GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, an incorrect free when decoding target information can trigger a denial of service. The error condition incorrectly assumes the cb and sh buffers contain a copy of the data that needs to be freed. However, that is not the case. This vulnerability can be triggered via the main gss_accept_sec_context entry point. This will likely trigger an assertion failure in free, causing a denial-of-service. This issue is fixed in version 1.2.0.
The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gss-ntlmssp | Gss-ntlmssp_project | * | 1.2.0 (excluding) |
| Gss-ntlmssp | Ubuntu | bionic | * |
| Gss-ntlmssp | Ubuntu | kinetic | * |
| Gss-ntlmssp | Ubuntu | lunar | * |
| Gss-ntlmssp | Ubuntu | mantic | * |
| Gss-ntlmssp | Ubuntu | trusty | * |
| Gss-ntlmssp | Ubuntu | xenial | * |
| Red Hat Enterprise Linux 8 | RedHat | gssntlmssp-0:1.2.0-1.el8_8 | * |