CVE-2021-44758: 
NixOS vulnerability analysis and mitigation

Heimdal before version 7.7.1 contains a vulnerability that allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor. The vulnerability was discovered in the SPNEGO token handling mechanism and was assigned CVE-2021-44758. The issue affects server applications that use SPNEGO for authentication (GitHub Advisory, Ubuntu Security).

The vulnerability occurs when send_accept() is called with a non-zero 'initial_response' and fails to handle the case where gssspnego_ctx.preferred_mech_type equals GSS_C_NO_OID. The issue stems from the acceptor_start() function's behavior when no mechanism is selected. The vulnerability has been present since the initial revision of gssapi/spnego but might not have been exercised until later revisions (GitHub Commit).

This vulnerability results in a denial of service (DoS) condition when an initial SPNEGO token with no acceptable mechanisms is processed by the server. The impact is limited to availability, with no direct effects on confidentiality or integrity of the system (GitHub Advisory, Ubuntu Security).

The primary mitigation is to upgrade to Heimdal version 7.7.1 or later. For systems unable to upgrade immediately, a temporary workaround is to disable SPNEGO in the application. Various Linux distributions have released patched versions: Ubuntu 20.04 LTS (7.7.0+dfsg-1ubuntu1.3), Ubuntu 18.04 LTS (7.5.0+dfsg-1ubuntu0.3), and Ubuntu 16.04 ESM (1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm3) (Ubuntu Security).