Headline
RHSA-2023:3097: Red Hat Security Advisory: gssntlmssp security update
An update for gssntlmssp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-25563: A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication. Multiple out-of-bounds reads occur when decoding NTLM fields and can trigger a denial of service. A 32-bit integer overflow condition can lead to incorrect checks of the consistency of the length of internal buffers. Although most applications will error out before accepting a single input buffer of 4GB in length, this issue can happen. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point if the application allows tokens greater than 4GB in length, leading to a large, up to 65KB, out-of-bounds read, which could cause a denial of service if it reads from unmapped memory.
- CVE-2023-25564: A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication. Memory corruption can be triggered when decoding UTF16 strings. The variable `outlen` was not initialized and could cause writing a zero to an arbitrary place in memory if `ntlm_str_convert()` fails, which would leave `outlen` uninitialized. This issue can lead to a denial of service if the write hits unmapped memory or randomly corrupts a byte in the application memory space. This vulnerability can trigger an out-of-bounds write, leading to memory corruption, and can be triggered via the main `gss_accept_sec_context` entry point.
- CVE-2023-25565: A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication. An incorrect free when decoding target information can trigger a denial of service. The error condition incorrectly assumes the `cb` and `sh` buffers contain a copy of the data that needs to be freed. However, that is not the case. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point. This issue will likely trigger an assertion failure in `free`, causing a denial of service.
- CVE-2023-25566: A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication. A memory leak can be triggered when parsing usernames, triggering a denial of service. The domain portion of a username may be overridden, causing an allocated memory area the size of the domain name to be leaked. This flaw allows an attacker to leak memory via the main `gss_accept_sec_context` entry point, potentially causing a denial of service.
- CVE-2023-25567: A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication. It has an out-of-bounds read when decoding target information. The length of the `av_pair` is not checked properly for two of the elements, which can trigger an out-of-bounds read via the main `gss_accept_sec_context` entry point and could cause a denial of service if the memory is unmapped.
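The 32-bit length-check overflow described for CVE-2023-25563 is easiest to see in code. The block below is an added illustration of that bug class beside its hardened form; it is not gssntlmssp's own decoder, and the struct, the function names and the 16-byte token are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NTLM "security buffer" header: Len (u16), MaxLen (u16), Offset (u32) of the
 * payload within the token. Illustrative type, not gssntlmssp's definition. */
struct ntlm_field { uint16_t len; uint16_t maxlen; uint32_t offset; };
/* Decode the 8-byte little-endian header at `pos`; false if it does not fit. */
bool ntlm_field_decode(const uint8_t *tok, size_t tok_len, size_t pos,
                       struct ntlm_field *f)
{
    if (pos > tok_len || tok_len - pos < 8)
        return false;
    const uint8_t *p = tok + pos;
    f->len    = (uint16_t)(p[0] | (p[1] << 8));
    f->maxlen = (uint16_t)(p[2] | (p[3] << 8));
    f->offset = (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
                ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
    return true;
}

/* Unsafe pattern: offset + len is evaluated in 32-bit arithmetic and can wrap
 * to a small value, so a payload far outside the token is accepted. Since len
 * is 16-bit the over-read is bounded by 64 KiB, the "up to 65KB" of the advisory. */
bool field_fits_unsafe(const struct ntlm_field *f, uint32_t tok_len)
{
    return f->offset + f->len <= tok_len;
}

/* Hardened check: no sum that can overflow. Confirm the offset is inside the
 * token, then compare len against the space that remains after it. */
bool field_fits_safe(const struct ntlm_field *f, size_t tok_len)
{
    return f->offset <= tok_len && f->len <= tok_len - f->offset;
}

int main(void)
{
    /* Constructed token: header at 0 declares len 4 at offset 8 ("ABCD"). */
    const uint8_t tok[16] = { 0x04, 0x00, 0x04, 0x00, 0x08, 0x00, 0x00, 0x00,
                              'A', 'B', 'C', 'D', 0, 0, 0, 0 };
    struct ntlm_field f = { 0x20, 0x20, 0xFFFFFFF0u };   /* wrapping header */
    printf("wrapping field: unsafe=%d safe=%d\n",
           field_fits_unsafe(&f, sizeof tok), field_fits_safe(&f, sizeof tok));
    if (ntlm_field_decode(tok, sizeof tok, 0, &f))
        printf("decoded field: len=%u offset=%u safe=%d\n", (unsigned)f.len,
               (unsigned)f.offset, field_fits_safe(&f, sizeof tok));
    return 0;
}
```

The wrapping header shows the two checks disagreeing: the unsafe sum wraps to 0x10 and is accepted against a 16-byte token, while the hardened check rejects it.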
Issued: 2023-05-16
Updated: 2023-05-16
RHSA-2023:3097 - Security Advisory
Synopsis
Moderate: gssntlmssp security update
Type/Severity
Security Advisory: Moderate
Topic
An update for gssntlmssp is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
gssntlmssp is a GSSAPI NTLM mechanism that allows NTLM authentication to be performed in GSSAPI programs.
Security Fix(es):
- gssntlmssp: multiple out-of-bounds read when decoding NTLM fields (CVE-2023-25563)
- gssntlmssp: memory corruption when decoding UTF16 strings (CVE-2023-25564)
- gssntlmssp: incorrect free when decoding target information (CVE-2023-25565)
- gssntlmssp: memory leak when parsing usernames (CVE-2023-25566)
- gssntlmssp: out-of-bounds read when decoding target information (CVE-2023-25567)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 2172019 - CVE-2023-25563 gssntlmssp: multiple out-of-bounds read when decoding NTLM fields
- BZ - 2172020 - CVE-2023-25564 gssntlmssp: memory corruption when decoding UTF16 strings
- BZ - 2172021 - CVE-2023-25565 gssntlmssp: incorrect free when decoding target information
- BZ - 2172022 - CVE-2023-25566 gssntlmssp: memory leak when parsing usernames
- BZ - 2172023 - CVE-2023-25567 gssntlmssp: out-of-bounds read when decoding target information
CVEs
- CVE-2023-25563
- CVE-2023-25564
- CVE-2023-25565
- CVE-2023-25566
- CVE-2023-25567
Red Hat Enterprise Linux for x86_64 8
SRPM
gssntlmssp-1.2.0-1.el8_8.src.rpm
SHA-256: 533a86560850db622b181561cb6bfa5b125bd614c474e79941638c0cea5739da
x86_64
gssntlmssp-1.2.0-1.el8_8.x86_64.rpm
SHA-256: ffdde860e67150efce10fe878a91bd3ab9762d705e5214f74b26634a8cff14a4
gssntlmssp-debuginfo-1.2.0-1.el8_8.x86_64.rpm
SHA-256: cc926e0118e438abf941b13f9d3afc6d302936c0bd4546106fb7ecce080c3e5f
gssntlmssp-debugsource-1.2.0-1.el8_8.x86_64.rpm
SHA-256: 659e870a2fb9a68da3eaeb6443e95139b4be1b097fc876ac5bdca7b33f2a175d
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
gssntlmssp-1.2.0-1.el8_8.src.rpm
SHA-256: 533a86560850db622b181561cb6bfa5b125bd614c474e79941638c0cea5739da
s390x
gssntlmssp-1.2.0-1.el8_8.s390x.rpm
SHA-256: f582349b448db72c0488794757bd61e37edd1db3b941d321eebde0acd78ab03d
gssntlmssp-debuginfo-1.2.0-1.el8_8.s390x.rpm
SHA-256: 5707f25d42f510599c9134f6daffc9eada8e39f23ccf26ae1fc042437941632c
gssntlmssp-debugsource-1.2.0-1.el8_8.s390x.rpm
SHA-256: 3d788159cdbb45e5640925470ef5fcca0e7bf0eecaae259439891b24c46a4040
Red Hat Enterprise Linux for Power, little endian 8
SRPM
gssntlmssp-1.2.0-1.el8_8.src.rpm
SHA-256: 533a86560850db622b181561cb6bfa5b125bd614c474e79941638c0cea5739da
ppc64le
gssntlmssp-1.2.0-1.el8_8.ppc64le.rpm
SHA-256: a55af5ab7081abc16db52def9532ff6be1a18433e068dfb2159fd9d536bb839f
gssntlmssp-debuginfo-1.2.0-1.el8_8.ppc64le.rpm
SHA-256: 75347c231311daf659104615342a315afa8ec7119e203aa15a9d2acc41e9086e
gssntlmssp-debugsource-1.2.0-1.el8_8.ppc64le.rpm
SHA-256: aa539c11dbdc7727efd35935365d65289bf043408f8333a421d728d11665156a
Red Hat Enterprise Linux for ARM 64 8
SRPM
gssntlmssp-1.2.0-1.el8_8.src.rpm
SHA-256: 533a86560850db622b181561cb6bfa5b125bd614c474e79941638c0cea5739da
aarch64
gssntlmssp-1.2.0-1.el8_8.aarch64.rpm
SHA-256: 11c8e199149a71ec4cdc7800d49176ba269aafe34879082b595e9fac4a07a1aa
gssntlmssp-debuginfo-1.2.0-1.el8_8.aarch64.rpm
SHA-256: 97166a54e1176d1986f3b285b46c5af2b44ca82ef9ed91eed5e334e29aac4444
gssntlmssp-debugsource-1.2.0-1.el8_8.aarch64.rpm
SHA-256: ed72b4948fa0d39efd1913380749110fa93d5e2e5718351b5760c2e3b7c77522
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2023-3097-01 - gssntlmssp is a GSSAPI NTLM mechanism that allows NTLM authentication to be performed in GSSAPI programs. Issues addressed include memory leak and out-of-bounds read vulnerabilities.
GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, multiple out-of-bounds reads when decoding NTLM fields can trigger a denial of service. A 32-bit integer overflow condition can lead to incorrect checks of the consistency of the length of internal buffers. Although most applications will error out before accepting a single input buffer of 4GB in length, this could theoretically happen. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point if the application allows tokens greater than 4GB in length. This can lead to a large, up to 65KB, out-of-bounds read which could cause a denial-of-service if it reads from unmapped memory. Version 1.2.0 contains a patch for the out-of-bounds reads.
GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, an incorrect free when decoding target information can trigger a denial of service. The error condition incorrectly assumes the `cb` and `sh` buffers contain a copy of the data that needs to be freed. However, that is not the case. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point. This will likely trigger an assertion failure in `free`, causing a denial-of-service. This issue is fixed in version 1.2.0.
GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, memory corruption can be triggered when decoding UTF16 strings. The variable `outlen` was not initialized and could cause writing a zero to an arbitrary place in memory if `ntlm_str_convert()` were to fail, which would leave `outlen` uninitialized. This can lead to a denial of service if the write hits unmapped memory or randomly corrupts a byte in the application memory space. This vulnerability can trigger an out-of-bounds write, leading to memory corruption. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point. This issue is fixed in version 1.2.0.
GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, a memory leak can be triggered when parsing usernames which can trigger a denial-of-service. The domain portion of a username may be overridden causing an allocated memory area the size of the domain name to be leaked. An attacker can leak memory via the main `gss_accept_sec_context` entry point, potentially causing a denial-of-service. This issue is fixed in version 1.2.0.
GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication, has an out-of-bounds read when decoding target information prior to version 1.2.0. The length of the `av_pair` is not checked properly for two of the elements which can trigger an out-of-bound read. The out-of-bounds read can be triggered via the main `gss_accept_sec_context` entry point and could cause a denial-of-service if the memory is unmapped. The issue is fixed in version 1.2.0.