CVE-2021-36222 : ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Ke

ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.

Published 2021-07-22 18:15:23

Updated 2021-11-28 23:19:44

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Products affected by CVE-2021-36222

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
MIT » Kerberos 5
Versions before (<) 1.18.4
cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*
Matching versions
MIT » Kerberos 5
Versions from including (>=) 1.19.0 and before (<) 1.19.2
cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql Server
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.0.26
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Workflow Automation » Version: N/A
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Insight » Version: N/A
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snapcenter » Version: N/A
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Windows
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-36222

EPSS FAQ

5.78%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 90 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-36222

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2021-36222

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-36222

https://github.com/krb5/krb5/releases

Releases · krb5/krb5 · GitHub
Release Notes;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20211104-0007/

CVE-2021-36222 MIT Kerberos 5 Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562

Fix KDC null deref on bad encrypted challenge · krb5/krb5@fc98f52 · GitHub
Patch;Third Party Advisory
https://www.debian.org/security/2021/dsa-4944

Debian -- Security Information -- DSA-4944-1 krb5
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Patch;Third Party Advisory

CVEs referencing this url
https://web.mit.edu/kerberos/advisories/

Kerberos Security Advisories
Not Applicable

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20211022-0003/

October 2021 MySQL Server Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-36222

Products affected by CVE-2021-36222

Exploit prediction scoring system (EPSS) score for CVE-2021-36222

CVSS scores for CVE-2021-36222

CWE ids for CVE-2021-36222

References for CVE-2021-36222