SB2025062352 - Ubuntu update for gss-ntlmssp

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2023-25563)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when decoding NTLM fields. A remote attacker can send specially crafted NTLM request to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.

2) Out-of-bounds read (CVE-ID: CVE-2023-25567)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when decoding target information. A remote attacker can send specially crafted NTLM request to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.

3) Out-of-bounds write (CVE-ID: CVE-2023-25564)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary in the ntlm_str_convert() function error when decoding UTF16 strings. A remote attacker can send specially crafted NTLM request to the application, trigger an out-of-bounds write error and perform a denial of service (DoS) attack.

4) Release of invalid pointer or reference (CVE-ID: CVE-2023-25565)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when decoding target information. A remote attacker can send specially crafted NTLM request to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-7588-1