GNU SASL DIGEST-MD5 NULL Pointer Dereference Vulnerability

Vulnerability

A NULL pointer dereference vulnerability has been identified in the DIGEST-MD5 implementation of GNU SASL, affecting versions prior to 2.2.3. This vulnerability arises from missing input validation in the DIGEST-MD5 parser, specifically in the 'lib/digest-md5/getsubopt.c' file. When a known token is received without an accompanying '=' character, the parser sets the value to NULL. This NULL value is then used by the parser's response handling functions, leading to a segmentation fault and process crash. The issue can be exploited by sending a malformed SASL response during the AUTHENTICATE exchange, causing applications that use GNU SASL for DIGEST-MD5 authentication to crash.
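The parsing pattern described above, as an added C example that is not GNU SASL's code: a simplified getsubopt-style splitter leaves the value NULL when a known token has no '=', and the caller rejects that case before the value is used. The token table, function names and sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative directive table; identifiers are hypothetical. */
enum { TOK_USERNAME, TOK_REALM, TOK_NONCE, TOK_COUNT };
static const char *const tokens[TOK_COUNT] = { "username", "realm", "nonce" };

/* getsubopt-style step: cut the next "key[=value]" off *opt and return the
 * token index, or -1 if unknown. *value is NULL when there is no '='. */
static int next_subopt(char **opt, char **value)
{
    char *s = *opt;
    char *end = s + strcspn(s, ",");
    if (*end != '\0') *end++ = '\0';
    *opt = end;
    char *eq = strchr(s, '=');
    *value = eq ? eq + 1 : NULL;
    if (eq) *eq = '\0';
    for (int i = 0; i < TOK_COUNT; i++)
        if (strcmp(s, tokens[i]) == 0)
            return i;
    return -1;
}

/* Caller with the validation in place. Returns 0 on success, -1 on
 * malformed input. Simplification: no quoted values containing commas. */
int parse_response(const char *input, char out[TOK_COUNT][64])
{
    char buf[256], *p = buf, *value;
    if (strlen(input) >= sizeof buf) return -1;
    strcpy(buf, input);
    memset(out, 0, TOK_COUNT * sizeof out[0]);
    while (*p != '\0') {
        int tok = next_subopt(&p, &value);
        if (tok < 0)
            continue;              /* unknown directive: skip */
        if (value == NULL)
            return -1;             /* known token without '=': reject */
        if (strlen(value) >= sizeof out[tok])
            return -1;
        strcpy(out[tok], value);
    }
    return 0;
}

int main(void)
{
    char out[TOK_COUNT][64];       /* constructed sample inputs below */
    printf("%d\n", parse_response("username=alice,realm=example.org", out));
    printf("%d\n", parse_response("username=alice,realm,nonce=abc", out));
    return 0;
}
```

Without the `value == NULL` check, the `strlen(value)` call that follows would dereference NULL on the second input.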

Impact

Exploitation of this vulnerability causes a segmentation fault, crashing the application that uses GNU SASL for DIGEST-MD5 authentication. This has been observed in real-world scenarios, such as with the GNU Mailutils IMAP server, where the process crashes during an authenticated exchange.

Reproduction

The vulnerability can be reproduced by compiling a C program that uses the GNU SASL library. The program should initiate a DIGEST-MD5 authentication exchange, then send a malformed response that includes a known token without an '=' character. This will trigger the NULL pointer dereference when the server attempts to process the response.

Remediation

Users are advised to upgrade to GNU SASL version 2.2.3 or later, or to disable DIGEST-MD5 authentication. For those using Debian, the update is available in the Debian Security Advisory DSA-6271-1.

Added: May 26, 2026, 9:06 PM
Updated: May 26, 2026, 9:06 PM

Vulnerability Rating

Custom Algorithm

spread: 1.2
impact: 2.5
exploitability: 6.0
remediation: 8.3
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.