Red Hat Security Advisory 2023-3097-01

Red Hat Security Advisory 2023-3097-01 - gssntlmssp is a GSSAPI NTLM mechanism that allows NTLM authentication to be performed in GSSAPI programs. Issues addressed include memory leak and out-of-bounds read vulnerabilities.

Packet Storm

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: gssntlmssp security update
Advisory ID: RHSA-2023:3097-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3097
Issue date: 2023-05-16
CVE Names: CVE-2023-25563 CVE-2023-25564 CVE-2023-25565
CVE-2023-25566 CVE-2023-25567
====================================================================

1. Summary:

An update for gssntlmssp is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

gssntlmssp is a GSSAPI NTLM mechanism that allows NTLM authentication to be
performed in GSSAPI programs.

Security Fix(es):

  • gssntlmssp: multiple out-of-bounds read when decoding NTLM fields
    (CVE-2023-25563)

  • gssntlmssp: memory corruption when decoding UTF16 strings
    (CVE-2023-25564)

  • gssntlmssp: incorrect free when decoding target information
    (CVE-2023-25565)

  • gssntlmssp: memory leak when parsing usernames (CVE-2023-25566)

  • gssntlmssp: out-of-bounds read when decoding target information
    (CVE-2023-25567)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2172019 - CVE-2023-25563 gssntlmssp: multiple out-of-bounds read when decoding NTLM fields
2172020 - CVE-2023-25564 gssntlmssp: memory corruption when decoding UTF16 strings
2172021 - CVE-2023-25565 gssntlmssp: incorrect free when decoding target information
2172022 - CVE-2023-25566 gssntlmssp: memory leak when parsing usernames
2172023 - CVE-2023-25567 gssntlmssp: out-of-bounds read when decoding target information

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
gssntlmssp-1.2.0-1.el8_8.src.rpm

aarch64:
gssntlmssp-1.2.0-1.el8_8.aarch64.rpm
gssntlmssp-debuginfo-1.2.0-1.el8_8.aarch64.rpm
gssntlmssp-debugsource-1.2.0-1.el8_8.aarch64.rpm

ppc64le:
gssntlmssp-1.2.0-1.el8_8.ppc64le.rpm
gssntlmssp-debuginfo-1.2.0-1.el8_8.ppc64le.rpm
gssntlmssp-debugsource-1.2.0-1.el8_8.ppc64le.rpm

s390x:
gssntlmssp-1.2.0-1.el8_8.s390x.rpm
gssntlmssp-debuginfo-1.2.0-1.el8_8.s390x.rpm
gssntlmssp-debugsource-1.2.0-1.el8_8.s390x.rpm

x86_64:
gssntlmssp-1.2.0-1.el8_8.x86_64.rpm
gssntlmssp-debuginfo-1.2.0-1.el8_8.x86_64.rpm
gssntlmssp-debugsource-1.2.0-1.el8_8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25563
https://access.redhat.com/security/cve/CVE-2023-25564
https://access.redhat.com/security/cve/CVE-2023-25565
https://access.redhat.com/security/cve/CVE-2023-25566
https://access.redhat.com/security/cve/CVE-2023-25567
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

RHSA-2023:3097: Red Hat Security Advisory: gssntlmssp security update

An update for gssntlmssp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25563: A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication. Multiple out-of-bounds reads occur when decoding NTLM fields and can trigger a denial of service. A 32-bit integer overflow condition can lead to incorrect checks of the consistency of the length of internal buffers. Although most app...

CVE-2023-25565: Release Patched several CVEs reported by GitHub Security Lab · gssapi/gss-ntlmssp

GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, an incorrect free when decoding target information can trigger a denial of service. The error condition incorrectly assumes the `cb` and `sh` buffers contain a copy of the data that needs to be freed. However, that is not the case. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point. This will likely trigger an assertion failure in `free`, causing a denial-of-service. This issue is fixed in version 1.2.0.

CVE-2023-25564: GHSL-2023-013: Memory corruption decoding UTF16 · gssapi/gss-ntlmssp@c753000

GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, memory corruption can be triggered when decoding UTF16 strings. The variable `outlen` was not initialized and could cause writing a zero to an arbitrary place in memory if `ntlm_str_convert()` were to fail, which would leave `outlen` uninitialized. This can lead to a denial of service if the write hits unmapped memory or randomly corrupts a byte in the application memory space. This vulnerability can trigger an out-of-bounds write, leading to memory corruption. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point. This issue is fixed in version 1.2.0.

CVE-2023-25566: Memory leak when parsing usernames

GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, a memory leak can be triggered when parsing usernames which can trigger a denial-of-service. The domain portion of a username may be overridden causing an allocated memory area the size of the domain name to be leaked. An attacker can leak memory via the main `gss_accept_sec_context` entry point, potentially causing a denial-of-service. This issue is fixed in version 1.2.0.

CVE-2023-25563: Out-of-bounds read in multiple decode functions · gssapi/gss-ntlmssp@97c62c6

GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, multiple out-of-bounds reads when decoding NTLM fields can trigger a denial of service. A 32-bit integer overflow condition can lead to incorrect checks of the consistency of the length of internal buffers. Although most applications will error out before accepting a single input buffer of 4GB in length, this could theoretically happen. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point if the application allows tokens greater than 4GB in length. This can lead to a large, up to 65KB, out-of-bounds read which could cause a denial-of-service if it reads from unmapped memory. Version 1.2.0 contains a patch for the out-of-bounds reads.

CVE-2023-25567: Out-of-bounds read when decoding target information

GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication, has an out-of-bounds read when decoding target information prior to version 1.2.0. The length of the `av_pair` is not checked properly for two of the elements which can trigger an out-of-bound read. The out-of-bounds read can be triggered via the main `gss_accept_sec_context` entry point and could cause a denial-of-service if the memory is unmapped. The issue is fixed in version 1.2.0.
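The two bounds-checking problems described for CVE-2023-25563 (32-bit overflow in the length consistency check) and CVE-2023-25567 (unchecked `av_pair` length) are shown below as an added example that is not gss-ntlmssp's own code: the unsafe routine models the class of check the advisory describes, and the two hardened routines show the overflow-safe form a decoder should use. Function names and the sample byte strings are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not gss-ntlmssp's code. An NTLM field descriptor
 * (MS-NLMP) is Len(16) | MaxLen(16) | BufferOffset(32); the offset is
 * relative to the start of the token. */
struct ntlm_field { uint16_t len; uint16_t maxlen; uint32_t offset; };

/* Check of the shape the advisory warns about: offset + len is added in
 * 32 bits, so a descriptor near the 4GB boundary wraps to a small value,
 * passes the check, and a later copy reads up to 64KB past the token. */
static bool field_in_bounds_unsafe(const struct ntlm_field *f, uint32_t toklen)
{
    uint32_t end = f->offset + f->len;   /* can wrap around */
    return end <= toklen;
}

/* Hardened check: reject a start outside the token, then widen the sum
 * to 64 bits so it cannot wrap. */
static bool field_in_bounds_safe(const struct ntlm_field *f, uint32_t toklen)
{
    if (f->offset > toklen) return false;
    return (uint64_t)f->offset + f->len <= toklen;
}

/* AV_PAIR list (AvId(16) | AvLen(16) | Value ...) terminated by MsvAvEOL
 * (id 0, len 0). Every header and every value is checked against the
 * bytes that remain before it is consumed; the advisory says this check
 * was missing for two element types. Returns the pair count, or -1 if
 * any header or value would run past the end of the buffer. */
static int count_av_pairs_safe(const uint8_t *buf, size_t buflen)
{
    size_t pos = 0;
    int n = 0;
    for (;;) {
        if (buflen - pos < 4) return -1;              /* header truncated */
        uint16_t id  = (uint16_t)(buf[pos] | (buf[pos + 1] << 8));
        uint16_t len = (uint16_t)(buf[pos + 2] | (buf[pos + 3] << 8));
        pos += 4;
        if (id == 0) return len == 0 ? n : -1;       /* MsvAvEOL */
        if (len > buflen - pos) return -1;            /* value overruns */
        pos += len;
        n++;
    }
}
```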
