerability further limits its likelihood of widespread exploitation, thereby reducing the overall severity.", "threat_severity": "Moderate"}