PT-2023-20164 · Unknown+3 · Gss-Ntlmssp+3

Philipturnbull · Published 2023-02-12 · Updated 2023-05-16 · CVE-2023-25566

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

GSS-NTLMSSP versions prior to 1.2.0

Description

GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. A memory leak can be triggered when parsing usernames, potentially causing a denial-of-service. The domain portion of a username may be overridden, causing an allocated memory area the size of the domain name to be leaked. An attacker can leak memory via the main gss_accept_sec_context entry point.

Recommendations

For versions prior to 1.2.0, update to version 1.2.0 to resolve the issue. As a temporary workaround, consider restricting the use of the gss_accept_sec_context entry point to minimize the risk of exploitation.

Exploit

Fix

DoS

Memory Leak

Weakness Enumeration

Related identifiers

ALSA-2023:3097
AZL-43471
AZL-44997
BDU:2025-12445
CESA-2023_3097
CVE-2023-25566
GHSA-MFM4-6G58-JW74
MGASA-2023-0108
OPENSUSE-SU-2023:0048-1
OPENSUSE-SU-2024:12701-1
RHSA-2023:3097
RHSA-2023_3097

Affected products

Almalinux
Centos
Gss-Ntlmssp
Red Hat