CVE-2017-17439 — heimdal - security update

Description

In Heimdal through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm. The parser would unconditionally dereference NULL pointers in that case, leading to a segmentation fault. This is related to the _kdc_as_rep function in kdc/kerberos5.c and the der_length_visible_string function in lib/asn1/der_length.c.

How to fix CVE-2017-17439

To remediate CVE-2017-17439, upgrade the affected package to a fixed version below.

—upgrade to 7.4.0-r2 or later
—upgrade to 7.5.0+dfsg-1 or later
—upgrade to 7.1.0+dfsg-13+deb9u2 or later

Is CVE-2017-17439 being exploited?

Low — EPSS is 3.8%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 7.4.0-r2
from 0, < 7.5.0+dfsg-1
from 0, < 7.1.0+dfsg-13+deb9u2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2017-17439
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-17439