7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-6197

GHSA ID

GHSA-x3h8-3mf2-v794

EPSS Score

0.8682%

CWE

Published

7/24/2024

Updated

11/29/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-6197

CVE-2024-6197: libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string....

libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes free() on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the free() implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-6197

GHSA ID

GHSA-x3h8-3mf2-v794

EPSS Score

0.8682%

CWE

Published

7/24/2024

Updated

11/29/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly names the utf8asn1str() function as the source of the issue. The problem is a free() call on a local stack buffer. I analyzed the provided commit information. The fixing commit 3a537a4db9e65e545ec45b1b5d5575ee09a2569d directly removes a free(buf); call from the utf8asn1str function in lib/vtls/x509asn1.c. The introducing commit 623c3a8fa0bdb2751f14b3741760d81910b7ec64 shows that buf within this function was refactored to be a stack-allocated array char buf[4]; under the conditions where the free() was later removed. This confirms that utf8asn1str is the vulnerable function, as it attempts to free a stack buffer under specific error conditions related to invalid UTF-8 character sizes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

li**url's *SN* p*rs*r **s t*is ut***sn*str() *un*tion us** *or p*rsin* *n *SN.* UT*-* strin*. It**n **t**t *n inv*li* *i*l* *n* r*turn *rror. Un*ortun*t*ly, w**n *oin* so it *lso invok*s `*r**()` on * * *yt* lo**lst**k *u***r. Most mo**rn m*llo* imp

Reasoning

T** vuln*r**ility **s*ription *xpli*itly n*m*s t** `ut***sn*str()` *un*tion *s t** sour** o* t** issu*. T** pro*l*m is * `*r**()` **ll on * lo**l st**k *u***r. I *n*lyz** t** provi*** *ommit in*orm*tion. T** *ixin* *ommit `***************************

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-6197: libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string....

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI