CVE-2019-17455

9.8 CRITICAL

📋 TL;DR

CVE-2019-17455 is a stack-based buffer over-read in Libntlm, a client-side NTLM library, affecting every release up to and including 1.5. The affected code is buildSmbNtlmAuthRequest() in smbutil.c, which assembles the NTLM negotiate message from the user and domain values the calling application hands it; a crafted ntlm structure makes it read past the end of a fixed-size stack buffer. The direct consequences are a crash of the calling process or disclosure of adjacent stack memory, which in an authenticating client can include the credentials it is about to use. NVD rates the issue 9.8, but an over-read on its own does not give code execution. Any program that links a vulnerable Libntlm and feeds it data it does not fully control is affected; the fix is in Libntlm 1.6.

💻 Affected Systems

Products:
  • Libntlm
  • Applications using Libntlm library
Versions: all releases through 1.5 (fixed in 1.6)
Operating Systems: any system on which Libntlm is built, in practice Linux and other Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Any application linking a vulnerable Libntlm, shared or static, is affected when it builds an NTLM message from values an attacker can influence. Distribution packages may ship the fix as a backport while still reporting version 1.5; check the package changelog before concluding a system is vulnerable.

📦 What is this software?

Libntlm is a small C library, maintained by Simon Josefsson, that builds and parses the NTLM authentication messages (type 1 negotiate, type 2 challenge, type 3 authenticate) a client needs to log in to servers that require NTLM, for example a mail client using AUTH NTLM against an Exchange server. It is a client-side building block linked by other programs; it is not a network service and does not listen on any port itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A process that links Libntlm reads beyond a stack buffer while assembling an NTLM message and leaks adjacent stack contents, which in an authenticating client can include the password or hash it is about to use, giving the attacker material for credential theft and lateral movement. NVD scores the issue 9.8, but an over-read alone does not yield code execution; treat remote code execution as an unconfirmed extreme, not the expected outcome.

🟠 Likely Case

Disclosure of stack memory and denial of service through crashes of the application performing the authentication.

🟢 If Mitigated

With user and domain lengths validated before they reach the library and the affected service reachable only from trusted networks, the impact is a local crash at worst; some disclosure risk remains until the library is updated.

🌐 Internet-Facing: HIGH only for services that build NTLM messages from values supplied by remote users (authentication gateways, proxies, multi-user mail services); Libntlm is a client-side library, not a network service, and is not the NTLM implementation inside web servers or file-sharing daemons.
🏢 Internal Only: MEDIUM - a client that authenticates with fixed credentials from its own configuration is reachable only by whoever controls that configuration, but any internal service that relays user-supplied credentials upstream remains exposed to internal attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes (see the upstream issue linked under Official Fix)
Weaponized: Not known; no in-the-wild exploitation is cited here
Unauthenticated Exploit: ⚠️ Yes, where an unauthenticated remote party can supply the user or domain values the application passes to Libntlm
Complexity: LOW

The bug sits in the function that assembles the NTLM negotiate message from the user and domain values handed to the library, so anyone who controls those values, for example a user of a gateway or proxy that authenticates upstream with the credentials it is given, can trigger it with a single oversized or malformed value. A client that reads fixed credentials from its own configuration file offers no remote trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Libntlm 1.6 and later

Vendor Advisory: https://gitlab.com/jas/libntlm/issues/2

Restart Required: Yes (a running process keeps the old shared object mapped until it is restarted)

Instructions:

1. Update Libntlm to version 1.6 or later with your distribution's package manager, or build 1.6 from upstream if no fixed package is available.
2. Rebuild and redeploy any application that links Libntlm statically or bundles its own copy of the source; upgrading the shared library package does not fix those.
3. Restart every service that performs NTLM authentication through the library, then confirm that no running process still maps the old library (for example by searching /proc/<pid>/maps for libntlm).

🔧 Temporary Workarounds

Disable NTLM authentication (platform: all)

Where the server side supports it, switch the client to a different mechanism (Kerberos/GSSAPI, or plain authentication over TLS) so the NTLM code path in Libntlm is never entered.

# Configuration varies by application - disable NTLM in the application's authentication settings

Network segmentation (platform: linux)

Limit which hosts can reach a service that builds NTLM messages on behalf of others (a gateway or proxy), so only trusted networks can supply the user and domain values it passes to the library. Replace [PORT] and [TRUSTED_NETWORK] with the service port and the permitted CIDR range, and keep the ACCEPT rule ahead of the DROP rule.

iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP

🧯 If You Can't Patch

  • Validate and cap the length of user and domain values, and reject values from untrusted sources, before the application hands them to Libntlm; the over-read is triggered by the input the library is given
  • Restrict network access to any service that builds NTLM messages for remote users, and monitor it for crashes during authentication (a WAF only helps if the service is HTTP-based)
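As an added illustration, not code from Libntlm or from this advisory, the C program below contrasts the bug class described in the TL;DR with the input validation recommended in the bullets above. It builds a simplified NTLM negotiate message from a caller-supplied structure in which user and domain are described by (length, offset) descriptors: build_auth_request_unchecked() trusts those descriptors and reads past the input payload (and writes past the fixed output buffer) when one is crafted, while build_auth_request() checks every descriptor first and refuses the input. All type and function names, the 256-byte payload size and the flag value are this example's own assumptions, not Libntlm's API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libntlm's code. A simplified NTLM type 1 (negotiate)
 * builder whose field descriptors follow the NTLM "security buffer" idea
 * (length, max length, offset into a payload). All names and sizes are
 * this example's own assumptions. */

#define NTLM_PAYLOAD 256                   /* assumed fixed payload size */

typedef struct { uint16_t len, max_len; uint32_t offset; } ntlm_secbuf;

typedef struct {                           /* what the application hands in */
    ntlm_secbuf user, domain;
    unsigned char payload[NTLM_PAYLOAD];
} ntlm_input;

typedef struct {                           /* the message being built */
    char ident[8];                         /* "NTLMSSP\0" */
    uint32_t msg_type, flags;
    ntlm_secbuf domain, user;
    unsigned char buffer[NTLM_PAYLOAD];    /* fixed size, usually on the stack */
    size_t buf_index;
} ntlm_request;

/* Pack two C strings into an ntlm_input; false if they do not fit. */
bool make_input(ntlm_input *in, const char *user, const char *domain)
{
    size_t ul = strlen(user), dl = strlen(domain);
    if (ul > UINT16_MAX || dl > UINT16_MAX || ul + dl > sizeof in->payload)
        return false;
    memset(in, 0, sizeof *in);
    memcpy(in->payload, domain, dl);
    memcpy(in->payload + dl, user, ul);
    in->domain.len = in->domain.max_len = (uint16_t)dl;
    in->user.len = in->user.max_len = (uint16_t)ul;
    in->user.offset = (uint32_t)dl;        /* domain.offset stays 0 */
    return true;
}

/* Appends len bytes from src and fills in the descriptor. It does no bounds
 * checking itself: the caller must guarantee src and the buffer are big enough. */
static void append_field(ntlm_request *req, ntlm_secbuf *hdr,
                         const unsigned char *src, size_t len)
{
    memcpy(req->buffer + req->buf_index, src, len);
    hdr->len = hdr->max_len = (uint16_t)len;
    hdr->offset = (uint32_t)(offsetof(ntlm_request, buffer) + req->buf_index);
    req->buf_index += len;
}

static void init_header(ntlm_request *req)
{
    memset(req, 0, sizeof *req);
    memcpy(req->ident, "NTLMSSP", 8);      /* the literal carries the NUL */
    req->msg_type = 1;
    req->flags = 0x0000b207;               /* typical negotiate flags (assumed) */
}

/* VULNERABLE pattern: trusts the descriptors in the input. A crafted
 * in->user.len of 0xFFFF makes memcpy read about 64 KiB past payload[] (the
 * stack over-read) and write past req->buffer. Never call with untrusted data. */
void build_auth_request_unchecked(ntlm_request *req, const ntlm_input *in)
{
    init_header(req);
    append_field(req, &req->domain, in->payload + in->domain.offset, in->domain.len);
    append_field(req, &req->user, in->payload + in->user.offset, in->user.len);
}

/* True if the descriptor stays inside a payload of payload_size bytes. */
static bool secbuf_in_bounds(const ntlm_secbuf *sb, size_t payload_size)
{
    return sb->offset <= payload_size && sb->len <= payload_size - sb->offset;
}

/* HARDENED: source descriptors are checked against the input payload and
 * their sum against the output buffer before any memory is touched. */
bool build_auth_request(ntlm_request *req, const ntlm_input *in)
{
    if (!secbuf_in_bounds(&in->domain, sizeof in->payload) ||
        !secbuf_in_bounds(&in->user, sizeof in->payload) ||
        (size_t)in->domain.len + in->user.len > sizeof req->buffer)
        return false;
    init_header(req);
    append_field(req, &req->domain, in->payload + in->domain.offset, in->domain.len);
    append_field(req, &req->user, in->payload + in->user.offset, in->user.len);
    return true;
}

int main(void)
{
    ntlm_input in;
    ntlm_request req;
    if (!make_input(&in, "alice", "CORP") || !build_auth_request(&req, &in))
        return 1;
    printf("user field at offset %u, %zu payload bytes\n", req.user.offset, req.buf_index);
    in.user.len = 0xFFFF;                  /* the crafted descriptor */
    printf("crafted input rejected: %s\n", build_auth_request(&req, &in) ? "no" : "yes");
    return 0;
}
```

An application that cannot upgrade gets the same protection by applying a check like secbuf_in_bounds(), or simply a strlen() cap on user and domain, before it calls the library; the unchecked variant is kept only to show where the over-read happens and must never be run with untrusted input.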

🔍 How to Verify

Check if Vulnerable:

Report the installed library version and confirm whether it is 1.5 or earlier. Libntlm installs a pkg-config file, so `pkg-config --modversion libntlm` works wherever the development package is present; otherwise ask the package manager (`dpkg -l libntlm0` on Debian/Ubuntu, `rpm -q libntlm` on Fedora/RHEL-derived systems).

Check Version:

pkg-config --modversion libntlm 2>/dev/null || dpkg-query -W -f='${Version}\n' libntlm0 2>/dev/null || rpm -q --qf '%{VERSION}-%{RELEASE}\n' libntlm

Verify Fix Applied:

The reported version should be 1.6 or later. If a distribution package still reports 1.5, check its changelog for a backported fix (`zcat /usr/share/doc/libntlm0/changelog.Debian.gz | grep CVE-2019-17455` on Debian/Ubuntu, `rpm -q --changelog libntlm | grep CVE-2019-17455` on RPM systems). Then confirm the fix is actually in use: `ldd "$(command -v <program>)" | grep libntlm` shows which binaries link the shared library, and a search of /proc/<pid>/maps shows whether a still-running process maps the old file and needs a restart.

📡 Detection & Monitoring

Log Indicators:

  • Crashes (SIGSEGV, SIGABRT) of programs that link Libntlm while they are authenticating, visible in journald, coredumpctl or the application's own log
  • Authentication attempts carrying unusually long or non-printable user or domain values, in the log of any service that relays credentials upstream
  • Repeated NTLM authentication failures from a single source against such a service

Network Indicators:

  • Oversized or truncated NTLM negotiate (type 1) messages leaving a client, a sign that the message buffer was corrupted
  • NTLM traffic to or from hosts that are not expected to use it
  • Connections to a credential-relaying service from unexpected sources

SIEM Query (keyword sketch; adapt the source and field names to your platform):

source="application.logs" AND ("NTLM" OR "authentication") AND ("crash" OR "segmentation fault" OR "buffer")

🔗 References

  • https://gitlab.com/jas/libntlm/issues/2 (upstream issue)
  • https://nvd.nist.gov/vuln/detail/CVE-2019-17455 (NVD entry)
