{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/zeek/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-60109"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Zeek (\u003c 8.0.9)"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","network","dos","zeek","kerberos"],"_cs_type":"advisory","_cs_vendors":["Zeek Project"],"content_html":"\u003cp\u003eA critical denial-of-service vulnerability, identified as CVE-2026-60109, impacts Zeek versions prior to 8.0.9. This flaw resides within Zeek's Kerberos protocol analyzer, specifically due to a null pointer dereference. Unauthenticated remote attackers can exploit this vulnerability by sending a meticulously crafted \u003ccode\u003eKRB_ERROR\u003c/code\u003e message. The malicious message must contain \u003ccode\u003eerror-code 25\u003c/code\u003e (KDC_ERR_PREAUTH_REQUIRED) and include a \u003ccode\u003ePA-DATA\u003c/code\u003e element with \u003ccode\u003epadata-type 2, 3, 11, or 19\u003c/code\u003e. This specific combination triggers a mismatch between the parser and analyzer states, leading \u003ccode\u003eproc_padata()\u003c/code\u003e to dereference an uninitialized \u003ccode\u003epa_data_element\u003c/code\u003e field. The exploitation requires only a single UDP or TCP packet sent to port 88, without requiring any credentials or prior authentication, and results in the Zeek sensor crashing, effectively causing a denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker crafts a specialized Kerberos \u003ccode\u003eKRB_ERROR\u003c/code\u003e message.\u003c/li\u003e\n\u003cli\u003eThe crafted message includes \u003ccode\u003eerror-code 25\u003c/code\u003e, which corresponds to \u003ccode\u003eKDC_ERR_PREAUTH_REQUIRED\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003eKRB_ERROR\u003c/code\u003e message, a \u003ccode\u003ePA-DATA\u003c/code\u003e element is embedded with a \u003ccode\u003epadata-type\u003c/code\u003e specifically set to \u003ccode\u003e2, 3, 11, or 19\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends this single, malformed UDP or TCP packet to a vulnerable Zeek sensor's port 88.\u003c/li\u003e\n\u003cli\u003eThe Zeek sensor's Kerberos protocol analyzer, \u003ccode\u003eproc_padata()\u003c/code\u003e, attempts to process the incoming \u003ccode\u003eKRB_ERROR\u003c/code\u003e message.\u003c/li\u003e\n\u003cli\u003eDue to an internal parser and analyzer state mismatch, \u003ccode\u003eproc_padata()\u003c/code\u003e incorrectly dereferences an uninitialized \u003ccode\u003epa_data_element\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThis dereference of a null pointer causes a critical error within the Zeek application.\u003c/li\u003e\n\u003cli\u003eThe Zeek sensor application crashes entirely, resulting in a denial-of-service condition for network monitoring and analysis.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-60109 leads directly to a denial-of-service (DoS) for the affected Zeek sensor. This means that organizations relying on Zeek for network security monitoring, intrusion detection, or forensic analysis will temporarily lose visibility into their network traffic from the crashed sensor. The impact can be severe for organizations with critical network infrastructure or strict compliance requirements, as it can create blind spots for threat detection and incident response, potentially allowing other malicious activities to go unnoticed while the sensor is offline.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching Zeek instances to version 8.0.9 or later immediately to remediate CVE-2026-60109.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual Kerberos \u003ccode\u003eKRB_ERROR\u003c/code\u003e messages specifically targeting port 88 with \u003ccode\u003eerror-code 25\u003c/code\u003e and \u003ccode\u003ePA-DATA\u003c/code\u003e elements containing \u003ccode\u003epadata-type 2, 3, 11, or 19\u003c/code\u003e. While detailed detection requires deep packet inspection, anomalous traffic patterns can be indicators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T15:20:09Z","date_published":"2026-07-09T15:20:09Z","id":"https://feed.craftedsignal.io/briefs/2026-07-zeek-kerberos-dos/","summary":"A null pointer dereference vulnerability (CVE-2026-60109) exists in Zeek's Kerberos protocol analyzer before version 8.0.9, allowing unauthenticated remote attackers to crash a Zeek sensor by sending a specially crafted KRB_ERROR message with error-code 25 and specific PA-DATA elements, leading to a denial-of-service condition.","title":"CVE-2026-60109 - Zeek Kerberos Protocol Analyzer Null Pointer Dereference","url":"https://feed.craftedsignal.io/briefs/2026-07-zeek-kerberos-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-60108"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Zeek (\u003c 8.0.9)"],"_cs_severities":["medium"],"_cs_tags":["cve","dos","zeek","network-protocol","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Zeek"],"content_html":"\u003cp\u003eZeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. Attackers can exploit the NVT_Analyzer component's lack of a maximum line length check, causing it to continuously double its internal buffer without bounds during base64 decoding of an attacker-controlled ADAT token, resulting in denial of service of the Zeek sensor. This vulnerability, tracked as CVE-2026-60108, impacts versions prior to 8.0.9 and poses a significant risk to the availability and stability of network monitoring operations where Zeek sensors are deployed, as it can be triggered remotely without authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUnauthenticated remote attacker establishes an FTP control connection to a vulnerable Zeek sensor.\u003c/li\u003e\n\u003cli\u003eAttacker sends a crafted FTP command to initiate GSSAPI authentication negotiation within the session.\u003c/li\u003e\n\u003cli\u003eZeek's FTP analyzer, specifically the NVT_Analyzer component, begins processing the GSSAPI authentication.\u003c/li\u003e\n\u003cli\u003eAttacker sends an excessively large Authentication Data (ADAT) control line within the ongoing FTP control session.\u003c/li\u003e\n\u003cli\u003eThe NVT_Analyzer attempts to base64 decode the large ADAT token without an internal buffer size limit.\u003c/li\u003e\n\u003cli\u003eThe NVT_Analyzer continuously allocates and reallocates memory, doubling its buffer size without bounds, in an attempt to handle the oversized input.\u003c/li\u003e\n\u003cli\u003eThis uncontrolled memory consumption rapidly exhausts the Zeek sensor's available system resources.\u003c/li\u003e\n\u003cli\u003eThe Zeek sensor process terminates unexpectedly, resulting in a complete denial of service for the network monitoring system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-60108 results in the unauthenticated remote termination of the Zeek sensor process. This leads to a denial of service, rendering the Zeek instance incapable of network traffic analysis and security monitoring. For organizations relying on Zeek for critical threat detection, incident response, and compliance logging, this means a complete loss of visibility over network activity during the attack, potentially allowing other malicious activities to go undetected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-60108 immediately by updating all affected Zeek installations to version 8.0.9 or later to address the uncontrolled memory consumption vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T15:19:23Z","date_published":"2026-07-09T15:19:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-zeek-ftp-dos/","summary":"An uncontrolled memory consumption vulnerability in the Zeek FTP analyzer, versions prior to 8.0.9, allows unauthenticated remote attackers to cause process termination and denial of service of the Zeek sensor. This occurs when a crafted FTP control session with AUTH GSSAPI and a large ADAT control line exploits the NVT_Analyzer component's lack of a maximum line length check, leading to an unbounded internal buffer during base64 decoding.","title":"CVE-2026-60108 - Zeek FTP Analyzer Uncontrolled Memory Consumption leading to DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-zeek-ftp-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Zeek","version":"https://jsonfeed.org/version/1.1"}