<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Zeek (&lt; 8.0.9) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/zeek--8.0.9/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 15:20:09 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/zeek--8.0.9/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-60109 - Zeek Kerberos Protocol Analyzer Null Pointer Dereference</title><link>https://feed.craftedsignal.io/briefs/2026-07-zeek-kerberos-dos/</link><pubDate>Thu, 09 Jul 2026 15:20:09 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-zeek-kerberos-dos/</guid><description>A null pointer dereference vulnerability (CVE-2026-60109) exists in Zeek's Kerberos protocol analyzer before version 8.0.9, allowing unauthenticated remote attackers to crash a Zeek sensor by sending a specially crafted KRB_ERROR message with error-code 25 and specific PA-DATA elements, leading to a denial-of-service condition.</description><content:encoded><![CDATA[<p>A critical denial-of-service vulnerability, identified as CVE-2026-60109, impacts Zeek versions prior to 8.0.9. This flaw resides within Zeek's Kerberos protocol analyzer, specifically due to a null pointer dereference. Unauthenticated remote attackers can exploit this vulnerability by sending a meticulously crafted <code>KRB_ERROR</code> message. The malicious message must contain <code>error-code 25</code> (KDC_ERR_PREAUTH_REQUIRED) and include a <code>PA-DATA</code> element with <code>padata-type 2, 3, 11, or 19</code>. This specific combination triggers a mismatch between the parser and analyzer states, leading <code>proc_padata()</code> to dereference an uninitialized <code>pa_data_element</code> field. The exploitation requires only a single UDP or TCP packet sent to port 88, without requiring any credentials or prior authentication, and results in the Zeek sensor crashing, effectively causing a denial of service.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated remote attacker crafts a specialized Kerberos <code>KRB_ERROR</code> message.</li>
<li>The crafted message includes <code>error-code 25</code>, which corresponds to <code>KDC_ERR_PREAUTH_REQUIRED</code>.</li>
<li>Within the <code>KRB_ERROR</code> message, a <code>PA-DATA</code> element is embedded with a <code>padata-type</code> specifically set to <code>2, 3, 11, or 19</code>.</li>
<li>The attacker sends this single, malformed UDP or TCP packet to a vulnerable Zeek sensor's port 88.</li>
<li>The Zeek sensor's Kerberos protocol analyzer, <code>proc_padata()</code>, attempts to process the incoming <code>KRB_ERROR</code> message.</li>
<li>Due to an internal parser and analyzer state mismatch, <code>proc_padata()</code> incorrectly dereferences an uninitialized <code>pa_data_element</code> field.</li>
<li>This dereference of a null pointer causes a critical error within the Zeek application.</li>
<li>The Zeek sensor application crashes entirely, resulting in a denial-of-service condition for network monitoring and analysis.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-60109 leads directly to a denial-of-service (DoS) for the affected Zeek sensor. This means that organizations relying on Zeek for network security monitoring, intrusion detection, or forensic analysis will temporarily lose visibility into their network traffic from the crashed sensor. The impact can be severe for organizations with critical network infrastructure or strict compliance requirements, as it can create blind spots for threat detection and incident response, potentially allowing other malicious activities to go unnoticed while the sensor is offline.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize patching Zeek instances to version 8.0.9 or later immediately to remediate CVE-2026-60109.</li>
<li>Monitor network traffic for unusual Kerberos <code>KRB_ERROR</code> messages specifically targeting port 88 with <code>error-code 25</code> and <code>PA-DATA</code> elements containing <code>padata-type 2, 3, 11, or 19</code>. While detailed detection requires deep packet inspection, anomalous traffic patterns can be indicators.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>vulnerability</category><category>network</category><category>dos</category><category>zeek</category><category>kerberos</category></item><item><title>CVE-2026-60108 - Zeek FTP Analyzer Uncontrolled Memory Consumption leading to DoS</title><link>https://feed.craftedsignal.io/briefs/2026-07-zeek-ftp-dos/</link><pubDate>Thu, 09 Jul 2026 15:19:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-zeek-ftp-dos/</guid><description>An uncontrolled memory consumption vulnerability in the Zeek FTP analyzer, versions prior to 8.0.9, allows unauthenticated remote attackers to cause process termination and denial of service of the Zeek sensor. This occurs when a crafted FTP control session with AUTH GSSAPI and a large ADAT control line exploits the NVT_Analyzer component's lack of a maximum line length check, leading to an unbounded internal buffer during base64 decoding.</description><content:encoded><![CDATA[<p>Zeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. Attackers can exploit the NVT_Analyzer component's lack of a maximum line length check, causing it to continuously double its internal buffer without bounds during base64 decoding of an attacker-controlled ADAT token, resulting in denial of service of the Zeek sensor. This vulnerability, tracked as CVE-2026-60108, impacts versions prior to 8.0.9 and poses a significant risk to the availability and stability of network monitoring operations where Zeek sensors are deployed, as it can be triggered remotely without authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Unauthenticated remote attacker establishes an FTP control connection to a vulnerable Zeek sensor.</li>
<li>Attacker sends a crafted FTP command to initiate GSSAPI authentication negotiation within the session.</li>
<li>Zeek's FTP analyzer, specifically the NVT_Analyzer component, begins processing the GSSAPI authentication.</li>
<li>Attacker sends an excessively large Authentication Data (ADAT) control line within the ongoing FTP control session.</li>
<li>The NVT_Analyzer attempts to base64 decode the large ADAT token without an internal buffer size limit.</li>
<li>The NVT_Analyzer continuously allocates and reallocates memory, doubling its buffer size without bounds, in an attempt to handle the oversized input.</li>
<li>This uncontrolled memory consumption rapidly exhausts the Zeek sensor's available system resources.</li>
<li>The Zeek sensor process terminates unexpectedly, resulting in a complete denial of service for the network monitoring system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-60108 results in the unauthenticated remote termination of the Zeek sensor process. This leads to a denial of service, rendering the Zeek instance incapable of network traffic analysis and security monitoring. For organizations relying on Zeek for critical threat detection, incident response, and compliance logging, this means a complete loss of visibility over network activity during the attack, potentially allowing other malicious activities to go undetected.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-60108 immediately by updating all affected Zeek installations to version 8.0.9 or later to address the uncontrolled memory consumption vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve</category><category>dos</category><category>zeek</category><category>network-protocol</category><category>vulnerability</category></item></channel></rss>