製品・ソフトウェアに関する情報

JVN脆弱性詳細

Heimdal における NULL ポインタデリファレンスに関する脆弱性

Title	Heimdal における NULL ポインタデリファレンスに関する脆弱性
Summary	Heimdal には、NULL ポインタデリファレンスに関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 8, 2017, midnight
Registration Date	Jan. 11, 2018, 4:57 p.m.
Last Update	Jan. 11, 2018, 4:57 p.m.

Affected System

Debian

Debian GNU/Linux 9.0

Heimdal

Heimdal 7.4 まで

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-17439	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17439
National Vulnerability Database (NVD)
2	CVE-2017-17439	https://nvd.nist.gov/vuln/detail/CVE-2017-17439

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-476	http://cwe.mitre.org/data/definitions/476.html

ベンダー情報

No	Name	URL
Debian Bug report logs
1	878144	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878144
Debian Security Advisory
2	DSA-4055	https://www.debian.org/security/2017/dsa-4055
GitHub
3	Remote unauthenticated DoS in Heimdal-KDC 7.1 #353	https://github.com/heimdal/heimdal/issues/353
4	Security: Avoid NULL structure pointer member dereference	https://github.com/heimdal/heimdal/commit/1a6a6e462dc2ac6111f9e02c6852ddec4849b887
Heimdal
5	[Heimdal-announce] Heimdal 7.5 security release announcement.	http://www.h5l.org/pipermail/heimdal-announce/2017-December/000008.html
Heimdal security advisories
6	Fix remote DoS via unauthenticated UDP packet	http://h5l.org/advisories.html?show=2017-12-08

Change Log

No	Changed Details	Date of change
0	[2018年01月11日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-17439

Summary	In Heimdal through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm. The parser would unconditionally dereference NULL pointers in that case, leading to a segmentation fault. This is related to the _kdc_as_rep function in kdc/kerberos5.c and the der_length_visible_string function in lib/asn1/der_length.c.
Publication Date	Dec. 7, 2017, 12:29 a.m.
Registration Date	Jan. 26, 2021, 1:19 p.m.
Last Update	Nov. 21, 2024, 12:17 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:heimdal_project:heimdal::::::::			7.4.0

Related information, measures and tools

No	URL	タグ
1	http://h5l.org/advisories.html?show=2017-12-08
2	http://h5l.org/advisories.html?show=2017-12-08
3	http://www.h5l.org/pipermail/heimdal-announce/2017-December/000008.html
4	http://www.h5l.org/pipermail/heimdal-announce/2017-December/000008.html
5	http://www.h5l.org/pipermail/heimdal-discuss/2017-August/000259.html	Third Party Advisory
6	http://www.h5l.org/pipermail/heimdal-discuss/2017-August/000259.html	Third Party Advisory
7	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878144	Issue Tracking Mailing List Third Party Advisory
8	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878144	Issue Tracking Mailing List Third Party Advisory
9	https://github.com/heimdal/heimdal/commit/1a6a6e462dc2ac6111f9e02c6852ddec4849b887	Third Party Advisory
10	https://github.com/heimdal/heimdal/commit/1a6a6e462dc2ac6111f9e02c6852ddec4849b887	Third Party Advisory
11	https://github.com/heimdal/heimdal/issues/353	Patch Third Party Advisory
12	https://github.com/heimdal/heimdal/issues/353	Patch Third Party Advisory
13	https://www.debian.org/security/2017/dsa-4055	Third Party Advisory
14	https://www.debian.org/security/2017/dsa-4055	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-476	NULL ポインタデリファレンス	https://cwe.mitre.org/data/definitions/476.html