#VU65759 Out-of-bounds read in GNU SASL


Published: 2022-07-25

Vulnerability identifier: #VU65759

Vulnerability risk: Low

CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2469

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GNU SASL
Universal components / Libraries / Libraries used by multiple products

Vendor: GNU

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the "lib/gssapi/server.c". A remote authenticated GSS-API client can send specially crafted request to the GNU SASL server, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

GNU SASL: 0.0.0 - 2.0.0

External links
http://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2469.json
http://gitlab.com/gsasl/gsasl/-/commit/796e4197f696261c1f872d7576371232330bcc30

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 22.03 LTS SP2 update for libgsasl
openEuler 22.03 LTS SP1 update for libgsasl
openEuler 22.03 LTS update for libgsasl
openEuler 20.03 LTS SP4 update for libgsasl
openEuler 20.03 LTS SP1 update for libgsasl
openEuler 22.03 LTS SP3 update for libgsasl
Ubuntu update for gsasl
SUSE update for libgsasl
SUSE update for libgsasl
SUSE update for libgsasl