CVE-2019-5481
📋 TL;DR
CVE-2019-5481 is a double-free vulnerability in cURL's FTP-kerberos code that allows remote attackers to execute arbitrary code or cause denial of service. It affects cURL versions 7.52.0 through 7.65.3 when using FTP with Kerberos authentication. Systems using vulnerable cURL libraries or applications that link to them are at risk.
💻 Affected Systems
- cURL
- libcurl
- applications using libcurl
📦 What is this software?
Communications Operations Monitor by Oracle
Communications Session Border Controller by Oracle
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
Fedora by Fedoraproject
Leap by Opensuse
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.
Likely Case
Application crash causing denial of service, potentially leading to service disruption.
If Mitigated
Limited impact with proper network segmentation and minimal exposure of vulnerable systems.
🎯 Exploit Status
Exploitation requires triggering the double-free condition through crafted FTP responses during Kerberos authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: cURL 7.66.0
Vendor Advisory: https://curl.haxx.se/docs/CVE-2019-5481.html
Restart Required: Yes
Instructions:
1. Update cURL to version 7.66.0 or later.
2. For Linux distributions, use the package manager: 'sudo apt update && sudo apt upgrade curl' (Debian/Ubuntu) or 'sudo yum update curl' (RHEL/CentOS).
3. Recompile applications that statically link libcurl.
4. Restart affected services.
🔧 Temporary Workarounds
Disable FTP Kerberos
Disable Kerberos authentication for FTP operations in cURL configurations. curl has no '--disable ftp-kerberos' option; the vulnerable code is only reached when Kerberos FTP is requested, so remove '--krb' from curl command lines and any 'krb' directive from '~/.curlrc', and make sure libcurl applications do not set CURLOPT_KRBLEVEL. To find lingering directives:
grep -n 'krb' ~/.curlrc
Network Restriction
Block FTP connections to untrusted servers at the firewall level.
🧯 If You Can't Patch
- Disable FTP protocol usage entirely in affected applications
- Implement strict network segmentation to isolate systems using vulnerable cURL versions
🔍 How to Verify
Check if Vulnerable:
Check the cURL version with 'curl --version'. If the version is between 7.52.0 and 7.65.3 inclusive, the system is vulnerable when FTP with Kerberos is used. Compare the 'libcurl/' version on the first line as well as the tool version, since the flaw is in the library and the two can differ.
Check Version:
curl --version | head -1
Verify Fix Applied:
Verify that the cURL version is 7.66.0 or later: 'curl --version | head -1'. Then test that FTP with Kerberos remains operational.
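The version check above, and the curlrc part of the "Disable FTP Kerberos" workaround, as an added example that is not part of the advisory or of the curl project: a POSIX sh script that parses `curl --version` output (taking the `libcurl/` token on the first line, since the bug is in libcurl), tests it against the 7.52.0 through 7.65.3 range, reports whether the build lists Kerberos/GSS-API among its features at all, and scans a curlrc file for a `krb` directive. The sample banners and curlrc contents are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): classify `curl --version` output against
# the CVE-2019-5481 affected range, 7.52.0 through 7.65.3 inclusive.
# The banners below are constructed sample output, not captured from real hosts.

# version_in_range VERSION -> exit 0 when 7.52.0 <= VERSION <= 7.65.3
version_in_range() {
    v=$1
    case "$v" in
        [0-9]*.[0-9]*) ;;               # need at least major.minor
        *) return 1 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "7.65" carries no patch component
    patch=${patch%%[!0-9]*}             # drop suffixes such as "-DEV"
    [ -n "$patch" ] || patch=0
    # pack into one integer: major*1000000 + minor*1000 + patch
    n=$((major * 1000000 + minor * 1000 + patch))
    [ "$n" -ge 7052000 ] && [ "$n" -le 7065003 ]
}

# libcurl_version BANNER -> prints the X.Y.Z after "libcurl/" on the first line, or nothing
libcurl_version() {
    printf '%s\n' "$1" | sed -n '1s/.*libcurl\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# has_kerberos BANNER -> exit 0 when the Features: line lists Kerberos or GSS-API
has_kerberos() {
    printf '%s\n' "$1" | grep -E '^Features:.*(Kerberos|GSS-API)' >/dev/null
}

# assess_banner BANNER -> prints one of:
#   unknown                    (no libcurl/ version found)
#   not-affected               (outside 7.52.0 .. 7.65.3)
#   affected-kerberos-enabled  (in range and built with Kerberos/GSS-API: patch now)
#   affected-kerberos-absent   (in range, but the build cannot reach the Kerberos FTP code; patch anyway)
assess_banner() {
    ver=$(libcurl_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif ! version_in_range "$ver"; then
        echo not-affected
    elif has_kerberos "$1"; then
        echo affected-kerberos-enabled
    else
        echo affected-kerberos-absent
    fi
}

# assess_installed -> the same classification for the curl binary on PATH
assess_installed() {
    assess_banner "$(curl --version 2>/dev/null)"
}

# curlrc_requests_krb FILE -> exit 0 when the curlrc enables Kerberos FTP through a "krb" directive
# (curlrc accepts "krb = level", "krb level" and "--krb level")
curlrc_requests_krb() {
    grep -E '^[[:space:]]*-{0,2}krb([[:space:]=:]|$)' "$1" >/dev/null 2>&1
}

# Constructed sample banners; the layout mirrors `curl --version`, the values are made up.
SAMPLE_AFFECTED_KRB='curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1 zlib/1.2.11
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile NTLM SPNEGO SSL'
SAMPLE_AFFECTED_NOKRB='curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2
Protocols: dict file ftp ftps http https
Features: AsynchDNS IDN IPv6 Largefile NTLM SSL'
SAMPLE_FIXED='curl 7.66.0 (x86_64-pc-linux-gnu) libcurl/7.66.0 OpenSSL/1.1.1
Protocols: dict file ftp ftps http https
Features: AsynchDNS GSS-API IDN IPv6 Kerberos Largefile SPNEGO SSL'
SAMPLE_OLD='curl 7.51.0 (x86_64-pc-linux-gnu) libcurl/7.51.0 OpenSSL/1.0.2
Features: GSS-API Kerberos SSL'

for b in "$SAMPLE_AFFECTED_KRB" "$SAMPLE_AFFECTED_NOKRB" "$SAMPLE_FIXED" "$SAMPLE_OLD"; do
    printf '%s -> %s\n' "$(libcurl_version "$b")" "$(assess_banner "$b")"
done
```

Run it as-is to see the four sample classifications, or call `assess_installed` on a host to classify the curl actually on PATH. The "affected-kerberos-absent" result is deliberately still an "affected" verdict: the package is in the vulnerable range and should be updated, even though a build without GSS-API cannot reach the FTP Kerberos code.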
📡 Detection & Monitoring
Log Indicators:
- Multiple free() calls on the same memory address in cURL logs
- Application crashes during FTP Kerberos authentication
- Unexpected memory allocation patterns
Network Indicators:
- FTP connections to unexpected servers
- Unusual FTP authentication attempts with Kerberos
SIEM Query:
source="*curl*" AND ("double free" OR ("FTP" AND "kerberos"))
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html
- https://curl.haxx.se/docs/CVE-2019-5481.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CI4QQ2RSZX4VCFM76SIWGKY6BY7UWIC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/
- https://seclists.org/bugtraq/2020/Feb/36
- https://security.gentoo.org/glsa/202003-29
- https://security.netapp.com/advisory/ntap-20191004-0003/
- https://www.debian.org/security/2020/dsa-4633
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html