CVE-2023-25567

7.5 HIGH

📋 TL;DR

CVE-2023-25567 is an out-of-bounds read vulnerability in GSS-NTLMSSP, a plugin for GSSAPI that handles NTLM authentication. Attackers can trigger this vulnerability through the gss_accept_sec_context function, potentially causing denial-of-service by reading unmapped memory. Systems using GSS-NTLMSSP versions before 1.2.0 for NTLM authentication are affected.

💻 Affected Systems

Products:
  • GSS-NTLMSSP
Versions: All versions before 1.2.0
Operating Systems: Linux, Unix-like systems using GSSAPI with NTLM
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using GSS-NTLMSSP for NTLM authentication via GSSAPI.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution if combined with other vulnerabilities, or complete service disruption via denial-of-service.

🟠 Likely Case

Denial-of-service causing authentication failures and service disruption.

🟢 If Mitigated

Minimal impact with proper memory protections and monitoring.

🌐 Internet-Facing: MEDIUM - Requires NTLM authentication exposure and specific conditions.
🏢 Internal Only: LOW - Typically requires internal network access and authentication attempts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires triggering NTLM authentication via gss_accept_sec_context.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.0

Vendor Advisory: https://github.com/gssapi/gss-ntlmssp/security/advisories/GHSA-24pf-6prf-24ch

Restart Required: Yes

Instructions:

1. Download gss-ntlmssp 1.2.0 from GitHub releases.
2. Stop services using GSS-NTLMSSP.
3. Install the new version using your package manager or from source.
4. Restart affected services.

🔧 Temporary Workarounds

Disable NTLM authentication (applies to: all)

Disable NTLM authentication in applications using GSSAPI if not required. Configure applications to use alternative authentication methods like Kerberos.

Network segmentation (applies to: all)

Restrict access to services using GSS-NTLMSSP to trusted networks only. Use firewall rules to limit access to affected services.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Monitor for authentication failures and unusual memory access patterns

🔍 How to Verify

Check if Vulnerable:

Check whether gss-ntlmssp is installed and whether its version is below 1.2.0.

Check Version:

Run gss-ntlmssp --version, or query the package manager (rpm -q gss-ntlmssp or dpkg -l gss-ntlmssp).

Verify Fix Applied:

Verify that the installed gss-ntlmssp version is 1.2.0 or higher.
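To automate the version check above, the following POSIX shell script (an added example, not part of this advisory or of the gss-ntlmssp project) asks rpm or dpkg for the installed package version, strips epoch and release suffixes, and compares the upstream version against 1.2.0 with sort -V. It assumes the package is named gss-ntlmssp and that GNU sort (which supports -V) is available.

```shell
#!/bin/sh
# Added example: report whether the installed gss-ntlmssp package
# predates the fixed release 1.2.0 named in the advisory.
FIXED_VERSION="1.2.0"

# Reduce a packaging version string to its upstream part: drop an epoch
# prefix ("1:") and a release or suffix ("-3.el8", "+dfsg-1"). A "~"
# pre-release marker is kept, since sort -V already orders
# "1.2.0~rc1" before "1.2.0".
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+].*$//'
}

# Print "vulnerable" when the version sorts before 1.2.0, else "fixed".
# sort -V compares components numerically, so 1.10.0 ranks above 1.2.0.
classify_version() {
    v=$(upstream_version "$1")
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$v" = "$FIXED_VERSION" ] || [ "$lowest" = "$FIXED_VERSION" ]; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Ask whichever package manager is present for the installed version
# (assumed package name: gss-ntlmssp). Returns non-zero if not installed.
installed_version() {
    if command -v rpm >/dev/null 2>&1 &&
       v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' gss-ntlmssp 2>/dev/null); then
        printf '%s\n' "$v"; return 0
    fi
    if command -v dpkg-query >/dev/null 2>&1 &&
       v=$(dpkg-query -W -f '${Version}\n' gss-ntlmssp 2>/dev/null); then
        printf '%s\n' "$v"; return 0
    fi
    return 1
}

# Human-readable summary for the host this runs on.
report() {
    if v=$(installed_version); then
        printf 'gss-ntlmssp %s is %s (fixed in %s)\n' \
            "$v" "$(classify_version "$v")" "$FIXED_VERSION"
    else
        echo "gss-ntlmssp is not installed: not affected"
    fi
}
report
```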

📡 Detection & Monitoring

Log Indicators:

  • Authentication failures
  • Unexpected service crashes
  • Memory access violation logs

Network Indicators:

  • Multiple NTLM authentication attempts
  • Unusual traffic to authentication services

SIEM Query:

source="*auth.log*" AND ("gss_accept_sec_context" OR ("NTLM" AND "failure"))
