Headline
CVE-2021-44758: NULL dereference DoS in SPNEGO acceptors
Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept.
Package
heimdal
Affected versions
<7.7.1
Patched versions
7.7.1, 7.8
Description
Impact
This is a denial of service vulnerability affecting server applications that use SPNEGO.
Patches
Users should upgrade to Heimdal 7.7.1 or Heimdal 7.8.
Workarounds
Disable SPNEGO in the application.
For more information
If you have any questions or comments about this advisory:
- Open an issue in [example link to repo](https://github.com/heimdal/heimdal/issues)
- Email us at [email protected]
Severity
Low
0.0
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVE ID
CVE-2021-44758
Weaknesses
No CWEs
Related news
Gentoo Linux Security Advisory 202310-6 - Multiple vulnerabilities have been discovered in Heimdal, the worst of which could lead to remote code execution on a KDC. Versions greater than or equal to 7.8.0-r1 are affected.
Ubuntu Security Notice 5800-1 - It was discovered that Heimdal incorrectly handled certain SPNEGO tokens. A remote attacker could possibly use this issue to cause a denial of service. Evgeny Legerov discovered that Heimdal incorrectly handled memory when performing certain DES decryption operations. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
Debian Linux Security Advisory 5287-1 - Several vulnerabilities were discovered in Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos.